chore: added code-signing-workflow #718

Merged Feb 9, 2024 (4 commits)

tiwarishubham635
Contributor

Fixes

Added code-signing-workflow

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket, or create a GitHub Issue in this repository.

@@ -121,6 +97,71 @@ jobs:
uses: sendgrid/dx-automator/actions/datadog-release-metric@main
env:
DD_API_KEY: ${{ secrets.DATADOG_API_KEY }}

code-signing:
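
Review bot: the step directly above the new `code-signing:` job references `sendgrid/dx-automator/actions/datadog-release-metric@main`, a mutable branch, while `DD_API_KEY` is in its environment. Pinning that `uses:` to a full commit SHA would keep a later change on `main` from running with the secret.
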
Contributor

What I understand is: we don't need a separate step to import the certificate now. Where are we storing the certificate then?

echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
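
Review bot: the two lines that write `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` to `$GITHUB_ENV` make both values available to every later step in the job, not only the signing steps. If the tooling only needs them in the environment, a step-level `env:` block mapping `${{ secrets.SM_API_KEY }}` and `${{ secrets.SM_CLIENT_CERT_PASSWORD }}` on just the steps that use them gives the same result with narrower exposure. It also avoids expanding `${{ secrets.* }}` inside the shell script text, where a value containing quotes or `$` would be interpreted by the shell.
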
Contributor

Will this print "****" in the logs? If yes, why do we need to print it? If no, let's not print it at all. :)

Contributor Author

These lines will just set env variables and won't print anything; you can check the run here

id: SSMClientToolSetup
uses: digicert/ssm-code-signing@v0.0.2
env:
SM_API_KEY: ${{ env.SM_API_KEY }}
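
Review bot: `digicert/ssm-code-signing@v0.0.2` is pinned to a tag, which can be moved, and this step hands it `SM_API_KEY`. Pin the action to a full commit SHA (keeping the version in a trailing comment), and consider `SM_API_KEY: ${{ secrets.SM_API_KEY }}` here rather than `${{ env.SM_API_KEY }}` so the step does not depend on the earlier `$GITHUB_ENV` write.
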
Contributor

Rather than setting the API_Key in env var, can we use it from GitHub secrets? I see from line 127 that it's originally retrieved from secrets.
Also, please make sure that you add details and values of these secrets in 1pass vault.

Contributor Author

Actually, I tried using SM_API_KEY from secrets but here it reads env variables only, so for that we need to set the env variable. See "x-api-key:%SM_API_KEY%"

- name: Signing using Nuget
run: |
dotnet pack -c Release
nuget sign **/*.nupkg -Timestamper http://timestamp.digicert.com -outputdirectory .\NugetSigned -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
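
Review bot: in the visible lines nothing checks the output of `nuget sign`; with `-Overwrite` and the `**/*.nupkg` glob, every package found under the workspace is signed and written to `.\NugetSigned` without confirmation. Adding `nuget verify -Signatures .\NugetSigned\*.nupkg` after the sign command, and pushing only from `.\NugetSigned`, would fail the job if a package came out unsigned or signed with an unexpected certificate.
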
Contributor

I am confused by the deploy step above (line #90): it has the same pack+sign+push step with secrets.CERTIFICATE_PASSWORD. How does that work in sync with this?

Contributor Author

Oh right, that step needs to be removed now. I will do it right away.

Contributor Author

tiwarishubham635 commented Feb 7, 2024

Here is a successful run of this workflow

sonarcloud bot commented Feb 7, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@sbansla sbansla self-requested a review February 9, 2024 10:03
Contributor

sbansla left a comment

Address review comments. Approving; today is release.

@tiwarishubham635 tiwarishubham635 merged commit 6c79e12 into main Feb 9, 2024
9 checks passed
@tiwarishubham635 tiwarishubham635 deleted the code_signing_workflow branch February 9, 2024 10:06
3 participants