version #512
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - add-nuget-cert | |
| permissions: | |
| id-token: write | |
| contents: write | |
| jobs: | |
| prereqs: | |
| name: Prerequisites | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set version | |
| run: echo "version=$(cat VERSION | sed -E 's/.[0-9]+$//')" >> $GITHUB_OUTPUT | |
| id: version | |
| # ================================ | |
| # .NET Tool | |
| # ================================ | |
| dotnet-tool-build: | |
| name: Build .NET tool | |
| runs-on: ubuntu-latest | |
| needs: prereqs | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@v4.0.0 | |
| with: | |
| dotnet-version: 8.0.x | |
| - name: Build .NET tool | |
| run: | | |
| src/shared/DotnetTool/layout.sh --configuration=Release | |
| - name: Upload .NET tool artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-build | |
| path: | | |
| out/shared/DotnetTool/nupkg/Release | |
| dotnet-tool-payload-sign: | |
| name: Sign .NET tool payload | |
| runs-on: windows-latest | |
| environment: release | |
| needs: dotnet-tool-build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download payload | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-build | |
| - name: Log into Azure | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Download/extract Sign CLI tool | |
| env: | |
| AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }} | |
| ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }} | |
| SCT: ${{ secrets.SIGN_CLI_TOOL }} | |
| run: | | |
| az storage blob download --file sign-cli.zip --auth-mode login ` | |
| --account-name $env:AST --container-name $env:ASC --name $env:SCT | |
| Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli | |
| - name: Sign payload | |
| env: | |
| ACST: ${{ secrets.AZURE_TENANT_ID }} | |
| ACSI: ${{ secrets.AZURE_CLIENT_ID }} | |
| ACSS: ${{ secrets.AZURE_CLIENT_SECRET }} | |
| run: | | |
| ./sign-cli/sign.exe code azcodesign payload/* ` | |
| -acsu https://wus2.codesigning.azure.net/ ` | |
| -acsa git-fundamentals-signing ` | |
| -acscp git-fundamentals-windows-signing ` | |
| -d "Git Fundamentals Windows Signing Certificate" ` | |
| -u "https://github.com/git-ecosystem/git-credential-manager" ` | |
| -acst $env:ACST ` | |
| -acsi $env:ACSI ` | |
| -acss $env:ACSS | |
| - name: Lay out signed payload, images, and symbols | |
| shell: bash | |
| run: | | |
| mkdir dotnet-tool-payload-sign | |
| mv images payload.sym payload -t dotnet-tool-payload-sign | |
| - name: Upload signed payload | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dotnet-tool-payload-sign | |
| path: | | |
| dotnet-tool-payload-sign | |
| dotnet-tool-pack: | |
| name: Package .NET tool | |
| runs-on: ubuntu-latest | |
| needs: [ prereqs, dotnet-tool-payload-sign ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download signed payload | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dotnet-tool-payload-sign | |
| path: signed | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@v4.0.0 | |
| with: | |
| dotnet-version: 8.0.x | |
| - name: Package tool | |
| run: | | |
| src/shared/DotnetTool/pack.sh --configuration=Release \ | |
| --version="${{ needs.prereqs.outputs.version }}" \ | |
| --publish-dir=$(pwd)/signed | |
| - name: Upload unsigned package | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-package-unsigned | |
| path: | | |
| out/shared/DotnetTool/nupkg/Release/*.nupkg | |
| dotnet-tool-sign: | |
| name: Sign .NET tool package | |
| runs-on: windows-latest | |
| environment: release | |
| needs: dotnet-tool-pack | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download unsigned package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-package-unsigned | |
| path: nupkg | |
| - name: Log into Azure | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Download/extract Sign CLI tool | |
| env: | |
| AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }} | |
| ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }} | |
| SCT: ${{ secrets.SIGN_CLI_TOOL }} | |
| run: | | |
| az storage blob download --file sign-cli.zip --auth-mode login ` | |
| --account-name $env:AST --container-name $env:ASC --name $env:SCT | |
| Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli | |
| - name: Sign package | |
| env: | |
| ACST: ${{ secrets.AZURE_TENANT_ID }} | |
| ACSI: ${{ secrets.AZURE_CLIENT_ID }} | |
| ACSS: ${{ secrets.AZURE_CLIENT_SECRET }} | |
| run: | | |
| ./sign-cli/sign.exe code azcodesign nupkg/* ` | |
| -acsu https://wus2.codesigning.azure.net/ ` | |
| -acsa git-fundamentals-signing ` | |
| -acscp git-fundamentals-windows-signing ` | |
| -d "Git Fundamentals Windows Signing Certificate" ` | |
| -u "https://github.com/git-ecosystem/git-credential-manager" ` | |
| -acst $env:ACST ` | |
| -acsi $env:ACSI ` | |
| -acss $env:ACSS ` | |
| -acsc signing-certificate.cer | |
| mv nupkg/* . | |
| - name: Publish signed package and certificate | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dotnet-tool-sign | |
| path: | | |
| *.nupkg | |
| *.cer | |
| # ================================ | |
| # Validate | |
| # ================================ | |
| validate: | |
| name: Validate installers | |
| strategy: | |
| matrix: | |
| component: | |
| - os: ubuntu-latest | |
| artifact: dotnet-tool-sign | |
| command: git-credential-manager | |
| description: dotnet-tool | |
| runs-on: ${{ matrix.component.os }} | |
| needs: [ dotnet-tool-sign ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@v4.0.0 | |
| with: | |
| dotnet-version: 8.0.x | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ matrix.component.artifact }} | |
| - name: Install .NET tool | |
| if: contains(matrix.component.description, 'dotnet-tool') | |
| run: | | |
| nupkgpath=$(find ./*.nupkg) | |
| dotnet tool install -g --add-source $(dirname "$nupkgpath") git-credential-manager | |
| "${{ matrix.component.command }}" configure | |
| - name: Validate | |
| shell: bash | |
| run: | | |
| "${{ matrix.component.command }}" --version | sed 's/+.*//' >actual | |
| cat VERSION | sed -E 's/.[0-9]+$//' >expect | |
| cmp expect actual || exit 1 | |
| # ================================ | |
| # Publish | |
| # ================================ | |
| create-github-release: | |
| name: Publish GitHub draft release | |
| runs-on: ubuntu-latest | |
| env: | |
| AZURE_VAULT: ${{ secrets.AZURE_VAULT }} | |
| GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }} | |
| environment: release | |
| needs: [ prereqs, validate ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@v4.0.0 | |
| with: | |
| dotnet-version: 8.0.x | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| - uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const path = require('path'); | |
| const version = "${{ needs.prereqs.outputs.version }}" | |
| var releaseMetadata = { | |
| owner: context.repo.owner, | |
| repo: context.repo.repo | |
| }; | |
| // Create the release | |
| var tagName = `v${version}`; | |
| var createdRelease = await github.rest.repos.createRelease({ | |
| ...releaseMetadata, | |
| draft: true, | |
| tag_name: tagName, | |
| target_commitish: context.sha, | |
| name: `GCM ${version}` | |
| }); | |
| releaseMetadata.release_id = createdRelease.data.id; | |
| // Uploads contents of directory to the release created above | |
| async function uploadDirectoryToRelease(directory, includeExtensions=[]) { | |
| return fs.promises.readdir(directory) | |
| .then(async(files) => Promise.all( | |
| files.filter(file => { | |
| return includeExtensions.length==0 || includeExtensions.includes(path.extname(file).toLowerCase()); | |
| }) | |
| .map(async (file) => { | |
| var filePath = path.join(directory, file); | |
| github.rest.repos.uploadReleaseAsset({ | |
| ...releaseMetadata, | |
| name: file, | |
| headers: { | |
| "content-length": (await fs.promises.stat(filePath)).size | |
| }, | |
| data: fs.createReadStream(filePath) | |
| }); | |
| })) | |
| ); | |
| } | |
| await Promise.all([ | |
| // Upload .NET tool package | |
| uploadDirectoryToRelease('dotnet-tool-sign'), | |
| ]); |