Sign nuget package using dotnet sign tool

jozefizso · jozefizso · commit a0f3ef0f61ee · 2024-12-07T19:46:48.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,6 +5,10 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
 
   build:
@@ -32,6 +36,16 @@ jobs:
     - name: setup msbuild
       uses: microsoft/setup-msbuild@v2
 
+    - name: setup dotnet sign
+      run: dotnet tool install --tool-path . --prerelease sign
+
+    - name: azure login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.TRUSTED_SIGNING_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
     - name: build
       run: dotnet build -c ${{ env.Configuration }}
 
@@ -41,6 +55,18 @@ jobs:
     - name: pack
       run: dotnet pack --no-build --no-restore src/NetOfficeFw.Build.csproj -c ${{ env.Configuration }} -o dist
 
+    - name: sign
+      run: >
+        ./sign code trusted-signing
+        **/*.nupkg
+        --base-directory "${{ github.workspace }}/dist"
+        --publisher-name "NetOffice"
+        --description "NetOffice Build Tasks"
+        --description-url "https://github.com/NetOfficeFw/BuildTasks/"
+        --trusted-signing-endpoint "https://weu.codesigning.azure.net/"
+        --trusted-signing-account "OpenSourceSigning"
+        --trusted-signing-certificate-profile "JozefIzsoOpenSourceProfile"
+
     - name: archive
       if: always()
       uses: actions/upload-artifact@v4
