Skip to content

Sign nuget packages with Azure Trusted Signing certificate #23

Sign nuget packages with Azure Trusted Signing certificate

Sign nuget packages with Azure Trusted Signing certificate #23

Workflow file for this run

name: release
on:
push:
branches:
- 'dev/build_signed_packages'
tags:
- 'v*.*.*'
permissions:
id-token: write
contents: read
jobs:
release:
environment: production
runs-on: windows-2022
strategy:
matrix:
configuration: [Release]
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
DOTNET_GENERATE_ASPNET_CERTIFICATE: 0
ContinuousIntegrationBuild: true
RestoreLockedMode: true
RepositoryBranch: '${{ github.ref_name }}'
RepositoryCommit: '${{ github.sha }}'
Configuration: '${{ matrix.configuration }}'
BUILD_SIGN_RELEASE: ${{ vars.BUILD_SIGN_RELEASE }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup dotnet
uses: actions/setup-dotnet@v4
with:
dotnet-version: 8
- name: Setup MSBuild
uses: microsoft/setup-msbuild@v2
- name: Setup dotnet sign
run: dotnet tool install --tool-path . --prerelease sign
- name: Cache dotnet tools
uses: actions/cache@v4
id: cache-dotnettools
with:
path: ~/.dotnet/tools
key: dotnettools
- name: Cache packages
uses: actions/cache@v4
with:
path: ~/.nuget/packages
key: NetOffice-nuget-${{ hashFiles('**/packages.lock.json') }}
restore-keys: |
NetOffice-nuget-
- name: Build information
id: build
run: .\.github\Get-BuildInfo.ps1 -ref '${{ github.ref }}' -event_name '${{ github.event_name }}' -configuration '${{ matrix.configuration }}'
- name: Azure Login
uses: azure/login@v2
with:
client-id: ${{ secrets.TRUSTED_SIGNING_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Build NetOffice
run: |
dotnet build -c ${{ env.Configuration }} Source\NetOffice.sln
env:
VersionSuffix: ${{ steps.build.outputs.app_version_suffix }}
SignOutput: ${{ steps.build.outputs.sign_binaries }}
- name: Archive NetOffice binaries
uses: actions/upload-artifact@v4
with:
name: NetOffice_binaries_v${{ steps.build.outputs.app_version_full }}_${{ matrix.configuration }}
path: '${{ github.workspace }}\Source\ClientApplication\bin\${{ matrix.configuration }}'
- name: Pack NetOffice
id: packages
if: steps.build.outputs.publish_nuget == 'true'
run: |
dotnet pack --no-build --no-restore Source\NetOffice.sln -c ${{ env.Configuration }} -o dist
env:
VersionSuffix: ${{ steps.build.outputs.app_version_suffix }}
- name: Sign NetOffice packages
if: success() && steps.build.outputs.publish_nuget == 'true' && steps.build.outputs.sign_binaries == 'true'
run: |
$trustedsigning = Get-Content .\Source\trustedsigning.json | ConvertFrom-Json
./sign code trusted-signing `
**/*.nupkg `
--base-directory "${{ github.workspace }}/dist" `
--publisher-name "NetOffice" `
--description "NetOffice Framework" `
--description-url "https://github.com/NetOfficeFw/NetOffice" `
--trusted-signing-endpoint $trustedsigning.Endpoint `
--trusted-signing-account $trustedsigning.CodeSigningAccountName `
--trusted-signing-certificate-profile $trustedsigning.CertificateProfileName
- name: Extract certificate
working-directory: '${{ github.workspace}}\dist'
run: |
dotnet tool install --global Knapcode.CertificateExtractor --version 0.1.1
$nupkg = gci *.nupkg
nuget-cert-extractor --file $nupkg --output certificates --code-signing --author --leaf
- name: Archive NetOffice packages
if: steps.packages.outcome == 'success'
uses: actions/upload-artifact@v4
with:
name: NetOffice_packages_v${{ steps.build.outputs.app_version_full }}
path: '${{ github.workspace }}\dist'
- name: Archive certificates
if: steps.packages.outcome == 'success'
uses: actions/upload-artifact@v4
with:
name: Certificates
path: '${{ github.workspace }}\dist\certificates'
# - name: Publish packages
# if: steps.packages.outcome == 'success'
# working-directory: '${{ github.workspace}}\dist'
# run: |
# dotnet nuget push *.nupkg --api-key $env:NUGET_TOKEN --source https://api.nuget.org/v3/index.json
# env:
# NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}