release.yml
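# Release workflow: builds the .NET tool payload, signs it on a Windows
# runner after logging into Azure, and packages the signed payload.
# It runs only when started manually (workflow_dispatch).
#
# NOTE(review): every `uses:` below references a mutable tag. For a workflow
# that can reach signing infrastructure, consider pinning each action to a
# full commit SHA and keeping the tag as a trailing comment.
name: release

on:
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN. No job in this file writes to the
# repository; a job that publishes a release should request
# `contents: write` for itself instead of widening this default.
permissions:
  contents: read

jobs:
  prereqs:
    name: Prerequisites
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Set version
        id: version
        # Publishes the contents of VERSION without its final ".<digits>"
        # component. The dot is escaped so that only a literal "." in front
        # of the trailing digits is stripped.
        run: |
          echo "version=$(sed -E 's/\.[0-9]+$//' VERSION)" >> "$GITHUB_OUTPUT"

  # ================================
  # .NET Tool
  # ================================
  dotnet-tool-build:
    name: Build .NET tool
    runs-on: ubuntu-latest
    needs: prereqs
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up .NET
        # NOTE(review): the ref after `setup-dotnet@` is unreadable in this
        # listing (an e-mail-obfuscation placeholder took its place). Restore
        # the real tag or commit SHA from the repository before running.
        uses: actions/[email protected]
        with:
          dotnet-version: '7.0.x'
      - name: Build .NET tool
        run: |
          src/shared/DotnetTool/layout.sh --configuration=Release
      - name: Upload .NET tool artifacts
        uses: actions/upload-artifact@v4
        with:
          name: tmp.dotnet-tool-build
          path: |
            out/shared/DotnetTool/nupkg/Release

  dotnet-tool-payload-sign:
    name: Sign .NET tool payload
    # ESRP service requires signing to run on Windows
    runs-on: windows-latest
    environment: release
    needs: dotnet-tool-build
    # Only this job logs into Azure with the workflow's OIDC token, so only
    # this job is granted `id-token: write`.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download payload
        uses: actions/download-artifact@v4
        with:
          name: tmp.dotnet-tool-build
      - name: Log into Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Download/extract Sign CLI tool
        shell: pwsh
        # NOTE(review): AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_CONTAINER and
        # SIGN_CLI_TOOL are read from the environment, but no `env:` block in
        # this file sets them; confirm where they are defined.
        # NOTE(review): the archive is unpacked and its sign.exe is run in the
        # next step without an integrity check. Consider comparing its SHA-256
        # (Get-FileHash) with a pinned value before Expand-Archive.
        run: |
          az storage blob download --file sign-cli.zip --auth-mode login `
            --account-name $env:AZURE_STORAGE_ACCOUNT --container `
            $env:AZURE_STORAGE_CONTAINER --name $env:SIGN_CLI_TOOL
          Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
      - name: Sign payload
        shell: pwsh
        run: |
          ./sign-cli/sign.exe code azcodesign payload/* `
            -acsu https://wus2.codesigning.azure.net/ `
            -acsa git-fundamentals-signing `
            -acscp git-fundamentals-windows-signing `
            -d "Git Fundamentals Windows Signing Certificate" `
            -u "https://github.com/git-ecosystem/git-credential-manager" `
            -acsm true
      - name: Lay out signed payload, images, and symbols
        shell: bash
        # NOTE(review): this step deletes `payload`, the directory the signing
        # step was pointed at, and unpacks `signed/payload.zip`, which no step
        # in this file creates. Confirm that the uploaded artifact really
        # contains the signed binaries.
        run: |
          mkdir dotnet-tool-payload-sign
          rm -rf payload
          mv images payload.sym -t dotnet-tool-payload-sign
          unzip signed/payload.zip -d dotnet-tool-payload-sign
      - name: Upload signed payload
        uses: actions/upload-artifact@v4
        with:
          name: dotnet-tool-payload-sign
          path: |
            dotnet-tool-payload-sign

  dotnet-tool-pack:
    name: Package .NET tool
    runs-on: ubuntu-latest
    needs:
      - prereqs
      - dotnet-tool-payload-sign
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download signed payload
        uses: actions/download-artifact@v4
        with:
          name: dotnet-tool-payload-sign
          path: signed
      - name: Set up .NET
        # NOTE(review): the ref after `setup-dotnet@` is unreadable in this
        # listing (an e-mail-obfuscation placeholder took its place). Restore
        # the real tag or commit SHA from the repository before running.
        uses: actions/[email protected]
        with:
          dotnet-version: '7.0.x'
      - name: Package tool
        # The version reaches the script through the environment instead of
        # being expanded into the script text, so its contents are never
        # parsed as shell syntax. The variable name is deliberately not
        # VERSION, to stay clear of names the build tooling might read.
        env:
          PREREQS_VERSION: ${{ needs.prereqs.outputs.version }}
        run: |
          src/shared/DotnetTool/pack.sh --configuration=Release \
            --version="$PREREQS_VERSION" \
            --publish-dir="$(pwd)/signed"
      # NOTE(review): no job in this file consumes this artifact, so the
      # .nupkg itself is not signed here.
      - name: Upload unsigned package
        uses: actions/upload-artifact@v4
        with:
          name: tmp.dotnet-tool-package-unsigned
          path: |
            out/shared/DotnetTool/nupkg/Release/*.nupkg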