|
| 1 | +name: Build and Publish |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + |
| 6 | +env: |
| 7 | + BUILD_CONFIGURATION: Release |
| 8 | + DOTNET_VERSION: '9.x' |
| 9 | + |
| 10 | +jobs: |
| 11 | + build-sign-publish: |
| 12 | + runs-on: windows-latest |
| 13 | + environment: nuget-org-publish |
| 14 | + permissions: |
| 15 | + id-token: write |
| 16 | + contents: read |
| 17 | + |
| 18 | + steps: |
| 19 | + - name: Checkout |
| 20 | + uses: actions/checkout@v4 |
| 21 | + with: |
| 22 | + fetch-depth: 0 |
| 23 | + |
| 24 | + - name: Setup .NET |
| 25 | + uses: actions/setup-dotnet@v4 |
| 26 | + with: |
| 27 | + dotnet-version: ${{ env.DOTNET_VERSION }} |
| 28 | + |
| 29 | + - name: Get version from tag |
| 30 | + id: version |
| 31 | + shell: pwsh |
| 32 | + run: | |
| 33 | + $version = "${{ github.ref_name }}" |
| 34 | + $version = "99.99.99" |
| 35 | + Write-Host "Version: $version" |
| 36 | + echo "version=$version" >> $env:GITHUB_OUTPUT |
| 37 | +
|
| 38 | + - name: Build |
| 39 | + run: | |
| 40 | + dotnet build Infragistics.QueryBuilder.Executor.csproj ` |
| 41 | + -c ${{ env.BUILD_CONFIGURATION }} ` |
| 42 | + /p:Version=${{ steps.version.outputs.version }} |
| 43 | +
|
| 44 | + - name: Setup Code Signing Certificate |
| 45 | + run: | |
| 46 | + Write-Host "Setting up code signing certificate from GitHub secrets..." |
| 47 | +
|
| 48 | + # Create certificate file from secret (base64 encoded) |
| 49 | + $certBytes = [Convert]::FromBase64String("${{ secrets.SIGNING_CERTIFICATE_2023_2026 }}") |
| 50 | + [System.IO.File]::WriteAllBytes("${{ runner.temp }}\certificate.pfx", $certBytes) |
| 51 | + Write-Host "Certificate written to: $certPath" |
| 52 | + shell: pwsh |
| 53 | + |
| 54 | + - name: Sign all DLL files |
| 55 | + if: false # This step will never run |
| 56 | + shell: pwsh |
| 57 | + env: |
| 58 | + CERT_PASS: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD }} |
| 59 | + TIMESTAMP_URL: ${{ vars.SIGNING_CERTIFICATE_TIMESTAMP_URL }} |
| 60 | + run: | |
| 61 | + $dllFolder = "${{ github.workspace }}\bin\${{ env.BUILD_CONFIGURATION }}\net9.0" |
| 62 | + $certPath = "${{ runner.temp }}\certificate.pfx" |
| 63 | + Write-Host "Signing DLLs in folder: $dllFolder" |
| 64 | +
|
| 65 | + # Find the latest signtool.exe |
| 66 | + Write-Host "##[section]Starting search for signtool.exe at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff')" |
| 67 | + |
| 68 | + $signtoolPath = $null |
| 69 | + $searchPaths = @( |
| 70 | + "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe", |
| 71 | + "C:\Program Files (x86)\Windows Kits\10\bin\*\x86\signtool.exe", |
| 72 | + "C:\Program Files (x86)\Microsoft SDKs\Windows\*\bin\*\signtool.exe", |
| 73 | + "C:\Program Files (x86)\Microsoft SDKs\Windows\*\bin\signtool.exe" |
| 74 | + ) |
| 75 | + |
| 76 | + foreach ($searchPath in $searchPaths) { |
| 77 | + $foundPaths = Get-ChildItem -Path $searchPath -ErrorAction SilentlyContinue | Sort-Object -Property FullName -Descending |
| 78 | + if ($foundPaths) { |
| 79 | + $signtoolPath = $foundPaths[0].FullName |
| 80 | + break |
| 81 | + } |
| 82 | + } |
| 83 | + |
| 84 | + if (-not $signtoolPath) { |
| 85 | + Write-Error "signtool.exe not found in any of the well-known locations" |
| 86 | + exit 1 |
| 87 | + } |
| 88 | + |
| 89 | + Write-Host "##[section]Found signtool.exe at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff')" |
| 90 | + Write-Host "Using signtool at: $signtoolPath" |
| 91 | +
|
| 92 | + $dllFiles = Get-ChildItem -Path $dllFolder -Filter *.dll -Recurse |
| 93 | + foreach ($dll in $dllFiles) { |
| 94 | + Write-Host "Signing $($dll.FullName)..." |
| 95 | + & $signtoolPath sign /f $certPath /p $env:CERT_PASS /tr $env:TIMESTAMP_URL /td sha256 /fd sha256 $dll.FullName |
| 96 | +
|
| 97 | + if ($LASTEXITCODE -ne 0) { |
| 98 | + Write-Error "Signing failed for $($dll.FullName)" |
| 99 | + exit 1 |
| 100 | + } |
| 101 | + } |
| 102 | +
|
| 103 | + - name: Pack NuGet package |
| 104 | + shell: pwsh |
| 105 | + run: | |
| 106 | + $packageOutputDir = "${{ github.workspace }}\nupkg" |
| 107 | + $packageVersion = "${{ steps.version.outputs.version }}" |
| 108 | +
|
| 109 | + Write-Host "Packing project from existing build output..." |
| 110 | + dotnet pack ./Infragistics.QueryBuilder.Executor.csproj ` |
| 111 | + --no-build ` |
| 112 | + --configuration ${{ env.BUILD_CONFIGURATION }} ` |
| 113 | + -p:PackageVersion=$packageVersion ` |
| 114 | + -o $packageOutputDir |
| 115 | +
|
| 116 | + if ($LASTEXITCODE -ne 0) { |
| 117 | + Write-Error "dotnet pack failed" |
| 118 | + exit 1 |
| 119 | + } |
| 120 | +
|
| 121 | + - name: Sign NuGet package |
| 122 | + shell: pwsh |
| 123 | + env: |
| 124 | + SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD }} |
| 125 | + SIGNING_CERTIFICATE_TIMESTAMP_URL: ${{ vars.SIGNING_CERTIFICATE_TIMESTAMP_URL }} |
| 126 | + run: | |
| 127 | + $certPath = "${{ runner.temp }}\certificate.pfx" |
| 128 | + $nupkgPath = "${{ github.workspace }}\nupkg\*.nupkg" |
| 129 | + |
| 130 | + dotnet nuget sign $nupkgPath ` |
| 131 | + --certificate-path $certPath ` |
| 132 | + --certificate-password "$env:SIGNING_CERTIFICATE_PASSWORD" ` |
| 133 | + --timestamper "$env:SIGNING_CERTIFICATE_TIMESTAMP_URL" ` |
| 134 | + --overwrite |
| 135 | +
|
| 136 | +
|
| 137 | + - name: NuGet login (OIDC Trusted Publishing) |
| 138 | + uses: nuget/login@v1 |
| 139 | + id: nuget-login |
| 140 | + with: |
| 141 | + user: ${{ secrets.NUGET_ORG_USER }} |
| 142 | + |
| 143 | + - name: Clean up certificate |
| 144 | + if: always() |
| 145 | + shell: pwsh |
| 146 | + run: | |
| 147 | + $certPath = "${{ runner.temp }}\certificate.pfx" |
| 148 | + if (Test-Path $certPath) { |
| 149 | + Remove-Item $certPath -Force |
| 150 | + Write-Host "Certificate cleaned up" |
| 151 | + } |
0 commit comments