full workflow

.github/workflows/release.yml

@@ -90,22 +90,14 @@ jobs:
             -u "https://github.com/git-ecosystem/git-credential-manager" `
             -acst ${{ secrets.AZURE_TENANT_ID }} `
             -acsi ${{ secrets.AZURE_CLIENT_ID }} `
-            -acss ${{ secrets.AZURE_CLIENT_SECRET }} `
-
-      - name: Lay out signed payload, images, and symbols
-        shell: bash
-        run: |
-          mkdir dotnet-tool-payload-sign
-          rm -rf payload
-          mv images payload.sym -t dotnet-tool-payload-sign
-          unzip signed/payload.zip -d dotnet-tool-payload-sign
+            -acss ${{ secrets.AZURE_CLIENT_SECRET }}
 
       - name: Upload signed payload
         uses: actions/upload-artifact@v4
         with:
           name: dotnet-tool-payload-sign
           path: |
-            dotnet-tool-payload-sign
+            payload
 
   dotnet-tool-pack:
     name: Package .NET tool
@@ -137,3 +129,93 @@ jobs:
           name: tmp.dotnet-tool-package-unsigned
           path: |
             out/shared/DotnetTool/nupkg/Release/*.nupkg
+
+  dotnet-tool-sign:
+    name: Sign .NET tool package
+    runs-on: windows-latest
+    environment: release
+    needs: dotnet-tool-pack
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download unsigned package
+        uses: actions/download-artifact@v4
+        with:
+          name: tmp.dotnet-tool-package-unsigned
+          path: nupkg
+
+      - name: Log into Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Sign package
+        run: |
+          ./sign-cli/sign.exe code azcodesign nupkg/* `
+            -acsu https://wus2.codesigning.azure.net/ `
+            -acsa git-fundamentals-signing `
+            -acscp git-fundamentals-windows-signing `
+            -d "Git Fundamentals Windows Signing Certificate" `
+            -u "https://github.com/git-ecosystem/git-credential-manager" `
+            -acst ${{ secrets.AZURE_TENANT_ID }} `
+            -acsi ${{ secrets.AZURE_CLIENT_ID }} `
+            -acss ${{ secrets.AZURE_CLIENT_SECRET }}
+
+      - name: Publish signed package
+        uses: actions/upload-artifact@v4
+        with:
+          name: dotnet-tool-sign
+          path: signed/*.nupkg
+
+  # ================================
+  #           Validate
+  # ================================
+  validate:
+    name: Validate installers
+    strategy:
+      matrix:
+        component:
+          - os: ubuntu-latest
+            artifact: dotnet-tool-sign
+            command: git-credential-manager
+            description: dotnet-tool
+    runs-on: ${{ matrix.component.os }}
+    needs: dotnet-tool-sign
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@v4.0.0
+        with:
+          dotnet-version: 7.0.x
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ matrix.component.artifact }}
+
+      - name: Install Windows
+        if: contains(matrix.component.description, 'windows')
+        shell: pwsh
+        run: |
+          $exePaths = Get-ChildItem -Path ./installers/*.exe | %{$_.FullName}
+          foreach ($exePath in $exePaths)
+          {
+            Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART"
+          }
+
+      - name: Install .NET tool
+        if: contains(matrix.component.description, 'dotnet-tool')
+        run: |
+          nupkgpath=$(find ./*.nupkg)
+          dotnet tool install -g --add-source $(dirname "$nupkgpath") git-credential-manager
+          "${{ matrix.component.command }}" configure
+
+      - name: Validate
+        shell: bash
+        run: |
+          "${{ matrix.component.command }}" --version | sed 's/+.*//' >actual
+          cat VERSION | sed -E 's/.[0-9]+$//' >expect
+          cmp expect actual || exit 1Q