From d44761cfb8d016630f9ce673344a611314f3138b Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 12:12:33 -0600 Subject: [PATCH 01/17] new reusable workflows --- .github/scripts/sign.ps1 | 155 +++++++++++++++++++++++++++++++++ .github/workflows/build.yml | 156 +++++++++++++++------------------- .github/workflows/publish.yml | 39 +++++++++ .github/workflows/release.yml | 60 +++++++++++++ 4 files changed, 323 insertions(+), 87 deletions(-) create mode 100644 .github/scripts/sign.ps1 create mode 100644 .github/workflows/publish.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/scripts/sign.ps1 b/.github/scripts/sign.ps1 new file mode 100644 index 0000000..3de6ee4 --- /dev/null +++ b/.github/scripts/sign.ps1 
@@ -0,0 +1,155 @@
+param(
+ [Parameter(Mandatory=$true)] [string]$clientId,
+ [Parameter(Mandatory=$true)] [string]$workspace,
+ [Parameter(Mandatory=$true)] [string]$subscriptionId,
+ [Parameter(Mandatory=$true)] [string]$storage_name,
+ [Parameter(Mandatory=$true)] [string]$container_name,
+ [Parameter(Mandatory=$true)] [string]$vault_name,
+ [Parameter(Mandatory=$true)] [string]$aad_cert,
+ [Parameter(Mandatory=$true)] [string]$sign_cert,
+ [Parameter(Mandatory=$true)] [string]$signing_cert_fingerprint,
+ [Parameter(Mandatory=$false)] [switch]$user_login
+)
+
+if ($workspace -notmatch '\\\\')
+{
+ Write-Host "The 'workspace' parameter is not properly escaped. Don't worry, we'll clean it up."
+ $workspace = [regex]::Escape($workspace)
+}
+
+$fileName = (Get-ChildItem -Recurse -Path unsigned -Filter *.nupkg | Select-Object -Property Name -First 1).Name
+if ($fileName -match ' ') {
+ # This accounts for cases where it finds the same package and we end up with $fileName = "proj.1.1.0.nupkg proj.1.1.0.nupkg"
+ $fileName = $fileName.split()[0]
+}
+
+if ([string]::IsNullOrWhiteSpace($fileName)) {
+ throw "Unable to find unsigned nupkg for signing. Ensure the 'dotnet pack' command has been run and that it's output to a directory called 'unsigned'."
+}
+
+Write-Host "Found unsigned nupkg: $fileName"
+if ($user_login) {
+ Write-Host 'Logging into Azure.'
+ az login --output none
+ az account set --subscription $subscriptionId
+}
+
+if (Test-Path 'signed') {
+ Write-Host "'signed' directory already exists."
+} else {
+ mkdir signed
+ Write-Host "'signed' directory created successfully."
+}
+
+Write-Host "Generating 'auth.json' and 'input.json' files for ESRP Client."
+$authJson = @"
+{
+ "Version": "1.0.0",
+ "AuthenticationType": "AAD_CERT",
+ "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+ "ClientId": "$clientId",
+ "AuthCert": {
+ "SubjectName": "CN=$clientId.microsoft.com",
+ "StoreLocation": "LocalMachine",
+ "StoreName": "My",
+ "SendX5c": "true"
+ },
+ "RequestSigningCert": {
+ "SubjectName": "CN=$clientId",
+ "StoreLocation": "LocalMachine",
+ "StoreName": "My"
+ }
+}
+"@
+$inputJson = @"
+{
+ "Version": "1.0.0",
+ "SignBatches": [
+ {
+ "SourceLocationType": "UNC",
+ "SourceRootDirectory": "$workspace\\unsigned",
+ "DestinationLocationType": "UNC",
+ "DestinationRootDirectory": "$workspace\\signed",
+ "SignRequestFiles": [
+ {
+ "SourceLocation": "$fileName",
+ "DestinationLocation": "$fileName"
+ }
+ ],
+ "SigningInfo": {
+ "Operations": [
+ {
+ "KeyCode": "CP-401405",
+ "OperationCode": "NuGetSign",
+ "ToolName": "sign",
+ "ToolVersion": "1.0"
+ },
+ {
+ "KeyCode": "CP-401405",
+ "OperationCode": "NuGetVerify",
+ "ToolName": "sign",
+ "ToolVersion": "1.0"
+ }
+ ]
+ }
+ }
+ ]
+}
+"@
+Out-File -FilePath .\auth.json -InputObject $authJson
+Out-File -FilePath .\input.json -InputObject $inputJson
+Write-Host 'Done.'
+try {
+ Write-Host 'Downloading ESRP Client.'
+ az storage blob download --auth-mode login --subscription $subscriptionId --account-name $storage_name -c $container_name -n microsoft.esrpclient.1.2.76.zip -f esrp.zip
+ if (Test-Path 'esrp.zip') {
+ Write-Host 'Done.'
+ } else {
+ throw 'Download did not complete successfully. This is likely due to an access issue.'
+ }
+
+ Write-Host 'Unzipping ESRP Client.'
+ Expand-Archive -Path 'esrp.zip' -DestinationPath './esrp' -Force
+ Write-Host 'Done.'
+ Write-Host 'Downloading & Installing Certifictes.'
+ Remove-Item cert.pfx -ErrorAction SilentlyContinue
+ az keyvault secret download --subscription $subscriptionId --vault-name $vault_name --name $aad_cert -f cert.pfx
+ certutil -silent -f -importpfx cert.pfx
+ Remove-Item cert.pfx
+ az keyvault secret download --subscription $subscriptionId --vault-name $vault_name --name $sign_cert -f cert.pfx
+ certutil -silent -f -importpfx cert.pfx
+ Remove-Item cert.pfx
+ Write-Host 'Done.'
+ Write-Host 'Executing ESRP Client.'
+ ./esrp/tools/EsrpClient.exe sign -a ./auth.json -p ./esrp/tools/Policy.json -c ./esrp/tools/Config.json -i ./input.json -o ./Output.json -l Verbose -f STDOUT
+ $signedFileName = (Get-ChildItem -Recurse -Path signed -Filter *.nupkg | Select-Object -Property Name -First 1).Name
+ if ($signedFileName -match ' ') {
+ # This accounts for cases where it finds the same package and we end up with $signedFileName = "proj.1.1.0.nupkg proj.1.1.0.nupkg"
+ $signedFileName = $signedFileName.split()[0]
+ }
+
+ if ([string]::IsNullOrWhiteSpace($signedFileName)) {
+ throw "Unable to find signed nupkg. Check ESRP Client output for errors."
+ }
+
+ Write-Host 'Done. Signing Complete.'
+ Write-Host 'Verifying signatures with NuGet.'
+ $result = nuget verify -Signatures signed/$signedFileName -CertificateFingerprint $signing_cert_fingerprint
+ Write-Host $result
+ $validationFailString = $result | Where-Object { $_ -match 'Package signature validation failed.'}
+ $noPackageFailString = $result | Where-Object { $_ -match 'File does not exist'}
+ if (![string]::IsNullOrWhiteSpace($validationFailString)) {
+ throw 'Package signature validation failed.'
+ } elseif (![string]::IsNullOrWhiteSpace($noPackageFailString)) {
+ throw 'The ESRP Client did not produce a signed package for verification.'
+ } else {
+ Write-Host 'Done. Signatures verified.'
+ Write-Host 'Package ready for upload.'
+ }
+} catch {
+ throw
+} finally {
+ if ($user_login) {
+ az logout
+ }
+}
\ No newline at end of file
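Review bot: The signature check at the end of the `try` block fails open: it only searches the `nuget verify` output for two literal strings and prints 'Signatures verified' for anything else, including a non-zero exit with a different message. Check the exit code right after the call, `if ($LASTEXITCODE -ne 0) { throw "nuget verify failed with exit code $LASTEXITCODE" }`, and add the same guard after `az storage blob download`, both `az keyvault secret download` calls, `certutil` and `EsrpClient.exe`, because a failing native command does not stop the script by itself. The `Remove-Item cert.pfx` calls are also skipped if the script terminates between a download and its import, which would leave the PFX and its private key in the workspace; a `Remove-Item cert.pfx -ErrorAction SilentlyContinue` in the `finally` block would cover that path.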
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2773b05..54fd61f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -1,111 +1,93 @@ +name: Build + on: workflow_call: inputs: - project-to-pack: + project-to-build: required: true type: string + project-to-test: + required: false + type: string + test-filter: + required: false + type: string + default: TestCategory!=Integration coverage-threshold: required: false type: number default: 100 - outputs: - beta-version: - description: "Beta version number." - value: ${{jobs.Pack.outputs.beta-version}} - stable-version: - description: "Stable version number." - value: ${{jobs.Pack.outputs.stable-version}} jobs: - Pack: + Build: runs-on: ubuntu-latest - outputs: - beta-version: ${{steps.version.outputs.beta-version}} - stable-version: ${{steps.version.outputs.stable-version}} + env: + OFFICIAL_BUILD: "True" steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: Setup .NET - uses: actions/setup-dotnet@v1 - with: - dotnet-version: 6.0.x + - name: Checkout repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 - - name: Test - run: dotnet test /p:CollectCoverage=true /p:Threshold=${{inputs.coverage-threshold}} /p:ThresholdType=line /p:ThresholdStat=total /p:CoverletOutputFormat=cobertura /p:CoverletOutput=$GITHUB_WORKSPACE/coverage.xml + - name: Setup .NET + uses: actions/setup-dotnet@v2 + with: + dotnet-version: 6.0.x - - name: Generate Test Coverage Report - uses: danielpalme/ReportGenerator-GitHub-Action@5.1.3 - with: - reports: 'coverage.xml' - targetdir: 'coveragereport' - reporttypes: 'HtmlInline;Cobertura;Badges' # The output formats and scope (separated by semicolon) Values: Badges, Clover, Cobertura, CsvSummary, Html, Html_Dark, Html_Light, HtmlChart, HtmlInline, HtmlInline_AzurePipelines, HtmlInline_AzurePipelines_Dark, HtmlInline_AzurePipelines_Light, HtmlSummary, JsonSummary, Latex, LatexSummary, lcov, MarkdownSummary, MHtml, PngChart, SonarQube, TeamCitySummary, TextSummary, Xml, XmlSummary - verbosity: 'Info' - tag: '${{ github.run_number }}_${{ github.run_id }}' - toolpath: 
'reportgeneratortool' - if: always() + - name: Restore packages + run: dotnet restore - - name: Upload Coverage Report Artifact - uses: actions/upload-artifact@v2 - with: - name: CoverageReport - path: coveragereport - if: always() + - name: Build + run: dotnet build "${{inputs.project-to-build}}" --no-restore --configuration Debug - - name: Install GitVersion - uses: gittools/actions/gitversion/setup@v0.9.7 - with: - versionSpec: '5.x' - - - name: Determine Version - id: gitversion - uses: gittools/actions/gitversion/execute@v0.9.7 - with: - useConfigFile: true - - - name: Set version variables - run: | - echo "STABLE=${{steps.gitversion.outputs.majorMinorPatch}}" >> $GITHUB_ENV - echo "BETA=${{steps.gitversion.outputs.majorMinorPatch}}-beta.$(date +%s)" >> $GITHUB_ENV + Test: + runs-on: ubuntu-latest + if: inputs.project-to-test != '' + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 - - name: Output Version Numbers - id: version - run: | - echo "::set-output name=beta-version::${{env.BETA}}" - echo "::set-output name=stable-version::${{env.STABLE}}" + - name: Setup .NET + uses: actions/setup-dotnet@v1 + with: + dotnet-version: 6.0.x - - name: Pack - run: | - dotnet pack "${{inputs.project-to-pack}}" --configuration Release /p:Version="${{env.BETA}}" --output unsigned/beta - dotnet pack "${{inputs.project-to-pack}}" --configuration Release /p:Version="${{env.STABLE}}" --output unsigned/stable + - name: Test + run: dotnet test "${{inputs.project-to-test}}" --filter "${{inputs.test-filter}}" /p:CollectCoverage=true /p:Threshold=${{inputs.coverage-threshold}} /p:ThresholdType=line /p:ThresholdStat=total /p:CoverletOutputFormat=cobertura /p:CoverletOutput=$GITHUB_WORKSPACE/coverage.xml - - name: Upload Unsigned Packages - uses: actions/upload-artifact@v2 - with: - name: unsigned - path: unsigned + - name: Generate Test Coverage Report + uses: danielpalme/ReportGenerator-GitHub-Action@5.1.3 + with: + reports: "coverage.xml" + targetdir: 
"coveragereport" + reporttypes: "HtmlInline;Cobertura;Badges" # The output formats and scope (separated by semicolon) Values: Badges, Clover, Cobertura, CsvSummary, Html, Html_Dark, Html_Light, HtmlChart, HtmlInline, HtmlInline_AzurePipelines, HtmlInline_AzurePipelines_Dark, HtmlInline_AzurePipelines_Light, HtmlSummary, JsonSummary, Latex, LatexSummary, lcov, MarkdownSummary, MHtml, PngChart, SonarQube, TeamCitySummary, TextSummary, Xml, XmlSummary + verbosity: "Info" + tag: "${{ github.run_number }}_${{ github.run_id }}" + toolpath: "reportgeneratortool" + if: always() -# - name: Get branch names -# id: branch-names -# uses: tj-actions/branch-names@v5.1 + - name: Upload Coverage Report Artifact + uses: actions/upload-artifact@v2 + with: + name: CoverageReport + path: coveragereport + if: always() -# - name: Current branch name -# run: echo "${{steps.branch-names.outputs.current_branch}}" + Verify: + runs-on: windows-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 -# - name: Install git-conventional-commits -# run: npm install --global git-conventional-commits - -# - name: Validate last commit message -# run: | -# git checkout ${{ steps.branch-names.outputs.current_branch }} -# git rev-list --format=%B --max-count=1 HEAD | tail +2 > msg.txt -# git-conventional-commits commit-msg-hook msg.txt + - name: PrePack + run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned -# - name: Determine version -# id: conventional-commits -# run: echo "::set-output name=version::$(npx -q git-conventional-commits version)" - -# - name: examine version -# run: echo "${{ steps.conventional-commits.outputs.version }}" + - name: Verify Package Metadata + run: | + $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" + Invoke-WebRequest $url -OutFile verify.ps1 + .\verify.ps1 .\unsigned\*.nupkg \ No newline at end of file 
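Review bot: The `Verify Package Metadata` step downloads `verify.ps1` from the `master` branch of NuGet/NuGetGallery and runs it without any integrity check, so whatever that branch holds at run time executes on the runner. Pin the URL to a reviewed commit, `$url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/<commit-sha>/src/VerifyMicrosoftPackage/verify.ps1"`, and compare `(Get-FileHash verify.ps1 -Algorithm SHA256).Hash` against a recorded value before invoking it. PATCH 09 restores this step in build.yml and uses the same pattern in sign.yml, where `sign.ps1` is fetched from the `users/mibir/new-workflows` branch and then receives every signing secret, so the pin matters even more there.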
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..2ccb5b2
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,39 @@
+name: Publish
+
+on:
+ workflow_call:
+ secrets:
+ api_key:
+ required: true
+ inputs:
+ dry-run:
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ Publish_Package:
+ runs-on: ubuntu-latest
+ environment: Release
+ steps:
+ - name: Download Signed Packages
+ uses: actions/download-artifact@v2
+ with:
+ name: signed
+ path: signed
+
+ - name: Setup NuGet
+ uses: NuGet/setup-nuget@v1.0.5
+
+ - name: Push Stable Package
+ run: |
+ $signedFileName = (Get-ChildItem -Recurse -Path signed -Filter *.nupkg | Select-Object -Property Name -First 1).Name
+ if ($dry_run -eq $true) {
+ Write-Host "Dry-run enabled. Skipping nuget push."
+ Write-Host "Signed Filename found: $signedFileName"
+ return
+ }
+
+ Write-Host "Oh no, didn't skip"
+ # nuget push signed/$fileName -Source https://api.nuget.org/v3/index.json -ApiKey ${{ secrets.api_key }} -Verbosity detailed -NonInteractive
+ shell: pwsh
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..93baf9c
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,60 @@ +name: Release + +on: + workflow_call: + inputs: + project-to-release: + required: true + type: string + +permissions: + contents: write + packages: write + +jobs: + Pack: + runs-on: ubuntu-latest + env: + OFFICIAL_BUILD: 'True' + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Setup .NET + uses: actions/setup-dotnet@v2 + with: + dotnet-version: 6.0.x + + - name: Restore packages + run: dotnet restore + + - name: Build CLI tool + run: dotnet pack "${{inputs.project-to-release}}" --configuration Release --output ./unsigned + + - name: Upload Unsigned Packages + uses: actions/upload-artifact@v2 + with: + name: unsigned + path: unsigned + + Sign: + needs: Build + uses: ./.github/workflows/sign.yml + secrets: + client_id: ${{ secrets.AAD_SIGNING_CLIENT_ID }} + az_creds: ${{ secrets.AZURE_CREDENTIALS }} + az_sub: ${{ secrets.AZURE_SUBSCRIPTION }} + storage_name: ${{ secrets.AZURE_STORAGE }} + container_name: ${{ secrets.AZURE_STORAGE_CONTAINER }} + vault_name: ${{ secrets.AZURE_VAULT }} + aad_cert: ${{ secrets.AAD_AUTH_CERT }} + sign_cert: ${{ secrets.ESRP_SIGNING_CERT }} + signing_cert_fingerprint: ${{ secrets.SIGNING_CERT_FINGERPRINT }} + + Publish: + needs: [Build, Sign] + uses: ./.github/workflows/publish.yml + secrets: + api_key: ${{ secrets.NUGET_API_KEY }} \ No newline at end of file From 5a844cdb863e1e6348a2861f21b9b0c676af6f03 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 12:35:27 -0600 Subject: [PATCH 02/17] action improvements --- .github/workflows/release.yml | 45 +++++++--- .github/workflows/sign.yml | 160 +++------------------------------- 2 files changed, 43 insertions(+), 162 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 93baf9c..93f9e37 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
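Review bot: `Sign` declares `needs: Build` and `Publish` declares `needs: [Build, Sign]`, but the only other job defined in this file is `Pack`, so these dependencies presumably cannot resolve. They should read `needs: Pack` and `needs: [Pack, Sign]`. The top-level `permissions` block also grants `contents: write` and `packages: write` to every job, although no step visible here writes to the repository or to GitHub Packages; `contents: read` looks sufficient.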
@@ -6,10 +6,27 @@ on: project-to-release: required: true type: string - -permissions: - contents: write - packages: write + secrets: + client_id: + required: true + az_creds: + required: true + az_sub: + required: true + storage_name: + required: true + container_name: + required: true + vault_name: + required: true + aad_cert: + required: true + sign_cert: + required: true + signing_cert_fingerprint: + required: true + api_key: + required: true jobs: Pack: @@ -43,18 +60,18 @@ jobs: needs: Build uses: ./.github/workflows/sign.yml secrets: - client_id: ${{ secrets.AAD_SIGNING_CLIENT_ID }} - az_creds: ${{ secrets.AZURE_CREDENTIALS }} - az_sub: ${{ secrets.AZURE_SUBSCRIPTION }} - storage_name: ${{ secrets.AZURE_STORAGE }} - container_name: ${{ secrets.AZURE_STORAGE_CONTAINER }} - vault_name: ${{ secrets.AZURE_VAULT }} - aad_cert: ${{ secrets.AAD_AUTH_CERT }} - sign_cert: ${{ secrets.ESRP_SIGNING_CERT }} - signing_cert_fingerprint: ${{ secrets.SIGNING_CERT_FINGERPRINT }} + client_id: ${{ secrets.client_id }} + az_creds: ${{ secrets.az_creds }} + az_sub: ${{ secrets.az_sub }} + storage_name: ${{ secrets.storage_name }} + container_name: ${{ secrets.container_name }} + vault_name: ${{ secrets.vault_name }} + aad_cert: ${{ secrets.aad_cert }} + sign_cert: ${{ secrets.sign_cert }} + signing_cert_fingerprint: ${{ secrets.signing_cert_fingerprint }} Publish: needs: [Build, Sign] uses: ./.github/workflows/publish.yml secrets: - api_key: ${{ secrets.NUGET_API_KEY }} \ No newline at end of file + api_key: ${{ secrets.api_key }} \ No newline at end of file diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml index fddca10..ec07a75 100644 --- a/.github/workflows/sign.yml +++ b/.github/workflows/sign.yml @@ -1,15 +1,7 @@ +name: Sign + on: workflow_call: - inputs: - assembly_name: - required: true - type: string - beta_version: - required: true - type: string - stable_version: - required: true - type: string secrets: client_id: required: true 
@@ -34,162 +26,34 @@ jobs: Sign: runs-on: windows-latest steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Download Unsigned Packages uses: actions/download-artifact@v2 with: name: unsigned path: unsigned - - name: Create Signed Directory - run: | - mkdir signed/beta - mkdir signed/stable - - - name: Create Auth File - env: - CLIENT_ID: ${{ secrets.client_id }} - run: | - $authJson = @' - { - "Version": "1.0.0", - "AuthenticationType": "AAD_CERT", - "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47", - "ClientId": "${{env.CLIENT_ID}}", - "AuthCert": { - "SubjectName": "CN=${{env.CLIENT_ID}}.microsoft.com", - "StoreLocation": "LocalMachine", - "StoreName": "My", - "SendX5c": "true" - }, - "RequestSigningCert": { - "SubjectName": "CN=${{env.CLIENT_ID}}", - "StoreLocation": "LocalMachine", - "StoreName": "My" - } - } - '@ - Out-File -FilePath .\auth.json -InputObject $authJson - - - name: Create Beta Input File - run: | - $betaInputJsonTemplate = @' - { - "Version": "1.0.0", - "SignBatches": [ - { - "SourceLocationType": "UNC", - "SourceRootDirectory": "@@workspace@@\\unsigned\\beta", - "DestinationLocationType": "UNC", - "DestinationRootDirectory": "@@workspace@@\\signed\\beta", - "SignRequestFiles": [ - { - "SourceLocation": "${{inputs.assembly_name}}.${{inputs.beta_version}}.nupkg", - "DestinationLocation": "${{inputs.assembly_name}}.${{inputs.beta_version}}.nupkg" - } - ], - "SigningInfo": { - "Operations": [ - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetSign", - "ToolName": "sign", - "ToolVersion": "1.0" - }, - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetVerify", - "ToolName": "sign", - "ToolVersion": "1.0" - } - ] - } - } - ] - } - '@ - $workspace = [regex]::escape("${{github.workspace}}") - $betaInputJson = $betaInputJsonTemplate -replace '@@workspace@@', $workspace - Out-File -FilePath .\betaInput.json -InputObject $betaInputJson - - - name: Create Stable Input File - run: | - 
$stableInputJsonTemplate = @' - { - "Version": "1.0.0", - "SignBatches": [ - { - "SourceLocationType": "UNC", - "SourceRootDirectory": "@@workspace@@\\unsigned\\stable", - "DestinationLocationType": "UNC", - "DestinationRootDirectory": "@@workspace@@\\signed\\stable", - "SignRequestFiles": [ - { - "SourceLocation": "${{inputs.assembly_name}}.${{inputs.stable_version}}.nupkg", - "DestinationLocation": "${{inputs.assembly_name}}.${{inputs.stable_version}}.nupkg" - } - ], - "SigningInfo": { - "Operations": [ - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetSign", - "ToolName": "sign", - "ToolVersion": "1.0" - }, - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetVerify", - "ToolName": "sign", - "ToolVersion": "1.0" - } - ] - } - } - ] - } - '@ - $workspace = [regex]::escape("${{github.workspace}}") - $stableInputJson = $stableInputJsonTemplate -replace '@@workspace@@', $workspace - Out-File -FilePath .\stableInput.json -InputObject $stableInputJson + - name: Setup NuGet + uses: NuGet/setup-nuget@v1.0.5 - name: Azure Login uses: azure/login@v1 with: creds: ${{ secrets.az_creds }} - - name: Install ESRP Client - run: | - az storage blob download --auth-mode login --subscription ${{ secrets.az_sub }} --account-name ${{ secrets.storage_name }} -c ${{ secrets.container_name }} -n microsoft.esrpclient.1.2.76.zip -f esrp.zip - unzip -d ./esrp esrp.zip - - - name: Install Certificates - run: | - az keyvault secret download --subscription "${{ secrets.az_sub }}" --vault-name "${{ secrets.vault_name }}" --name "${{ secrets.aad_cert }}" -f cert.pfx - certutil -silent -f -importpfx cert.pfx - rm cert.pfx - az keyvault secret download --subscription "${{ secrets.az_sub }}" --vault-name "${{ secrets.vault_name }}" --name "${{ secrets.sign_cert }}" -f cert.pfx - certutil -silent -f -importpfx cert.pfx - rm cert.pfx + - name: Run Signing Script + run: ./.github/scripts/sign.ps1 ${{ secrets.client_id }} ${{ github.workspace }} ${{ secrets.az_sub }} ${{ secrets.storage_name 
}} ${{ secrets.container_name }} ${{ secrets.vault_name }} ${{ secrets.aad_cert }} ${{ secrets.sign_cert }} ${{ secrets.signing_cert_fingerprint }} - name: Azure logout run: az logout if: always() - - name: Run ESRP Client - run: | - ./esrp/tools/EsrpClient.exe sign -a ./auth.json -p ./esrp/tools/Policy.json -c ./esrp/tools/Config.json -i ./betaInput.json -o ./Output.json -l Verbose -f STDOUT - ./esrp/tools/EsrpClient.exe sign -a ./auth.json -p ./esrp/tools/Policy.json -c ./esrp/tools/Config.json -i ./stableInput.json -o ./Output.json -l Verbose -f STDOUT - - - name: Setup NuGet - uses: NuGet/setup-nuget@v1.0.5 - - - name: Verify Signature - run: | - nuget verify -Signatures signed/stable/${{inputs.assembly_name}}.${{inputs.stable_version}}.nupkg -CertificateFingerprint ${{secrets.signing_cert_fingerprint}} - nuget verify -Signatures signed/beta/${{inputs.assembly_name}}.${{inputs.beta_version}}.nupkg -CertificateFingerprint ${{secrets.signing_cert_fingerprint}} - - name: Upload Signed Packages uses: actions/upload-artifact@v2 with: name: signed - path: signed + path: signed \ No newline at end of file From 7e27815380757aa604f58935c370ffe2275ec422 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 13:41:24 -0600 Subject: [PATCH 03/17] fix for reusable workflow limitations --- .github/workflows/pack.yml | 36 ++++++++++++++++ .github/workflows/release.yml | 77 ----------------------------------- 2 files changed, 36 insertions(+), 77 deletions(-) create mode 100644 .github/workflows/pack.yml delete mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml new file mode 100644 index 0000000..23317fe --- /dev/null +++ b/.github/workflows/pack.yml 
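Review bot: The new `Run Signing Script` line expands nine `${{ ... }}` values, eight of them secrets, straight into the command text as unquoted positional arguments. The expressions are substituted before the shell parses the line, so a value containing a space, a quote or `;` shifts the positional binding or is parsed as script, and the values end up on the process command line. Bind them through `env:` on the step and pass them by name, for example `-clientId $env:CLIENT_ID -vault_name $env:VAULT_NAME`, which also removes the dependence on parameter order in `sign.ps1`. PATCH 09 keeps the same argument list in its sign.yml hunk, and the `-ApiKey ${{ secrets.api_key }}` argument in publish.yml has the same shape.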
@@ -0,0 +1,36 @@
+name: Pack
+
+on:
+ workflow_call:
+ inputs:
+ project-to-pack:
+ required: true
+ type: string
+
+jobs:
+ Pack:
+ runs-on: ubuntu-latest
+ env:
+ OFFICIAL_BUILD: 'True'
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Setup .NET
+ uses: actions/setup-dotnet@v2
+ with:
+ dotnet-version: 6.0.x
+
+ - name: Restore packages
+ run: dotnet restore
+
+ - name: Package project
+ run: dotnet pack "${{inputs.project-to-pack}}" --configuration Release --output ./unsigned
+
+ - name: Upload Unsigned Packages
+ uses: actions/upload-artifact@v2
+ with:
+ name: unsigned
+ path: unsigned
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 93f9e37..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
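Review bot: `dotnet pack "${{inputs.project-to-pack}}"` pastes the caller-supplied input into the script text before the shell sees it, so a value containing `"` or `$(...)` is interpreted as shell syntax rather than as a path. Pass it through the environment instead: add `env:` with `PROJECT_TO_PACK: ${{ inputs.project-to-pack }}` to the step and run `dotnet pack "$PROJECT_TO_PACK" --configuration Release --output ./unsigned`. The `project-to-build`, `project-to-test` and `test-filter` inputs in build.yml are expanded into `run:` lines the same way.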
@@ -1,77 +0,0 @@ -name: Release - -on: - workflow_call: - inputs: - project-to-release: - required: true - type: string - secrets: - client_id: - required: true - az_creds: - required: true - az_sub: - required: true - storage_name: - required: true - container_name: - required: true - vault_name: - required: true - aad_cert: - required: true - sign_cert: - required: true - signing_cert_fingerprint: - required: true - api_key: - required: true - -jobs: - Pack: - runs-on: ubuntu-latest - env: - OFFICIAL_BUILD: 'True' - steps: - - name: Checkout repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Setup .NET - uses: actions/setup-dotnet@v2 - with: - dotnet-version: 6.0.x - - - name: Restore packages - run: dotnet restore - - - name: Build CLI tool - run: dotnet pack "${{inputs.project-to-release}}" --configuration Release --output ./unsigned - - - name: Upload Unsigned Packages - uses: actions/upload-artifact@v2 - with: - name: unsigned - path: unsigned - - Sign: - needs: Build - uses: ./.github/workflows/sign.yml - secrets: - client_id: ${{ secrets.client_id }} - az_creds: ${{ secrets.az_creds }} - az_sub: ${{ secrets.az_sub }} - storage_name: ${{ secrets.storage_name }} - container_name: ${{ secrets.container_name }} - vault_name: ${{ secrets.vault_name }} - aad_cert: ${{ secrets.aad_cert }} - sign_cert: ${{ secrets.sign_cert }} - signing_cert_fingerprint: ${{ secrets.signing_cert_fingerprint }} - - Publish: - needs: [Build, Sign] - uses: ./.github/workflows/publish.yml - secrets: - api_key: ${{ secrets.api_key }} \ No newline at end of file From 7d8ce29b4e1e3eabad786090e07b0a64aeaff0fc Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 14:21:20 -0600 Subject: [PATCH 04/17] testing-local-script reference --- .github/scripts/msft-verify.ps1 | 3 +++ .github/workflows/build.yml | 6 ++---- .github/workflows/publish.yml | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) create mode 100644 .github/scripts/msft-verify.ps1 
diff --git a/.github/scripts/msft-verify.ps1 b/.github/scripts/msft-verify.ps1 new file mode 100644 index 0000000..4a3a71a --- /dev/null +++ b/.github/scripts/msft-verify.ps1 @@ -0,0 +1,3 @@ +$url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" +Invoke-WebRequest $url -OutFile verify.ps1 +.\verify.ps1 .\unsigned\*.nupkg \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 54fd61f..8f90703 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -87,7 +87,5 @@ jobs: run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned - name: Verify Package Metadata - run: | - $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" - Invoke-WebRequest $url -OutFile verify.ps1 - .\verify.ps1 .\unsigned\*.nupkg \ No newline at end of file + uses: pwsh + run: scripts/msft-verify.ps1 \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2ccb5b2..eaf0385 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -12,7 +12,7 @@ on: default: false jobs: - Publish_Package: + Publish: runs-on: ubuntu-latest environment: Release steps: From 6c98ab540ca5ba8cded94a9672cd7ace687a38f3 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 14:26:56 -0600 Subject: [PATCH 05/17] fix verify --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8f90703..4af7088 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -87,5 +87,5 @@ jobs: run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned - name: Verify Package Metadata - uses: pwsh - run: scripts/msft-verify.ps1 \ No newline at end of file + run: scripts/msft-verify.ps1 + shell: pwsh \ No newline at end of file From 8d61c63c2b291f849ca31c4f4b00775770332192 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 14:36:15 -0600 Subject: [PATCH 06/17] move scripts for testing --- {.github/scripts => scripts}/msft-verify.ps1 | 0 {.github/scripts => scripts}/sign.ps1 | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {.github/scripts => scripts}/msft-verify.ps1 (100%) rename {.github/scripts => scripts}/sign.ps1 (100%) diff --git a/.github/scripts/msft-verify.ps1 b/scripts/msft-verify.ps1 similarity index 100% rename from .github/scripts/msft-verify.ps1 rename to scripts/msft-verify.ps1 diff --git a/.github/scripts/sign.ps1 b/scripts/sign.ps1 similarity index 100% rename from .github/scripts/sign.ps1 rename to scripts/sign.ps1 From 17e21716bfc512704f361b115234f3d4f0176ea5 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 14:40:33 -0600 Subject: [PATCH 07/17] try referencing script like resuable workflow --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4af7088..6dbab74 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -87,5 +87,5 @@ jobs: run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned - name: Verify Package Metadata - run: scripts/msft-verify.ps1 + run: microsoft/digitalworkplace-workflows/scripts/msft-verify.ps1@users/mibir/new-workflows shell: pwsh \ No newline at end of file From 8c2aaaecea288e66ff02ae92bebaa4d76f9a44c1 Mon Sep 17 00:00:00 2001 
From: ms-mikeb Date: Tue, 24 May 2022 14:48:23 -0600 Subject: [PATCH 08/17] try original way again --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6dbab74..4af7088 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -87,5 +87,5 @@ jobs: run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned - name: Verify Package Metadata - run: microsoft/digitalworkplace-workflows/scripts/msft-verify.ps1@users/mibir/new-workflows + run: scripts/msft-verify.ps1 shell: pwsh \ No newline at end of file From f664a16c585332e93242bed5c335fe372c2b584c Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 15:35:43 -0600 Subject: [PATCH 09/17] change to download script --- .github/workflows/build.yml | 5 ++++- .github/workflows/sign.yml | 6 +++++- scripts/msft-verify.ps1 | 3 --- 3 files changed, 9 insertions(+), 5 deletions(-) delete mode 100644 scripts/msft-verify.ps1 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4af7088..d2e772f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -87,5 +87,8 @@ jobs: run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned - name: Verify Package Metadata - run: scripts/msft-verify.ps1 + run: | + $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" + Invoke-WebRequest $url -OutFile verify.ps1 + .\verify.ps1 .\unsigned\*.nupkg shell: pwsh \ No newline at end of file diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml index ec07a75..e321985 100644 --- a/.github/workflows/sign.yml +++ b/.github/workflows/sign.yml 
@@ -46,7 +46,11 @@ jobs: creds: ${{ secrets.az_creds }} - name: Run Signing Script - run: ./.github/scripts/sign.ps1 ${{ secrets.client_id }} ${{ github.workspace }} ${{ secrets.az_sub }} ${{ secrets.storage_name }} ${{ secrets.container_name }} ${{ secrets.vault_name }} ${{ secrets.aad_cert }} ${{ secrets.sign_cert }} ${{ secrets.signing_cert_fingerprint }} + run: | + $url = "https://raw.githubusercontent.com/microsoft/digitalworkplace-workflows/users/mibir/new-workflows/scripts/sign.ps1" + Invoke-WebRequest $url -OutFile sign.ps1 + .\sign.ps1 ${{ secrets.client_id }} ${{ github.workspace }} ${{ secrets.az_sub }} ${{ secrets.storage_name }} ${{ secrets.container_name }} ${{ secrets.vault_name }} ${{ secrets.aad_cert }} ${{ secrets.sign_cert }} ${{ secrets.signing_cert_fingerprint }} + shell: pwsh - name: Azure logout run: az logout diff --git a/scripts/msft-verify.ps1 b/scripts/msft-verify.ps1 deleted file mode 100644 index 4a3a71a..0000000 --- a/scripts/msft-verify.ps1 +++ /dev/null @@ -1,3 +0,0 @@ -$url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" -Invoke-WebRequest $url -OutFile verify.ps1 -.\verify.ps1 .\unsigned\*.nupkg \ No newline at end of file From 104a17e2229bebf2586a6fc8d10c11e247982554 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 16:06:23 -0600 Subject: [PATCH 10/17] fix publish --- .github/workflows/publish.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index eaf0385..6aba34d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -6,7 +6,7 @@ on: api_key: required: true inputs: - dry-run: + dry_run: required: false type: boolean default: false 
@@ -25,15 +25,17 @@ jobs: - name: Setup NuGet uses: NuGet/setup-nuget@v1.0.5 - - name: Push Stable Package + - name: Push Package Dry Run + if: inputs.dry_run == true run: | $signedFileName = (Get-ChildItem -Recurse -Path signed -Filter *.nupkg | Select-Object -Property Name -First 1).Name - if ($dry_run -eq $true) { - Write-Host "Dry-run enabled. Skipping nuget push." - Write-Host "Signed Filename found: $signedFileName" - return - } + Write-Host "Dry-run enabled. Not pushing to NuGet." + Write-Host "Signed Filename found: $signedFileName" + shell: pwsh - Write-Host "Oh no, didn't skip" - # nuget push signed/$fileName -Source https://api.nuget.org/v3/index.json -ApiKey ${{ secrets.api_key }} -Verbosity detailed -NonInteractive + - name: Push Package + if: inputs.dry_run == false + run: | + $signedFileName = (Get-ChildItem -Recurse -Path signed -Filter *.nupkg | Select-Object -Property Name -First 1).Name + nuget push signed/$fileName -Source https://api.nuget.org/v3/index.json -ApiKey ${{ secrets.api_key }} -Verbosity detailed -NonInteractive shell: pwsh \ No newline at end of file From 558ef01c27e16b25142fbedffa3f342844600a66 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 20:35:52 -0600 Subject: [PATCH 11/17] pr feedback updates --- .github/workflows/build.yml | 28 +++++++++------------------- .github/workflows/sign.yml | 2 +- 2 files changed, 10 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d2e772f..adfce9a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,6 +9,10 @@ on: project-to-test: required: false type: string + run-package-verification: + required: false + type: boolean + default: false test-filter: required: false type: string @@ -21,8 +25,6 @@ on: jobs: Build: runs-on: ubuntu-latest - env: - OFFICIAL_BUILD: "True" steps: - name: Checkout repository uses: actions/checkout@v3 
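Review bot: The `Push Package` step stores the file name in `$signedFileName` but the `nuget push` line reads `$fileName`, which is never assigned in this step, so the path presumably expands to just `signed/` and no package is named. Change the argument to `"signed/$signedFileName"` and add `if (-not $signedFileName) { throw "No signed nupkg found" }` above it so an empty `signed` directory fails with a clear message. `Select-Object -Property Name` also discards any subdirectory that `-Recurse` descended into; if packages can sit below `signed`, take `FullName` instead and push that path directly.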
@@ -38,26 +40,14 @@ jobs: run: dotnet restore - name: Build - run: dotnet build "${{inputs.project-to-build}}" --no-restore --configuration Debug - - Test: - runs-on: ubuntu-latest - if: inputs.project-to-test != '' - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: Setup .NET - uses: actions/setup-dotnet@v1 - with: - dotnet-version: 6.0.x + run: dotnet build "${{inputs.project-to-build}}" --no-restore --configuration Release - name: Test + if: inputs.project-to-test != '' run: dotnet test "${{inputs.project-to-test}}" --filter "${{inputs.test-filter}}" /p:CollectCoverage=true /p:Threshold=${{inputs.coverage-threshold}} /p:ThresholdType=line /p:ThresholdStat=total /p:CoverletOutputFormat=cobertura /p:CoverletOutput=$GITHUB_WORKSPACE/coverage.xml - name: Generate Test Coverage Report + if: inputs.project-to-test != '' uses: danielpalme/ReportGenerator-GitHub-Action@5.1.3 with: reports: "coverage.xml" @@ -66,16 +56,16 @@ jobs: verbosity: "Info" tag: "${{ github.run_number }}_${{ github.run_id }}" toolpath: "reportgeneratortool" - if: always() - name: Upload Coverage Report Artifact + if: inputs.project-to-test != '' uses: actions/upload-artifact@v2 with: name: CoverageReport path: coveragereport - if: always() Verify: + if: inputs.run-package-verification == true runs-on: windows-latest steps: - name: Checkout repository diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml index e321985..25ba04f 100644 --- a/.github/workflows/sign.yml +++ b/.github/workflows/sign.yml 
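Review bot: The `Build` and `Test` lines splice `${{inputs.project-to-build}}`, `${{inputs.project-to-test}}`, `${{inputs.test-filter}}` and `${{inputs.coverage-threshold}}` into the script text before the shell sees it, so the surrounding double quotes do not stop a value containing `"` or `$(...)` from being interpreted by the shell. Whether that is reachable depends on what calling workflows forward into these inputs, which is not visible here. Passing them through the environment removes the question: add `env: PROJECT_TO_BUILD: ${{ inputs.project-to-build }}` to the step and run `dotnet build "$PROJECT_TO_BUILD" --no-restore --configuration Release`, and do likewise for the test inputs.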
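Review bot: Dropping `if: always()` from `Generate Test Coverage Report` and `Upload Coverage Report Artifact` means neither step runs when the `Test` step fails, which presumably includes a run that falls below `/p:Threshold`, the case where the report is most useful. If that is not intended, combine the conditions on both steps: `if: always() && inputs.project-to-test != ''`.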
@@ -47,7 +47,7 @@ jobs: - name: Run Signing Script run: | - $url = "https://raw.githubusercontent.com/microsoft/digitalworkplace-workflows/users/mibir/new-workflows/scripts/sign.ps1" + $url = "https://raw.githubusercontent.com/microsoft/digitalworkplace-workflows/main/scripts/sign.ps1" Invoke-WebRequest $url -OutFile sign.ps1 .\sign.ps1 ${{ secrets.client_id }} ${{ github.workspace }} ${{ secrets.az_sub }} ${{ secrets.storage_name }} ${{ secrets.container_name }} ${{ secrets.vault_name }} ${{ secrets.aad_cert }} ${{ secrets.sign_cert }} ${{ secrets.signing_cert_fingerprint }} shell: pwsh From 594c1873032a61f0854f37328331e506724b9124 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Tue, 24 May 2022 20:37:00 -0600 Subject: [PATCH 12/17] removed unnecessary checkout --- .github/workflows/sign.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml index 25ba04f..4593c5f 100644 --- a/.github/workflows/sign.yml +++ b/.github/workflows/sign.yml @@ -26,11 +26,6 @@ jobs: Sign: runs-on: windows-latest steps: - - name: Checkout repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Download Unsigned Packages uses: actions/download-artifact@v2 with: From c9fb852b8f34e9c60baabc4202361c6c8ea6c822 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Wed, 25 May 2022 10:58:48 -0600 Subject: [PATCH 13/17] removed env variable --- .github/workflows/pack.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index 23317fe..5ea561a 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -10,8 +10,6 @@ on: jobs: Pack: runs-on: ubuntu-latest - env: - OFFICIAL_BUILD: 'True' steps: - name: Checkout repository uses: actions/checkout@v3 From 0d2fcbc53b8c433046f2f7f3a0db0f6b20f33466 Mon Sep 17 00:00:00 2001 
From: ms-mikeb Date: Wed, 25 May 2022 12:01:15 -0600 Subject: [PATCH 14/17] move verification to pack.yml & updated readme --- .github/workflows/build.yml | 25 +------------------------ .github/workflows/pack.yml | 9 ++++++++- README.md | 19 +++++++++++++++---- 3 files changed, 24 insertions(+), 29 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index adfce9a..a137dcd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,10 +9,6 @@ on: project-to-test: required: false type: string - run-package-verification: - required: false - type: boolean - default: false test-filter: required: false type: string @@ -62,23 +58,4 @@ jobs: uses: actions/upload-artifact@v2 with: name: CoverageReport - path: coveragereport - - Verify: - if: inputs.run-package-verification == true - runs-on: windows-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: PrePack - run: dotnet pack "${{inputs.project-to-build}}" --configuration Release --output ./unsigned - - - name: Verify Package Metadata - run: | - $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" - Invoke-WebRequest $url -OutFile verify.ps1 - .\verify.ps1 .\unsigned\*.nupkg - shell: pwsh \ No newline at end of file + path: coveragereport \ No newline at end of file diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index 5ea561a..b7cc105 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -9,7 +9,7 @@ on: jobs: Pack: - runs-on: ubuntu-latest + runs-on: windows-latest steps: - name: Checkout repository uses: actions/checkout@v3 
@@ -27,6 +27,13 @@ jobs: - name: Package project run: dotnet pack "${{inputs.project-to-pack}}" --configuration Release --output ./unsigned + - name: Verify Package Metadata + run: | + $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" + Invoke-WebRequest $url -OutFile verify.ps1 + .\verify.ps1 .\unsigned\*.nupkg + shell: pwsh + - name: Upload Unsigned Packages uses: actions/upload-artifact@v2 with: diff --git a/README.md b/README.md index 8bad521..e2e13f3 100644 --- a/README.md +++ b/README.md 
@@ -4,16 +4,27 @@ This repo provides a set of Github workflow templates to be used by Microsoft.Di The templates take inputs and secrets as needed to run their defined behavior and stable_publish.yml workflow is the only one that assumes a Release environment, mainly for approval purposes. +## Workflow overviews + ### build.yml -runs the basic build steps and test steps and generates NuGet packages for the project specified in the input. + +Runs the basic build steps and test steps and generates NuGet packages for the project specified in the input. + +### pack.yml + +Packs the given project and verifies the project has the correct metadata for Microsoft using a downloaded script, then uploads the nupkg to an 'unsigned' artifact - intended to be used later by the *sign* workflow. ### sign.yml -communicates with ESRP (a Microsoft internal tool for signing NuGet packages) using their client and signs the packages in the artifacts folder - it assumes an `unsigned` artifacts folder that contains two folders: `beta` & `stable` for the corresponding .nupkg files. After signing the packages it uploads them to the `signed` artifacts folder with a similar hierarchy to the unsigned one. -### beta_publish.yml and stable_publish.yml -push the signed nupkg files to the public NuGet.org feed. +Communicates with ESRP (a Microsoft internal tool for signing NuGet packages) using their client and signs the packag in the artifact folder - it assumes an `unsigned` artifact folder exists with the corresponding .nupkg file. After signing the package it uploads it to the `signed` artifact folder. + +### beta_publish.yml and stable_publish.yml [deprecated] + +Pushes the signed nupkg files to the public NuGet.org feed. +### publish.yml +Pushes the signed nupkg file to the public NuGet.org feed. ## Contributing From f8ee95233ef822029b04ebc78ac83ff5b2a21282 Mon Sep 17 00:00:00 2001 
From: ms-mikeb Date: Wed, 25 May 2022 12:20:31 -0600 Subject: [PATCH 15/17] use main instead of master for verify.ps1 --- .github/workflows/pack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index b7cc105..703bab8 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -29,7 +29,7 @@ jobs: - name: Verify Package Metadata run: | - $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/master/src/VerifyMicrosoftPackage/verify.ps1" + $url = "https://raw.githubusercontent.com/NuGet/NuGetGallery/main/src/VerifyMicrosoftPackage/verify.ps1" Invoke-WebRequest $url -OutFile verify.ps1 .\verify.ps1 .\unsigned\*.nupkg shell: pwsh From 7a4635648aa86002d61ea327c4805cca7b4f51a7 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Wed, 25 May 2022 12:26:41 -0600 Subject: [PATCH 16/17] trying out ubuntu in pack again --- .github/workflows/pack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index 703bab8..500e0d5 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -9,7 +9,7 @@ on: jobs: Pack: - runs-on: windows-latest + runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v3 From 85f4a18fb4b42b830930c1ca7bc1b31e8ec70337 Mon Sep 17 00:00:00 2001 From: ms-mikeb Date: Wed, 25 May 2022 12:29:48 -0600 Subject: [PATCH 17/17] reverting to windows --- .github/workflows/pack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index 500e0d5..703bab8 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -9,7 +9,7 @@ on: jobs: Pack: - runs-on: ubuntu-latest + runs-on: windows-latest steps: - name: Checkout repository uses: actions/checkout@v3