diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 223850f..85f4919 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,29 +1,39 @@ -name: build-and-test +name: BuildTestDeploy on: - pull_request: - branches: - - main + workflow_dispatch: push: branches: - main - workflow_dispatch: {} + - 'release/*' + pull_request: + release: + types: + - published + schedule: + # Run this workflow at 6 PM UTC every Sunday + - cron: "0 18 * * *" concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + env: + DOTNET_CLI_TELEMETRY_OPTOUT: 1 DOTNET_NOLOGO: true - DOTNET_CLI_TELEMETRY_OPTOUT: true jobs: build-and-test: - timeout-minutes: 60 + name: Build, Test and Package + timeout-minutes: 20 strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] runs-on: ${{ matrix.os }} + steps: - name: Setup .NET uses: actions/setup-dotnet@v4 
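Review bot: The comment above the new schedule trigger says the workflow runs "every Sunday", but `"0 18 * * *"` fires at 18:00 UTC every day, and because the downstream `sign` and `dev-feed-deploy` jobs are gated only on `github.event_name != 'pull_request'`, a daily firing means daily signing and daily pushes to the development feed. Either the expression or the comment is wrong: for Sundays use `- cron: "0 18 * * 0"`, otherwise change the comment to `# Run this workflow at 6 PM UTC every day`. The `jobs:` block opened here continues into the next hunk.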
@@ -32,29 +42,154 @@ jobs: 6.0.* 8.0.* 9.0.* + - name: Git checkout uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Restore tools - run: | - dotnet tool restore + run: dotnet tool restore + - name: Restore packages - run: | - dotnet restore - - name: Build - run: | - dotnet build --no-restore --configuration Release + run: dotnet restore --verbosity minimal + + - name: Build solution + run: dotnet build --no-restore --configuration Release --verbosity minimal + - name: Test - run: | - dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true" - - name: Generate packages + run: dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true" + + - name: Collect packages shell: pwsh - run: | - dotnet pack src --no-build --configuration Release --output $env:GITHUB_WORKSPACE/artifacts/packages - - name: Upload packages to artifacts - if: matrix.os == 'ubuntu-latest' + run: dotnet pack src --no-build --configuration Release --output ${{ github.workspace }}/packages + + - name: Upload unsigned packages + if: ${{ matrix.os == 'ubuntu-latest' }} uses: actions/upload-artifact@v4 with: - name: packages - path: artifacts/packages + if-no-files-found: error + name: unsigned-packages + path: ${{ github.workspace }}/packages/**/*.nupkg + + sign: + name: Sign + if: ${{ github.event_name != 'pull_request' }} + timeout-minutes: 15 + needs: build-and-test + runs-on: windows-latest + environment: signing + permissions: + id-token: write + + steps: + - name: Download unsigned packages + uses: actions/download-artifact@v4 + with: + name: unsigned-packages + path: packages + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 8.0.* + + - name: Install code signing tool + run: dotnet tool install --global sign --prerelease + + - name: Azure login + uses: azure/login@v2 + with: + client-id: ${{ 
secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Sign packages + run: >- + sign code azure-key-vault '**/*.nupkg' + --base-directory '${{ github.workspace }}/packages' + --azure-key-vault-managed-identity true + --azure-credential-type 'azure-cli' + --azure-key-vault-url '${{ secrets.AZURE_KEY_VAULT_URL }}' + --azure-key-vault-certificate '${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}' + --publisher-name 'Steeltoe' + --description 'Steeltoe' + --description-url 'https://steeltoe.io/' + + - name: Upload signed packages + uses: actions/upload-artifact@v4 + with: + if-no-files-found: error + name: signed-packages + path: ${{ github.workspace }}/packages/**/*.nupkg + + dev-feed-deploy: + name: Deploy packages to development feed + timeout-minutes: 15 + needs: sign + if: ${{ github.event_name != 'pull_request' }} + environment: azdo + runs-on: ubuntu-latest + permissions: + id-token: write + env: + VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/ + + steps: + - name: Azure login + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Download signed packages + uses: actions/download-artifact@v4 + with: + name: signed-packages + path: packages + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 8.0.x + source-url: ${{ vars.AZURE_ARTIFACTS_FEED_URL }} + env: + NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Install credential provider for Azure Artifacts + run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)" + + - name: Extract access token + run: | + accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv) + echo "::add-mask::$accessToken" + echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV + + - name: Configure authentication 
provider to use Azure DevOps token + run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV + + - name: Push packages to Azure Artifacts + run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --api-key 'azdo-placeholder' --source '${{ vars.AZURE_ARTIFACTS_FEED_URL }}' + + nuget-org-deploy: + name: Deploy packages to nuget.org + needs: sign + if: ${{ github.event_name == 'release' }} + environment: nuget.org + runs-on: ubuntu-latest + + steps: + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 8.0.x + + - name: Download signed packages + uses: actions/download-artifact@v4 + with: + name: signed-packages + path: packages + + - name: Push packages to nuget.org + run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --skip-duplicate --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source 'nuget.org' diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml deleted file mode 100644 index 6c1bc24..0000000 --- a/azure-pipelines.yaml +++ /dev/null 
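Review bot: `run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"` in the dev-feed-deploy job executes whatever the short link currently serves, unpinned and unverified, in a job that a few steps later places an Azure DevOps access token in `$GITHUB_ENV`; the sign job's `dotnet tool install --global sign --prerelease` has the same shape, floating to the newest prerelease of the tool that signs the packages. Both should be pinned — an explicit `--version` for the sign tool, and a fixed release of the credential provider (or a checksum check on the downloaded script) instead of the redirect. Separately, `NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the setup-dotnet step is supplied for an Azure Artifacts `source-url`, where a GitHub token is not a valid credential; if authentication is meant to come from the credential provider via `VSS_NUGET_ACCESSTOKEN`, that `env` block looks redundant and worth removing. The Azure Artifacts push also lacks the `--skip-duplicate` that the nuget.org push has, so a scheduled or re-run job that yields an already-pushed version would presumably fail rather than no-op — confirm against the feed's behaviour. The build-and-test job this hunk starts in begins in the previous hunk.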
@@ -1,61 +0,0 @@
----
-
-trigger:
-- main
-
-variables:
-- name: DOTNET_NOLOGO
- value: true
-- name: DOTNET_CLI_TELEMETRY_OPTOUT
- value: 1
-- group: PackageSigningSecrets
-
-stages:
-- stage: assemble
- displayName: Assemble
- jobs:
- - job: build
- displayName: Build
- pool:
- vmImage: ubuntu-latest
- steps:
- - task: UseDotNet@2
- displayName: 'Ensure .NET 8.0 SDK'
- inputs:
- packageType: sdk
- version: 8.0.x
- - task: UseDotNet@2
- displayName: 'Ensure .NET 6.0 SDK'
- inputs:
- packageType: sdk
- version: 6.0.x
- - task: DotNetCoreCLI@2
- displayName: dotnet restore
- inputs:
- command: restore
- - task: DotNetCoreCLI@2
- displayName: dotnet build
- inputs:
- command: build
- arguments: --no-restore /p:TreatWarningsAsErrors=True
- - task: DotNetCoreCLI@2
- displayName: dotnet test
- inputs:
- command: test
- arguments: --no-build --filter Category=Smoke
- - task: DotNetCoreCLI@2
- displayName: dotnet pack
- inputs:
- command: pack
- packagesToPack: src/Steeltoe.NetCoreTool.Templates.csproj
- arguments: --no-build
- - task: Powershell@2
- displayName: Sign NuGets
- inputs:
- filePath: sign/SignPackages.ps1
- env:
- ArtifactStagingDirectory: $(Build.ArtifactStagingDirectory)
- SignClientUser: $(SignClientUser)
- SignClientSecret: $(SignClientSecret)
- - task: PublishBuildArtifacts@1
- displayName: Publish Build Artifacts
diff --git a/sign/SignPackages.ps1 b/sign/SignPackages.ps1
deleted file mode 100755
index a5bb606..0000000
--- a/sign/SignPackages.ps1
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env pwsh
-
-$baseDir = "$PSScriptRoot/.."
-$toolDir = "$baseDir/tools"
-$artifactStagingDirectory = $Env:ArtifactStagingDirectory
-
-$name = "Steeltoe"
-$description = "Steeltoe"
-$descriptionUrl = "https://github.com/SteeltoeOSS"
-$appSettings = "$baseDir/sign/appsettings.json"
-$signClientUser = $Env:SignClientUser
-$signClientSecret = $Env:SignClientSecret
-
-"installing SignClient"
-New-Item -ItemType Directory -Force -Path "$toolDir"
-dotnet tool install --tool-path "$toolDir" SignClient
-
-"looking for artifacts"
-$artifacts = Get-ChildItem $artifactStagingDirectory/Steeltoe*.*nupkg -recurse | Select-Object -ExpandProperty FullName
-if ($artifacts) {
- foreach ($artifact in $artifacts)
- {
- "signing $artifact"
- & $toolDir/SignClient Sign --input $artifact --config $appSettings --user $signClientUser --secret $signClientSecret --name $name --description $description --descriptionUrl $descriptionUrl
- }
-}
-else
-{
- "no artifacts found"
-}
diff --git a/sign/appsettings.json b/sign/appsettings.json
deleted file mode 100644
index 3276a45..0000000
--- a/sign/appsettings.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "SignClient": {
- "AzureAd": {
- "AADInstance": "https://login.microsoftonline.com/",
- "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
- "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
- },
- "Service": {
- "Url": "https://codesign.dotnetfoundation.org/",
- "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
- }
- }
-}
\ No newline at end of file
diff --git a/sign/filelist.txt b/sign/filelist.txt
deleted file mode 100644
index 8c4ba1e..0000000
--- a/sign/filelist.txt
+++ /dev/null
@@ -1 +0,0 @@
-**/Steeltoe.*
diff --git a/version.json b/version.json
index 0d4c3a1..a572105 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "1.4.0",
+ "version": "1.4.1",
"publicReleaseRefSpec": [
"^refs/heads/release/\\d+\\.\\d+$"
],