From 7e5e017ff1b26f8e33740b5a334dd332b75daf14 Mon Sep 17 00:00:00 2001 From: Tim Hess Date: Tue, 15 Jul 2025 14:08:47 -0500 Subject: [PATCH 1/9] Move from Azure DevOps to GitHub Actions --- .github/workflows/build.yml | 147 ++++++++++++++++++++++++++++++++---- azure-pipelines.yaml | 61 --------------- sign/SignPackages.ps1 | 30 -------- sign/appsettings.json | 13 ---- sign/filelist.txt | 1 - 5 files changed, 133 insertions(+), 119 deletions(-) delete mode 100644 azure-pipelines.yaml delete mode 100755 sign/SignPackages.ps1 delete mode 100644 sign/appsettings.json delete mode 100644 sign/filelist.txt diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 223850f..98bc2ef 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,6 +6,8 @@ on: push: branches: - main + release: + types: [ published ] workflow_dispatch: {} concurrency: @@ -13,17 +15,19 @@ concurrency: cancel-in-progress: true env: + AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json + DOTNET_CLI_TELEMETRY_OPTOUT: 1 DOTNET_NOLOGO: true - DOTNET_CLI_TELEMETRY_OPTOUT: true jobs: build-and-test: - timeout-minutes: 60 + timeout-minutes: 20 strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] runs-on: ${{ matrix.os }} + steps: - name: Setup .NET uses: actions/setup-dotnet@v4 
@@ -32,29 +36,144 @@ jobs: 6.0.* 8.0.* 9.0.* + - name: Git checkout uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Restore tools - run: | - dotnet tool restore + run: dotnet tool restore + - name: Restore packages - run: | - dotnet restore + run: dotnet restore + - name: Build - run: | - dotnet build --no-restore --configuration Release + run: dotnet build --no-restore --configuration Release + - name: Test - run: | - dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true" + run: dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true" + - name: Generate packages shell: pwsh - run: | - dotnet pack src --no-build --configuration Release --output $env:GITHUB_WORKSPACE/artifacts/packages + run: dotnet pack src --no-build --configuration Release --output ${{ github.workspace }}/packages + - name: Upload packages to artifacts if: matrix.os == 'ubuntu-latest' uses: actions/upload-artifact@v4 with: - name: packages - path: artifacts/packages + if-no-files-found: error + name: unsigned-packages + path: ${{ github.workspace }}/packages/**/*.nupkg + + sign: + needs: build-and-test + runs-on: windows-latest + if: github.event_name != 'pull_request' + environment: signing + permissions: + id-token: write + + steps: + - name: Download packages + uses: actions/download-artifact@v4 + with: + name: unsigned-packages + path: packages + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 8.0.* + + - name: Install code signing tool + run: dotnet tool install --global sign --prerelease + + - name: Az CLI login + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Sign packages + shell: pwsh + run: >- + sign code azure-key-vault "**/*.nupkg" 
+ --base-directory "${{ github.workspace }}" + --azure-key-vault-managed-identity true + --azure-credential-type "azure-cli" + --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}" + --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}" + --description "Steeltoe" + + - name: Upload signed packages + uses: actions/upload-artifact@v4 + with: + name: signed-packages + path: ${{ github.workspace }}/packages/**/*.nupkg + + az-artifacts-deploy: + name: Deploy packages to Dev Feed + needs: [build-and-test, sign] + if: github.event_name != 'pull_request' + environment: azdo + runs-on: ubuntu-latest + permissions: + id-token: write + + steps: + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: '8.0.x' + + - name: Download signed packages + uses: actions/download-artifact@v4 + with: + name: signed-packages + path: packages + + - name: Azure CLI Login + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Install credential provider for Azure Artifacts + run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)" + + - name: Extract access token + run: | + accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv) + echo "::add-mask::$accessToken" + echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV + + - name: Configure authentication provider to use Azure DevOps token + run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV + + - name: Push packages to Azure Artifacts + run: dotnet nuget push packages/*.nupkg --api-key azdo-placeholder --source ${{ env.AZURE_ARTIFACTS_FEED_URL }} + + nuget-org-deploy: + name: Deploy to nuget.org + needs: [build-and-test, sign] + if: github.event_name == 'release' + environment: nuget.org + runs-on: ubuntu-latest + + steps: + - name: Setup .NET + uses: 
actions/setup-dotnet@v4 + with: + dotnet-version: '8.0.x' + + - name: Download signed packages + uses: actions/download-artifact@v4 + with: + name: signed-packages + path: packages + + - name: Push packages to nuget.org + run: dotnet nuget push packages/*.nupkg --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml deleted file mode 100644 index 6c1bc24..0000000 --- a/azure-pipelines.yaml +++ /dev/null @@ -1,61 +0,0 @@ ---- - -trigger: -- main - -variables: -- name: DOTNET_NOLOGO - value: true -- name: DOTNET_CLI_TELEMETRY_OPTOUT - value: 1 -- group: PackageSigningSecrets - -stages: -- stage: assemble - displayName: Assemble - jobs: - - job: build - displayName: Build - pool: - vmImage: ubuntu-latest - steps: - - task: UseDotNet@2 - displayName: 'Ensure .NET 8.0 SDK' - inputs: - packageType: sdk - version: 8.0.x - - task: UseDotNet@2 - displayName: 'Ensure .NET 6.0 SDK' - inputs: - packageType: sdk - version: 6.0.x - - task: DotNetCoreCLI@2 - displayName: dotnet restore - inputs: - command: restore - - task: DotNetCoreCLI@2 - displayName: dotnet build - inputs: - command: build - arguments: --no-restore /p:TreatWarningsAsErrors=True - - task: DotNetCoreCLI@2 - displayName: dotnet test - inputs: - command: test - arguments: --no-build --filter Category=Smoke - - task: DotNetCoreCLI@2 - displayName: dotnet pack - inputs: - command: pack - packagesToPack: src/Steeltoe.NetCoreTool.Templates.csproj - arguments: --no-build - - task: Powershell@2 - displayName: Sign NuGets - inputs: - filePath: sign/SignPackages.ps1 - env: - ArtifactStagingDirectory: $(Build.ArtifactStagingDirectory) - SignClientUser: $(SignClientUser) - SignClientSecret: $(SignClientSecret) - - task: PublishBuildArtifacts@1 - displayName: Publish Build Artifacts diff --git a/sign/SignPackages.ps1 b/sign/SignPackages.ps1 deleted file mode 100755 index a5bb606..0000000 --- a/sign/SignPackages.ps1 +++ /dev/null 
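Review bot: The new `sign` and `az-artifacts-deploy` jobs pull their tooling from unpinned sources: `dotnet tool install --global sign --prerelease` takes whatever prerelease of the signing tool is current, and `sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"` executes a remote script with no version pin or checksum. Both jobs hold OIDC credentials to the signing key vault and the package feed, so a changed upstream artifact lands directly in the signing path; pin the tool, e.g. `run: dotnet tool install --global sign --version <PINNED_VERSION>`, and fetch the credential-provider installer at a fixed release and verify it before executing. The third-party `azure/login@v2` used in both jobs could likewise be pinned to a full commit SHA, as is usual for actions in publishing jobs.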
@@ -1,30 +0,0 @@ -#!/usr/bin/env pwsh - -$baseDir = "$PSScriptRoot/.." -$toolDir = "$baseDir/tools" -$artifactStagingDirectory = $Env:ArtifactStagingDirectory - -$name = "Steeltoe" -$description = "Steeltoe" -$descriptionUrl = "https://github.com/SteeltoeOSS" -$appSettings = "$baseDir/sign/appsettings.json" -$signClientUser = $Env:SignClientUser -$signClientSecret = $Env:SignClientSecret - -"installing SignClient" -New-Item -ItemType Directory -Force -Path "$toolDir" -dotnet tool install --tool-path "$toolDir" SignClient - -"looking for artifacts" -$artifacts = Get-ChildItem $artifactStagingDirectory/Steeltoe*.*nupkg -recurse | Select-Object -ExpandProperty FullName -if ($artifacts) { - foreach ($artifact in $artifacts) - { - "signing $artifact" - & $toolDir/SignClient Sign --input $artifact --config $appSettings --user $signClientUser --secret $signClientSecret --name $name --description $description --descriptionUrl $descriptionUrl - } -} -else -{ - "no artifacts found" -} diff --git a/sign/appsettings.json b/sign/appsettings.json deleted file mode 100644 index 3276a45..0000000 --- a/sign/appsettings.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "SignClient": { - "AzureAd": { - "AADInstance": "https://login.microsoftonline.com/", - "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8", - "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e" - }, - "Service": { - "Url": "https://codesign.dotnetfoundation.org/", - "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001" - } - } -} \ No newline at end of file diff --git a/sign/filelist.txt b/sign/filelist.txt deleted file mode 100644 index 8c4ba1e..0000000 --- a/sign/filelist.txt +++ /dev/null @@ -1 +0,0 @@ -**/Steeltoe.* From 08d09b37c0c5cdcaab66942fd2ff719522fdfaa7 Mon Sep 17 00:00:00 2001 From: Tim Hess Date: Tue, 15 Jul 2025 15:36:51 -0500 Subject: [PATCH 2/9] bump template version --- version.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/version.json b/version.json
index 0d4c3a1..a572105 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "1.4.0",
+ "version": "1.4.1",
 "publicReleaseRefSpec": [
 "^refs/heads/release/\\d+\\.\\d+$"
 ],
From 28d3ffad4fcec26498deb932d59b5383bf7523ea Mon Sep 17 00:00:00 2001
From: Tim Hess
Date: Tue, 15 Jul 2025 16:02:55 -0500
Subject: [PATCH 3/9] follow docs more closely
---
 .github/workflows/build.yml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 98bc2ef..e9f42dd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,6 +16,7 @@ concurrency:
 env:
 AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json
+ VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/
 DOTNET_CLI_TELEMETRY_OPTOUT: 1
 DOTNET_NOLOGO: true
@@ -123,10 +124,16 @@ jobs:
 id-token: write
 steps:
- - name: Setup .NET
- uses: actions/setup-dotnet@v4
+ - uses: actions/checkout@v4
 with:
- dotnet-version: '8.0.x'
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Azure CLI Login
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Download signed packages
 uses: actions/download-artifact@v4
@@ -134,12 +141,13 @@ jobs: name: signed-packages path: packages - - name: Azure CLI Login - uses: azure/login@v2 + - name: Setup .NET + uses: actions/setup-dotnet@v4 with: - client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + dotnet-version: '8.0.x' + source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }} + env: + NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} - name: Install credential provider for Azure Artifacts run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)" From 692117abe93bd4aab744a0a2020a96b27f89bcf8 Mon Sep 17 00:00:00 2001 From: Tim Hess Date: Wed, 16 Jul 2025 08:42:54 -0500 Subject: [PATCH 4/9] Apply suggestions from code review Co-authored-by: Bart Koelman <104792814+bart-vmware@users.noreply.github.com> --- .github/workflows/build.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e9f42dd..1a97f8a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,7 +11,7 @@ on: workflow_dispatch: {} concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: @@ -47,15 +47,15 @@ jobs: run: dotnet tool restore - name: Restore packages - run: dotnet restore + run: dotnet restore --verbosity minimal - - name: Build - run: dotnet build --no-restore --configuration Release + - name: Build solution + run: dotnet build --no-restore --configuration Release --verbosity minimal - name: Test run: dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true" - - name: Generate packages + - name: Collect packages shell: pwsh run: dotnet pack src --no-build --configuration Release --output ${{ github.workspace }}/packages 
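Review bot: The `Setup .NET` step now passes `source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }}` together with `NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}`, which makes setup-dotnet write a NuGet.config credential for the Azure Artifacts feed using the GitHub token, while the steps that follow authenticate the same feed through the credential provider with an `az` access token in `VSS_NUGET_ACCESSTOKEN`. As far as I can tell the GitHub token is not a credential Azure DevOps accepts, so the job ends up with two authentication paths for one feed and a 401 on push would be hard to attribute. If the credential provider is the intended path, drop `source-url` and the `env:` / `NUGET_AUTH_TOKEN` lines from this step; the `source-url` recipe is the one for GitHub Packages, not for Azure Artifacts.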
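Review bot: With `group: ${{ github.workflow }}-${{ github.ref }}` and the existing `cancel-in-progress: true`, a second push to `main` cancels the earlier push's run on the same ref even when that run has already reached the `sign` or `az-artifacts-deploy` job, and cancelling mid `dotnet nuget push` can leave a partially published package set. Cancellation is only useful for pull requests here, so consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` (the key accepts an expression), or include `${{ github.event_name }}` in the group key so deploying runs are never cancelled by a later build.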
@@ -114,7 +114,7 @@ jobs: name: signed-packages path: ${{ github.workspace }}/packages/**/*.nupkg - az-artifacts-deploy: + azdo-artifacts-deploy: name: Deploy packages to Dev Feed needs: [build-and-test, sign] if: github.event_name != 'pull_request' @@ -144,7 +144,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v4 with: - dotnet-version: '8.0.x' + dotnet-version: 8.0.x source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }} env: NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} @@ -175,7 +175,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v4 with: - dotnet-version: '8.0.x' + dotnet-version: 8.0.x - name: Download signed packages uses: actions/download-artifact@v4 From 6f131043ab165975f4881ba672ddc8b471dae54b Mon Sep 17 00:00:00 2001 From: Tim Hess Date: Wed, 16 Jul 2025 08:54:28 -0500 Subject: [PATCH 5/9] pr feedback --- .github/workflows/build.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1a97f8a..54cc88b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,6 @@ name: build-and-test on: + workflow_dispatch: pull_request: branches: - main @@ -8,12 +9,14 @@ on: - main release: types: [ published ] - workflow_dispatch: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + env: AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/ @@ -40,8 +43,6 @@ jobs: - name: Git checkout uses: actions/checkout@v4 - with: - fetch-depth: 0 - name: Restore tools run: dotnet tool restore @@ -70,7 +71,7 @@ jobs: sign: needs: build-and-test runs-on: windows-latest - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' }} environment: signing permissions: id-token: write 
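Review bot: The new workflow-level `permissions: contents: read` is the right default, but a job-level `permissions:` block replaces it rather than extending it, so `sign` and `az-artifacts-deploy`, which declare only `id-token: write`, run with no `contents` permission at all. The `actions/checkout@v4` step the deploy job acquired in patch 3 then runs with a token lacking read access, which likely only works while the repository is public; either add `contents: read` next to `id-token: write` in those jobs or drop that checkout, which no later step in the job appears to use. `nuget-org-deploy` declares no block and correctly inherits the read-only default.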
@@ -117,7 +118,7 @@ jobs:
 azdo-artifacts-deploy:
 name: Deploy packages to Dev Feed
 needs: [build-and-test, sign]
- if: github.event_name != 'pull_request'
+ if: ${{ github.event_name != 'pull_request' }}
 environment: azdo
 runs-on: ubuntu-latest
 permissions:
@@ -167,7 +168,7 @@ jobs:
 nuget-org-deploy:
 name: Deploy to nuget.org
 needs: [build-and-test, sign]
- if: github.event_name == 'release'
+ if: ${{ github.event_name == 'release' }}
 environment: nuget.org
 runs-on: ubuntu-latest
From 5b6c21fbc910764d949028a137869f30d918afeb Mon Sep 17 00:00:00 2001
From: Tim Hess
Date: Wed, 16 Jul 2025 09:13:50 -0500
Subject: [PATCH 6/9] restore fetch-depth
---
 .github/workflows/build.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 54cc88b..85918e6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,7 +43,8 @@ jobs:
 - name: Git checkout
 uses: actions/checkout@v4
-
+ with:
+ fetch-depth: 0
 - name: Restore tools
 run: dotnet tool restore
@@ -146,7 +147,7 @@ jobs:
 uses: actions/setup-dotnet@v4
 with:
 dotnet-version: 8.0.x
- source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }}
+ source-url: ${{ vars.AZURE_ARTIFACTS_FEED_URL }}
 env:
 NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
From a82f2e2007a3fd5995d61fb6a2f0b76fa09979f5 Mon Sep 17 00:00:00 2001
From: Tim Hess
Date: Wed, 16 Jul 2025 10:14:22 -0500
Subject: [PATCH 7/9] secret name updates
---
 .github/workflows/build.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 85918e6..c95ac58 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
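Review bot: `source-url` now reads `vars.AZURE_ARTIFACTS_FEED_URL`, but the `Push packages to Azure Artifacts` step in the same job (outside this hunk) still pushes to `${{ env.AZURE_ARTIFACTS_FEED_URL }}`, and the workflow `env:` block still defines that value. If the repository variable ever diverges from the hard-coded env value, setup-dotnet configures one feed and the push targets another, with nothing in the run flagging the mismatch. Keep a single source of truth: switch the push to `--source ${{ vars.AZURE_ARTIFACTS_FEED_URL }}` and remove `AZURE_ARTIFACTS_FEED_URL` from `env:`.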
@@ -95,8 +95,8 @@ jobs:
 - name: Az CLI login
 uses: azure/login@v2
 with:
- client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Sign packages
@@ -107,7 +107,7 @@ jobs:
 --azure-key-vault-managed-identity true
 --azure-credential-type "azure-cli"
 --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
- --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
+ --azure-key-vault-certificate "${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}"
 --description "Steeltoe"
 - name: Upload signed packages
@@ -133,8 +133,8 @@ jobs:
 - name: Azure CLI Login
 uses: azure/login@v2
 with:
- client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Download signed packages
From 7dfe331048b121556d1dfbf781b10042c2923817 Mon Sep 17 00:00:00 2001
From: Tim Hess
Date: Wed, 16 Jul 2025 13:36:00 -0500
Subject: [PATCH 8/9] Run this workflow at 6 PM UTC every Sunday
---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c95ac58..cecad88 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,9 @@ on:
 - main
 release:
 types: [ published ]
+ schedule:
+ # Run this workflow at 6 PM UTC every Sunday
+ - cron: "0 18 * * *"
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
From 8106c5ddb29818e6719af36e1c97f6d99fcda8e0 Mon Sep 17 00:00:00 2001
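Review bot: The new schedule does not match its comment: `"0 18 * * *"` fires at 18:00 UTC every day, because the day-of-week field is `*`; Sunday-only is `- cron: "0 18 * * 0"`. Since `sign` and `azdo-artifacts-deploy` only skip on `pull_request`, every scheduled run also signs and pushes packages to the dev feed, so the daily cadence means seven signed publishes a week instead of one. Whichever cadence is intended, make the comment and the expression agree.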
From: Bart Koelman <104792814+bart-vmware@users.noreply.github.com> Date: Thu, 17 Jul 2025 13:04:07 +0200 Subject: [PATCH 9/9] Sync up with changes in Steeltoe workflow --- .github/workflows/build.yml | 73 +++++++++++++++++++------------------ 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cecad88..85f4919 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,14 +1,14 @@ -name: build-and-test +name: BuildTestDeploy on: workflow_dispatch: - pull_request: - branches: - - main push: branches: - main + - 'release/*' + pull_request: release: - types: [ published ] + types: + - published schedule: # Run this workflow at 6 PM UTC every Sunday - cron: "0 18 * * *" @@ -21,13 +21,12 @@ permissions: contents: read env: - AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json - VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/ DOTNET_CLI_TELEMETRY_OPTOUT: 1 DOTNET_NOLOGO: true jobs: build-and-test: + name: Build, Test and Package timeout-minutes: 20 strategy: fail-fast: false @@ -48,6 +47,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Restore tools run: dotnet tool restore @@ -64,8 +64,8 @@ jobs: shell: pwsh run: dotnet pack src --no-build --configuration Release --output ${{ github.workspace }}/packages - - name: Upload packages to artifacts - if: matrix.os == 'ubuntu-latest' + - name: Upload unsigned packages + if: ${{ matrix.os == 'ubuntu-latest' }} uses: actions/upload-artifact@v4 with: if-no-files-found: error 
@@ -73,15 +73,17 @@ jobs: path: ${{ github.workspace }}/packages/**/*.nupkg sign: + name: Sign + if: ${{ github.event_name != 'pull_request' }} + timeout-minutes: 15 needs: build-and-test runs-on: windows-latest - if: ${{ github.event_name != 'pull_request' }} environment: signing permissions: id-token: write steps: - - name: Download packages + - name: Download unsigned packages uses: actions/download-artifact@v4 with: name: unsigned-packages @@ -95,7 +97,7 @@ jobs: - name: Install code signing tool run: dotnet tool install --global sign --prerelease - - name: Az CLI login + - name: Azure login uses: azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} 
@@ -103,37 +105,38 @@ jobs: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Sign packages - shell: pwsh run: >- - sign code azure-key-vault "**/*.nupkg" - --base-directory "${{ github.workspace }}" + sign code azure-key-vault '**/*.nupkg' + --base-directory '${{ github.workspace }}/packages' --azure-key-vault-managed-identity true - --azure-credential-type "azure-cli" - --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}" - --azure-key-vault-certificate "${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}" - --description "Steeltoe" + --azure-credential-type 'azure-cli' + --azure-key-vault-url '${{ secrets.AZURE_KEY_VAULT_URL }}' + --azure-key-vault-certificate '${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}' + --publisher-name 'Steeltoe' + --description 'Steeltoe' + --description-url 'https://steeltoe.io/' - name: Upload signed packages uses: actions/upload-artifact@v4 with: + if-no-files-found: error name: signed-packages path: ${{ github.workspace }}/packages/**/*.nupkg - azdo-artifacts-deploy: - name: Deploy packages to Dev Feed - needs: [build-and-test, sign] + dev-feed-deploy: + name: Deploy packages to development feed + timeout-minutes: 15 + needs: sign if: ${{ github.event_name != 'pull_request' }} environment: azdo runs-on: ubuntu-latest permissions: id-token: write + env: + VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/ steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Azure CLI Login + - name: Azure login uses: azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} 
@@ -152,26 +155,26 @@ jobs: dotnet-version: 8.0.x source-url: ${{ vars.AZURE_ARTIFACTS_FEED_URL }} env: - NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} + NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install credential provider for Azure Artifacts run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)" - name: Extract access token run: | - accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv) - echo "::add-mask::$accessToken" - echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV + accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv) + echo "::add-mask::$accessToken" + echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV - name: Configure authentication provider to use Azure DevOps token run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV - name: Push packages to Azure Artifacts - run: dotnet nuget push packages/*.nupkg --api-key azdo-placeholder --source ${{ env.AZURE_ARTIFACTS_FEED_URL }} + run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --api-key 'azdo-placeholder' --source '${{ vars.AZURE_ARTIFACTS_FEED_URL }}' nuget-org-deploy: - name: Deploy to nuget.org - needs: [build-and-test, sign] + name: Deploy packages to nuget.org + needs: sign if: ${{ github.event_name == 'release' }} environment: nuget.org runs-on: ubuntu-latest @@ -189,4 +192,4 @@ jobs: path: packages - name: Push packages to nuget.org - run: dotnet nuget push packages/*.nupkg --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json + run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --skip-duplicate --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source 'nuget.org'
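Review bot: The re-indented `Extract access token` step still writes the Azure DevOps access token into `$GITHUB_ENV` as `ACCESS_TOKEN` and the next step copies it into `VSS_NUGET_ACCESSTOKEN`; the intermediate variable is read by nothing else and is one more copy of a bearer token in every subsequent step's environment. Writing `echo "VSS_NUGET_ACCESSTOKEN=$accessToken" >> $GITHUB_ENV` directly in the first step and deleting the `Configure authentication provider` step removes it. A comment on the `--resource 499b84ac-1321-427f-aa17-267ca6975798` line saying this is the Azure DevOps resource ID the token is minted for would help the next reader, since the GUID is otherwise opaque. The final `--source 'nuget.org'` relies on the runner's default NuGet.Config defining that source name, where the explicit URL it replaces was self-describing; worth a comment if the short name is kept.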