diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 2847e5fb68..945b180bbe 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -19,4 +19,4 @@ jobs: - name: Setup NUKE run: dotnet tool install Nuke.GlobalTool --global - name: Push to NuGet - run: nuke PushToNuGet --configuration Release --msbuild-properties ContinuousIntegrationBuild=true SilkEnableSourceLink=true --feature-sets Android iOS --nuget-api-key ${{ secrets.NUGET_TOKEN }} + run: nuke PushToNuGet --configuration Release --msbuild-properties ContinuousIntegrationBuild=true SilkEnableSourceLink=true --feature-sets Android iOS --nuget-api-key ${{ secrets.NUGET_TOKEN }} --sign-username "${{ secrets.SIGN_USERNAME }}" --sign-password "${{ secrets.SIGN_PASSWORD }}" diff --git a/build/codesigning/.gitignore b/build/codesigning/.gitignore new file mode 100644 index 0000000000..03c093451e --- /dev/null +++ b/build/codesigning/.gitignore @@ -0,0 +1 @@ +tool/ \ No newline at end of file diff --git a/build/codesigning/config.json b/build/codesigning/config.json new file mode 100644 index 0000000000..1bf7b2b9ba --- /dev/null +++ b/build/codesigning/config.json @@ -0,0 +1,13 @@ +{ + "SignClient": { + "AzureAd": { + "AADInstance": "https://login.microsoftonline.com/", + "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8", + "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e" + }, + "Service": { + "Url": "https://codesign.dotnetfoundation.org/", + "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001" + } + } +} \ No newline at end of file diff --git a/build/codesigning/filelist.txt b/build/codesigning/filelist.txt new file mode 100644 index 0000000000..724b8d0a94 --- /dev/null +++ b/build/codesigning/filelist.txt @@ -0,0 +1 @@ +**/Silk.NET* diff --git a/build/nuke/Build.cs b/build/nuke/Build.cs index 21c2292224..5cdb87e162 100644 --- a/build/nuke/Build.cs +++ b/build/nuke/Build.cs 
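Review bot: In the deploy.yml hunk, the added `--sign-username "${{ secrets.SIGN_USERNAME }}" --sign-password "${{ secrets.SIGN_PASSWORD }}"` is expanded into the script text before the shell parses it, so a secret containing `"`, `$` or a backtick changes the command. Both values also end up on the `nuke` command line, where they are visible in the runner's process list. Passing them through the step environment avoids both problems: add `env:` with `SIGN_USERNAME: ${{ secrets.SIGN_USERNAME }}` and `SIGN_PASSWORD: ${{ secrets.SIGN_PASSWORD }}`, and drop the two flags. NUKE can resolve `[Parameter]` fields from environment variables, but confirm the name mapping for the NUKE version this build uses. The unquoted `--nuget-api-key ${{ secrets.NUGET_TOKEN }}` on the same line has the same exposure.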
@@ -14,6 +14,7 @@ using static Nuke.Common.Tools.MSBuild.MSBuildTasks; using static Nuke.Common.Tools.DotNet.DotNetTasks; using static Nuke.Common.IO.FileSystemTasks; +using static Nuke.Common.Tooling.ProcessTasks; [CheckBuildProjectConfigurations] [UnsetVisualStudioEnvironmentVariables] @@ -77,6 +78,8 @@ bool HasDesktopMsBuild [Parameter("NuGet feed")] readonly string NugetFeed = "https://api.nuget.org/v3/index.json"; [Parameter("NuGet username")] readonly string NugetUsername; [Parameter("NuGet password")] readonly string NugetPassword; + [Parameter("Code-signing service username")] readonly string SignUsername; + [Parameter("Code-signing service password")] readonly string SignPassword; [Parameter("Extra properties passed to MSBuild commands")] readonly string[] MsbuildProperties = Array.Empty(); @@ -223,8 +226,8 @@ Dictionary ProcessedMsbuildProperties { var silkDroid = SourceDirectory / "Windowing" / "Android" / "SilkDroid"; using var process = RuntimeInformation.IsOSPlatform(OSPlatform.Linux) - ? ProcessTasks.StartProcess("bash", "-c \"./gradlew clean\"", silkDroid) - : ProcessTasks.StartProcess("cmd", "/c \".\\gradlew clean\"", silkDroid); + ? StartProcess("bash", "-c \"./gradlew clean\"", silkDroid) + : StartProcess("cmd", "/c \".\\gradlew clean\"", silkDroid); process.AssertZeroExitCode(); return process.Output; } @@ -365,8 +368,8 @@ Dictionary ProcessedMsbuildProperties } using var process = RuntimeInformation.IsOSPlatform(OSPlatform.Linux) - ? ProcessTasks.StartProcess("bash", "-c \"./gradlew build\"", silkDroid) - : ProcessTasks.StartProcess("cmd", "/c \".\\gradlew build\"", silkDroid); + ? StartProcess("bash", "-c \"./gradlew build\"", silkDroid) + : StartProcess("cmd", "/c \".\\gradlew build\"", silkDroid); process.AssertZeroExitCode(); var ret = process.Output; CopyFile 
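Review bot: The descriptions on the new `SignUsername` and `SignPassword` parameters do not say that leaving either one empty turns signing off. The `PushPackages` hunk further down signs only when both are non-blank, and no log line is visible on the skip path, so a missing or renamed workflow secret would apparently publish unsigned packages without anyone noticing. I would state this in the description, e.g. `[Parameter("Code-signing service password; signing is skipped when this or SignUsername is empty")]`, and log a warning when signing is skipped. The class these fields belong to starts and ends outside the hunk.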
@@ -417,19 +420,46 @@ Dictionary ProcessedMsbuildProperties Target FullPack => _ => _ .DependsOn(BuildLibSilkDroid, RegenerateBindings, Pack); - Target PushToNuGet => _ => _ + Target PushToNuGet => _ => _ .DependsOn(Pack) .Executes(PushPackages); Target FullPushToNuGet => _ => _ .DependsOn(FullPack, PushToNuGet); + static string PackageDirectory => RootDirectory / "build" / "output_packages"; + static IEnumerable Packages => Directory.GetFiles(PackageDirectory, "*.nupkg") + .Where(x => Path.GetFileName(x).StartsWith("Silk.NET") || Path.GetFileName(x).StartsWith("Ultz.Native")); + async Task PushPackages() { const int rateLimit = 300; - var allFiles = Directory.GetFiles(RootDirectory / "build" / "output_packages", "*.nupkg") - .Where(x => Path.GetFileName(x).StartsWith("Silk.NET") || Path.GetFileName(x).StartsWith("Ultz.Native")) - .Select((x, i) => new {Index = i, Value = x}) + if (!string.IsNullOrWhiteSpace(SignUsername) && !string.IsNullOrWhiteSpace(SignPassword)) + { + var basePath = RootDirectory / "build" / "codesigning"; + var execPath = basePath / "tool" / (OperatingSystem.IsWindows() ? "SignClient.exe" : "SignClient"); + if (!File.Exists(execPath)) + { + DotNetToolInstall(s => s.SetToolInstallationPath(basePath / "tool").SetPackageName("SignClient")); + } + + StartProcess + ( + execPath, + "sign " + + $"--baseDirectory {PackageDirectory} " + + "--input \"**/*.nupkg\" " + + $"--config \"{basePath / "config.json"}\" " + + $"--filelist \"{basePath / "filelist.txt"}\" " + + $"--user \"{SignUsername}\" " + + $"--secret \"{SignPassword}\" " + + "--name \"Silk.NET\" " + + "--description \"Silk.NET\" " + + "--descriptionUrl \"https://github.com/dotnet/Silk.NET\"" + ).AssertZeroExitCode(); + } + + var allFiles = Packages.Select((x, i) => new {Index = i, Value = x}) .GroupBy(x => x.Index / rateLimit) .Select(x => x.Select(v => v.Value).ToList()) .ToList();
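Review bot: The signing password is placed on SignClient's command line in `PushPackages` (`--secret \"{SignPassword}\"`), so it is visible in the process list and presumably in NUKE's invocation log wherever GitHub's secret masking does not apply; a `"` in either credential also breaks the quoting. If the NUKE version in use has the `outputFilter` argument on `StartProcess`, pass `outputFilter: s => s.Replace(SignPassword, "***")`. `--baseDirectory {PackageDirectory}` is the only path argument left unquoted and should be `$"--baseDirectory \"{PackageDirectory}\" "`. Separately, `DotNetToolInstall` fetches `SignClient` without a version, so the tool that receives these credentials is whatever is newest at build time; pin it with e.g. `.SetVersion("<pinned-version>")`. The body of `PushPackages` continues past the end of the hunk.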