@@ -2,6 +2,8 @@ name: release
22
33on :
44 push :
5+ branches :
6+ - ' dev/build_signed_packages'
57 tags :
68 - ' v*.*.*'
79
4244 - name : Setup MSBuild
4345 uses : microsoft/setup-msbuild@v2
4446
47+ - name : Setup dotnet sign
48+ run : dotnet tool install --tool-path . --prerelease sign
49+
4550 - name : Cache dotnet tools
4651 uses : actions/cache@v4
4752 id : cache-dotnettools
7075
7176 - name : Build NetOffice
7277 run : |
73- dotnet build Source\NetOffice.sln
78+ dotnet build -c ${{ env.Configuration }} Source\NetOffice.sln
7479 env :
7580 VersionSuffix : ${{ steps.build.outputs.app_version_suffix }}
7681 SignOutput : ${{ steps.build.outputs.sign_binaries }}
@@ -85,23 +90,30 @@ jobs:
8590 id : packages
8691 if : steps.build.outputs.publish_nuget == 'true'
8792 run : |
88- dotnet pack --no-build --no-restore Source\NetOffice.sln -c ${{ matrix.configuration }} -o dist
93+ dotnet pack --no-build --no-restore Source\NetOffice.sln -c ${{ env.Configuration }} -o dist
8994 env :
9095 VersionSuffix : ${{ steps.build.outputs.app_version_suffix }}
9196
92- # - name: Sign NetOffice packages
93- # if: success() && steps.build.outputs.publish_nuget == 'true' && steps.build.outputs.sign_binaries == 'true'
94- # working-directory: '${{ github.workspace}}\dist'
95- # run: |
96- # NuGetKeyVaultSignTool.exe sign *.nupkg `
97- # --file-digest sha256 `
98- # --timestamp-rfc3161 http://timestamp.digicert.com `
99- # --timestamp-digest sha256 `
100- # --azure-key-vault-url https://opensourcesigning.vault.azure.net `
101- # --azure-key-vault-tenant-id "${{ secrets.KEYVAULT_TENANT_ID }}" `
102- # --azure-key-vault-client-id "${{ secrets.KEYVAULT_CLIENT_ID }}" `
103- # --azure-key-vault-client-secret "${{ secrets.KEYVAULT_CLIENT_SECRET }}" `
104- # --azure-key-vault-certificate "goITSolutions-until-2024-01"
97+ - name : Sign NetOffice packages
98+ if : success() && steps.build.outputs.publish_nuget == 'true' && steps.build.outputs.sign_binaries == 'true'
99+ run : |
100+ $trustedsigning = Get-Content .\Source\trustedsigning.json | ConvertFrom-Json
101+
102+ ./sign code trusted-signing `
103+ **/*.nupkg `
104+ --base-directory "${{ github.workspace }}/dist" `
105+ --publisher-name "NetOffice" `
106+ --description "NetOffice Framework" `
107+ --description-url "https://github.com/NetOfficeFw/NetOffice" `
108+ --trusted-signing-endpoint $trustedsigning.Endpoint `
109+ --trusted-signing-account $trustedsigning.CodeSigningAccountName `
110+ --trusted-signing-certificate-profile $trustedsigning.CertificateProfileName
111+
112+ - name : Extract certificate
113+ run : |
114+ dotnet tool install --global Knapcode.CertificateExtractor --version 0.1.1
115+ $nupkg = Get-ChildItem -Filter 'dist\*.nupkg' | Select-Object -First 1
116+ nuget-cert-extractor --file $nupkg --output certificates --code-signing --author --leaf
105117
106118 - name : Archive NetOffice packages
107119 if : steps.packages.outcome == 'success'
@@ -110,10 +122,17 @@ jobs:
110122 name : NetOffice_packages_v${{ steps.build.outputs.app_version_full }}
111123 path : ' ${{ github.workspace }}\dist'
112124
113- - name : Publish packages
125+ - name : Archive certificates
114126 if : steps.packages.outcome == 'success'
115- working-directory : ' ${{ github.workspace}}\dist'
116- run : |
117- dotnet nuget push *.nupkg --api-key $env:NUGET_TOKEN --source https://api.nuget.org/v3/index.json
118- env :
119- NUGET_TOKEN : ${{ secrets.NUGET_TOKEN }}
127+ uses : actions/upload-artifact@v4
128+ with :
129+ name : Certificates
130+ path : ' ${{ github.workspace }}\certificates'
131+
132+ # - name: Publish packages
133+ # if: steps.packages.outcome == 'success'
134+ # working-directory: '${{ github.workspace}}\dist'
135+ # run: |
136+ # dotnet nuget push *.nupkg --api-key $env:NUGET_TOKEN --source https://api.nuget.org/v3/index.json
137+ # env:
138+ # NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}
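Review bot: The new `Setup dotnet sign` step installs the signing tool with `--prerelease` and no version, so each release run fetches whichever prerelease of `sign` is newest at that moment and then uses it to sign the packages. The `Extract certificate` step in the same commit already pins its tool with `--version 0.1.1`, and the signing tool should be pinned the same way, e.g. `run: dotnet tool install --tool-path . sign --version <PINNED_VERSION>` (placeholder for the exact version that was tested). Separately, `Extract certificate` has no `if:`, so it also runs when `sign_binaries` is not 'true' and there may be no signed package to read. It could reuse the condition from `Sign NetOffice packages`, and a `dotnet nuget verify` call at that point would check the signature instead of only exporting the certificate.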