full workflow #480
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - dotnet-tool-signing | |
| permissions: | |
| id-token: write | |
| contents: write | |
| jobs: | |
| prereqs: | |
| name: Prerequisites | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set version | |
| run: echo "version=$(cat VERSION | sed -E 's/.[0-9]+$//')" >> $GITHUB_OUTPUT | |
| id: version | |
| # ================================ | |
| # .NET Tool | |
| # ================================ | |
| dotnet-tool-build: | |
| name: Build .NET tool | |
| runs-on: ubuntu-latest | |
| needs: prereqs | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up .NET | |
| uses: actions/[email protected] | |
| with: | |
| dotnet-version: 7.0.x | |
| - name: Build .NET tool | |
| run: | | |
| src/shared/DotnetTool/layout.sh --configuration=Release | |
| - name: Upload .NET tool artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-build | |
| path: | | |
| out/shared/DotnetTool/nupkg/Release | |
| dotnet-tool-payload-sign: | |
| name: Sign .NET tool payload | |
| # ESRP service requires signing to run on Windows | |
| runs-on: windows-latest | |
| environment: release | |
| needs: dotnet-tool-build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download payload | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-build | |
| - name: Log into Azure | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Download/extract Sign CLI tool | |
| env: | |
| AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }} | |
| ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }} | |
| SCT: ${{ secrets.SIGN_CLI_TOOL }} | |
| run: | | |
| az storage blob download --file sign-cli.zip --auth-mode login ` | |
| --account-name $env:AST --container-name $env:ASC --name $env:SCT | |
| Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli | |
| - name: Sign payload | |
| run: | | |
| ./sign-cli/sign.exe code azcodesign payload/* ` | |
| -acsu https://wus2.codesigning.azure.net/ ` | |
| -acsa git-fundamentals-signing ` | |
| -acscp git-fundamentals-windows-signing ` | |
| -d "Git Fundamentals Windows Signing Certificate" ` | |
| -u "https://github.com/git-ecosystem/git-credential-manager" ` | |
| -acst ${{ secrets.AZURE_TENANT_ID }} ` | |
| -acsi ${{ secrets.AZURE_CLIENT_ID }} ` | |
| -acss ${{ secrets.AZURE_CLIENT_SECRET }} | |
| - name: Upload signed payload | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dotnet-tool-payload-sign | |
| path: | | |
| payload | |
| dotnet-tool-pack: | |
| name: Package .NET tool | |
| runs-on: ubuntu-latest | |
| needs: dotnet-tool-payload-sign | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download signed payload | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dotnet-tool-payload-sign | |
| path: signed | |
| - name: Set up .NET | |
| uses: actions/[email protected] | |
| with: | |
| dotnet-version: 7.0.x | |
| - name: Package tool | |
| run: | | |
| src/shared/DotnetTool/pack.sh --configuration=Release \ | |
| --version="${{ needs.prereqs.outputs.version }}" \ | |
| --publish-dir=$(pwd)/signed | |
| - name: Upload unsigned package | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-package-unsigned | |
| path: | | |
| out/shared/DotnetTool/nupkg/Release/*.nupkg | |
| dotnet-tool-sign: | |
| name: Sign .NET tool package | |
| runs-on: windows-latest | |
| environment: release | |
| needs: dotnet-tool-pack | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download unsigned package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: tmp.dotnet-tool-package-unsigned | |
| path: nupkg | |
| - name: Log into Azure | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Sign package | |
| run: | | |
| ./sign-cli/sign.exe code azcodesign nupkg/* ` | |
| -acsu https://wus2.codesigning.azure.net/ ` | |
| -acsa git-fundamentals-signing ` | |
| -acscp git-fundamentals-windows-signing ` | |
| -d "Git Fundamentals Windows Signing Certificate" ` | |
| -u "https://github.com/git-ecosystem/git-credential-manager" ` | |
| -acst ${{ secrets.AZURE_TENANT_ID }} ` | |
| -acsi ${{ secrets.AZURE_CLIENT_ID }} ` | |
| -acss ${{ secrets.AZURE_CLIENT_SECRET }} | |
| - name: Publish signed package | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dotnet-tool-sign | |
| path: signed/*.nupkg | |
| # ================================ | |
| # Validate | |
| # ================================ | |
| validate: | |
| name: Validate installers | |
| strategy: | |
| matrix: | |
| component: | |
| - os: ubuntu-latest | |
| artifact: dotnet-tool-sign | |
| command: git-credential-manager | |
| description: dotnet-tool | |
| runs-on: ${{ matrix.component.os }} | |
| needs: dotnet-tool-sign | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up .NET | |
| uses: actions/[email protected] | |
| with: | |
| dotnet-version: 7.0.x | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ matrix.component.artifact }} | |
| - name: Install Windows | |
| if: contains(matrix.component.description, 'windows') | |
| shell: pwsh | |
| run: | | |
| $exePaths = Get-ChildItem -Path ./installers/*.exe | %{$_.FullName} | |
| foreach ($exePath in $exePaths) | |
| { | |
| Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART" | |
| } | |
| - name: Install .NET tool | |
| if: contains(matrix.component.description, 'dotnet-tool') | |
| run: | | |
| nupkgpath=$(find ./*.nupkg) | |
| dotnet tool install -g --add-source $(dirname "$nupkgpath") git-credential-manager | |
| "${{ matrix.component.command }}" configure | |
| - name: Validate | |
| shell: bash | |
| run: | | |
| "${{ matrix.component.command }}" --version | sed 's/+.*//' >actual | |
| cat VERSION | sed -E 's/.[0-9]+$//' >expect | |
| cmp expect actual || exit 1Q |