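---
name: Build and Publish

# Builds the project, Authenticode-signs the output DLLs and the NuGet package
# with a certificate held in GitHub secrets, then publishes to NuGet.org using
# OIDC trusted publishing. Triggered by any pushed tag or a manual dispatch.
on:
  push:
    tags:
      - '*'
  workflow_dispatch:

env:
  BUILD_CONFIGURATION: Release
  DOTNET_VERSION: '9.x'

jobs:
  build-sign-publish:
    runs-on: windows-latest
    environment: nuget-org-publish
    # id-token is required by nuget/login for the OIDC exchange; nothing in this
    # job writes back to the repository.
    permissions:
      id-token: write
      contents: read
    steps:
      # Actions are referenced by major-version tag; pinning to a full commit
      # SHA gives a stronger guarantee against upstream tag movement.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}

      # The tag name is read from the runner-provided GITHUB_REF_NAME env var
      # instead of being interpolated with ${{ }} into the script, so a
      # maliciously named tag cannot inject PowerShell into this step.
      - name: Get version from tag
        id: version
        shell: pwsh
        run: |
          # A leading "v" (v1.2.3) is tolerated; MSBuild wants the bare number.
          $version = $env:GITHUB_REF_NAME -replace '^v', ''
          # On workflow_dispatch GITHUB_REF_NAME is a branch name, not a version;
          # fail here with a clear message rather than inside dotnet build.
          if ($version -notmatch '^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$') {
            Write-Error "Ref '$env:GITHUB_REF_NAME' is not a version tag; refusing to build '$version'"
            exit 1
          }
          Write-Host "Version: $version"
          echo "version=$version" >> $env:GITHUB_OUTPUT

      - name: Build
        shell: pwsh
        env:
          PACKAGE_VERSION: ${{ steps.version.outputs.version }}
        run: |
          dotnet build Infragistics.QueryBuilder.Executor.csproj `
            -c $env:BUILD_CONFIGURATION `
            /p:Version=$env:PACKAGE_VERSION

      # The base64 PFX is passed through the environment rather than pasted into
      # the script text, and decoded into the runner's temp directory.
      - name: Setup Code Signing Certificate
        shell: pwsh
        env:
          SIGNING_CERTIFICATE_B64: ${{ secrets.SIGNING_CERTIFICATE_2023_2026 }}
        run: |
          Write-Host "Setting up code signing certificate from GitHub secrets..."
          if ([string]::IsNullOrWhiteSpace($env:SIGNING_CERTIFICATE_B64)) {
            Write-Error "SIGNING_CERTIFICATE_2023_2026 is empty or not available to this environment"
            exit 1
          }
          $certPath = Join-Path $env:RUNNER_TEMP "certificate.pfx"
          $certBytes = [Convert]::FromBase64String($env:SIGNING_CERTIFICATE_B64)
          [System.IO.File]::WriteAllBytes($certPath, $certBytes)
          Write-Host "Certificate written to: $certPath"

      # Deliberately no continue-on-error: a signing failure must stop the job
      # before pack/publish, otherwise unsigned binaries would be shipped and the
      # explicit `exit 1` calls below would be meaningless.
      - name: Sign all DLL files
        shell: pwsh
        env:
          CERT_PASS: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD }}
          TIMESTAMP_URL: ${{ vars.SIGNING_CERTIFICATE_TIMESTAMP_URL }}
        run: |
          $dllFolder = Join-Path $env:GITHUB_WORKSPACE "bin\${env:BUILD_CONFIGURATION}\net9.0"
          $certPath = Join-Path $env:RUNNER_TEMP "certificate.pfx"
          # Without a timestamp the signatures expire with the certificate.
          if ([string]::IsNullOrWhiteSpace($env:TIMESTAMP_URL)) {
            Write-Error "SIGNING_CERTIFICATE_TIMESTAMP_URL is not set; signatures would not be timestamped"
            exit 1
          }
          Write-Host "Signing DLLs in folder: $dllFolder"
          # Find the latest signtool.exe
          Write-Host "##[section]Starting search for signtool.exe at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff')"
          $signtoolPath = $null
          $searchPaths = @(
            "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe",
            "C:\Program Files (x86)\Windows Kits\10\bin\*\x86\signtool.exe",
            "C:\Program Files (x86)\Microsoft SDKs\Windows\*\bin\*\signtool.exe",
            "C:\Program Files (x86)\Microsoft SDKs\Windows\*\bin\signtool.exe"
          )
          foreach ($searchPath in $searchPaths) {
            # Descending sort on the full path picks the highest SDK version directory.
            $foundPaths = Get-ChildItem -Path $searchPath -ErrorAction SilentlyContinue | Sort-Object -Property FullName -Descending
            if ($foundPaths) {
              $signtoolPath = $foundPaths[0].FullName
              break
            }
          }
          if (-not $signtoolPath) {
            Write-Error "signtool.exe not found in any of the well-known locations"
            exit 1
          }
          Write-Host "##[section]Found signtool.exe at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff')"
          Write-Host "Using signtool at: $signtoolPath"
          $dllFiles = Get-ChildItem -Path $dllFolder -Filter *.dll -Recurse
          # An empty folder means the build output is not where we expect; signing
          # nothing and then publishing would silently ship unsigned binaries.
          if (-not $dllFiles) {
            Write-Error "No DLL files found under $dllFolder; nothing to sign"
            exit 1
          }
          foreach ($dll in $dllFiles) {
            Write-Host "Signing $($dll.FullName)..."
            & $signtoolPath sign /f $certPath /p $env:CERT_PASS /tr $env:TIMESTAMP_URL /td sha256 /fd sha256 $dll.FullName
            if ($LASTEXITCODE -ne 0) {
              Write-Error "Signing failed for $($dll.FullName)"
              exit 1
            }
          }

      - name: Pack NuGet package
        shell: pwsh
        env:
          PACKAGE_VERSION: ${{ steps.version.outputs.version }}
        run: |
          $packageOutputDir = Join-Path $env:GITHUB_WORKSPACE "nupkg"
          Write-Host "Packing project from existing build output..."
          # --no-build reuses the signed binaries from the Build step.
          dotnet pack ./Infragistics.QueryBuilder.Executor.csproj `
            --no-build `
            --configuration $env:BUILD_CONFIGURATION `
            -p:PackageVersion=$env:PACKAGE_VERSION `
            -o $packageOutputDir
          if ($LASTEXITCODE -ne 0) {
            Write-Error "dotnet pack failed"
            exit 1
          }

      - name: Sign NuGet package (using dotnet nuget sign)
        shell: pwsh
        env:
          SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD }}
          SIGNING_CERTIFICATE_TIMESTAMP_URL: ${{ vars.SIGNING_CERTIFICATE_TIMESTAMP_URL }}
        run: |
          $certPath = Join-Path $env:RUNNER_TEMP "certificate.pfx"
          $nupkgPath = Join-Path $env:GITHUB_WORKSPACE "nupkg\*.nupkg"
          dotnet nuget sign $nupkgPath `
            --certificate-path $certPath `
            --certificate-password "$env:SIGNING_CERTIFICATE_PASSWORD" `
            --timestamper "$env:SIGNING_CERTIFICATE_TIMESTAMP_URL" `
            --overwrite
          if ($LASTEXITCODE -ne 0) {
            Write-Error "dotnet nuget sign failed"
            exit 1
          }

      - name: NuGet login (OIDC Trusted Publishing)
        uses: nuget/login@v1
        id: nuget-login
        with:
          user: ${{ secrets.INFRAGISTICS_NUGET_ORG_USER }}

      # The short-lived API key from nuget/login is passed via env so it is not
      # embedded in the script text that the runner logs and evaluates.
      - name: Publish to NuGet.org
        shell: pwsh
        env:
          NUGET_API_KEY: ${{ steps.nuget-login.outputs.nuget-api-key }}
        run: |
          $nupkgPath = Join-Path $env:GITHUB_WORKSPACE "nupkg\*.nupkg"
          dotnet nuget push $nupkgPath `
            --api-key $env:NUGET_API_KEY `
            --source https://api.nuget.org/v3/index.json

      # Runs even when an earlier step failed so the PFX never outlives the job.
      - name: Clean up certificate
        if: always()
        shell: pwsh
        run: |
          $certPath = Join-Path $env:RUNNER_TEMP "certificate.pfx"
          if (Test-Path $certPath) {
            Remove-Item $certPath -Force
            Write-Host "Certificate cleaned up"
          }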