
test nuget

test nuget #9

Workflow file for this run

# Builds the .NET tool, signs its payload and package, and uploads the result.
name: .NET Tool Signing

# Runs on every push, on any branch.
on: push

# Workflow-wide token scopes; a job inherits these unless it declares its own
# permissions block.
permissions:
  # Lets a job request a GitHub OIDC token (presumably what the azure/login
  # step relies on, since it is given no client secret -- confirm).
  id-token: write
  # Read-only repository access, enough for actions/checkout.
  contents: read
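jobs:
  # Derives the package version once and exposes it as a job output.
  prereqs:
    name: Prerequisites
    runs-on: ubuntu-latest
    # This job only reads the repository. A job-level permissions block
    # replaces the workflow-level grant, so the OIDC scope (id-token: write)
    # is not available to a job that never signs anything.
    permissions:
      contents: read
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - name: Set version
        id: version
        # Strip the last dot-separated numeric component from VERSION. The dot
        # is escaped so only a literal "." matches (an unescaped "." matches
        # any character), and $GITHUB_OUTPUT is quoted against word splitting.
        run: |
          echo "version=$(sed -E 's/\.[0-9]+$//' VERSION)" >> "$GITHUB_OUTPUT"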
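# ================================
# .NET Tool
# ================================
  # Builds the tool layout, signs the payload binaries, packs the NuGet
  # package, signs the package through ESRP and uploads the signed .nupkg.
  #
  # NOTE(review): azure/login and azure/azure-code-signing-action are
  # referenced by mutable tag. In a job that holds signing credentials,
  # pinning third-party actions to a full commit SHA protects against a tag
  # being moved to different code.
  create-dotnet-tool-artifacts:
    name: Create .NET Tool Artifacts
    runs-on: windows-latest
    # Any protection rules and environment-scoped secrets configured for the
    # "release" environment apply to this job.
    environment: release
    needs: prereqs
    steps:
      - uses: actions/checkout@v4
      - name: Set up .NET
        uses: actions/setup-dotnet@v3.2.0
        with:
          dotnet-version: '7.0.x'
      - name: Build .NET tool
        run: |
          & $env:GITHUB_WORKSPACE\src\shared\DotnetTool\layout.ps1 Release
          # The AzureCodeSigning PowerShell module currently cannot handle files
          # without extensions. This is a temporary workaround until the issue is
          # fixed.
          mkdir $env:GITHUB_WORKSPACE\incompatible-files
          Get-ChildItem -Path $env:GITHUB_WORKSPACE\out\shared\DotnetTool\nupkg\Release\payload\* `
            -Include NOTICE | Move-Item -Destination `
            $env:GITHUB_WORKSPACE\incompatible-files
      - name: Log into Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Sign payload files with Azure Code Signing
        uses: azure/azure-code-signing-action@v0.2.20
        with:
          endpoint: https://wus2.codesigning.azure.net/
          code-signing-account-name: git-fundamentals-signing
          certificate-profile-name: git-fundamentals-windows-signing
          files-folder: ${{ github.workspace }}\out\shared\DotnetTool\nupkg\Release\payload
          # Only .exe and .dll files in the payload folder are signed.
          files-folder-filter: exe,dll
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
      # The Azure Code Signing action overrides the .NET version, so we reset it.
      - name: Set up .NET
        uses: actions/setup-dotnet@v3.2.0
        with:
          dotnet-version: '7.0.x'
      - name: Package tool
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the value (read from the VERSION file) reaches
          # PowerShell as data and is never parsed as script.
          GCM_VERSION: ${{ needs.prereqs.outputs.version }}
        run: |
          & $env:GITHUB_WORKSPACE\src\shared\DotnetTool\pack.ps1 Release `
            $env:GCM_VERSION
      - name: Zip unsigned package
        shell: pwsh
        env:
          # Same reason as in "Package tool": keep the version out of the
          # script text.
          GCM_VERSION: ${{ needs.prereqs.outputs.version }}
        run: |
          mkdir nupkg
          $package = "out/shared/DotnetTool/nupkg/Release/git-credential-manager.${env:GCM_VERSION}.nupkg"
          Compress-Archive -Path $package -DestinationPath nupkg/gcm-nupkg.zip
          cd nupkg
          # Leave only the archive in the folder handed to the signing script.
          Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
      - name: Set up ESRP client
        shell: pwsh
        # Secrets are exposed only to this step, as environment variables.
        env:
          AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
          ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
          AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
          REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
        run: |
          .github\set_up_esrp.ps1
      - name: Sign package
        shell: pwsh
        env:
          AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
          NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
          NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
        run: |
          python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
      - name: Unzip signed package
        shell: pwsh
        run: |
          Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force
          Remove-Item signed\gcm-nupkg.zip -Force
      - name: Publish signed package
        uses: actions/upload-artifact@v3
        with:
          name: dotnet-tool-sign
          path: signed/*.nupkg
          # Fail the run when no signed package was produced; the default only
          # logs a warning and the job would still succeed.
          if-no-files-found: error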