Move from Azure DevOps to GitHub Actions

.github/workflows/build.yml

@@ -1,29 +1,39 @@
-name: build-and-test
+name: BuildTestDeploy
 on:
-  pull_request:
-    branches:
-    - main
+  workflow_dispatch:
   push:
     branches:
     - main
-  workflow_dispatch: {}
+    - 'release/*'
+  pull_request:
+  release:
+    types:
+    - published
+  schedule:
+    # Run this workflow at 6 PM UTC every Sunday
+    - cron: "0 18 * * *"
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
   DOTNET_NOLOGO: true
-  DOTNET_CLI_TELEMETRY_OPTOUT: true
 
 jobs:
   build-and-test:
-    timeout-minutes: 60
+    name: Build, Test and Package
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
+
     steps:
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
@@ -32,29 +42,154 @@ jobs:
           6.0.*
           8.0.*
           9.0.*
+
     - name: Git checkout
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+
     - name: Restore tools
-      run: |
-        dotnet tool restore
+      run: dotnet tool restore
+
     - name: Restore packages
-      run: |
-        dotnet restore
-    - name: Build
-      run: |
-        dotnet build --no-restore --configuration Release
+      run: dotnet restore --verbosity minimal
+
+    - name: Build solution
+      run: dotnet build --no-restore --configuration Release --verbosity minimal
+
     - name: Test
-      run: |
-        dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true"
-    - name: Generate packages
+      run: dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true"
+
+    - name: Collect packages
       shell: pwsh
-      run: |
-        dotnet pack src --no-build --configuration Release --output $env:GITHUB_WORKSPACE/artifacts/packages
-    - name: Upload packages to artifacts
-      if: matrix.os == 'ubuntu-latest'
+      run: dotnet pack src --no-build --configuration Release --output ${{ github.workspace }}/packages
+
+    - name: Upload unsigned packages
+      if: ${{ matrix.os == 'ubuntu-latest' }}
       uses: actions/upload-artifact@v4
       with:
-        name: packages
-        path: artifacts/packages
+        if-no-files-found: error
+        name: unsigned-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg
+
+  sign:
+    name: Sign
+    if: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 15
+    needs: build-and-test
+    runs-on: windows-latest
+    environment: signing
+    permissions:
+      id-token: write
+
+    steps:
+    - name: Download unsigned packages
+      uses: actions/download-artifact@v4
+      with:
+        name: unsigned-packages
+        path: packages
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: 8.0.*
+
+    - name: Install code signing tool
+      run: dotnet tool install --global sign --prerelease
+
+    - name: Azure login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Sign packages
+      run: >-
+        sign code azure-key-vault '**/*.nupkg'
+        --base-directory '${{ github.workspace }}/packages'
+        --azure-key-vault-managed-identity true
+        --azure-credential-type 'azure-cli'
+        --azure-key-vault-url '${{ secrets.AZURE_KEY_VAULT_URL }}'
+        --azure-key-vault-certificate '${{ secrets.AZURE_SIGN_CERTIFICATE_ID }}'
+        --publisher-name 'Steeltoe'
+        --description 'Steeltoe'
+        --description-url 'https://steeltoe.io/'
+
+    - name: Upload signed packages
+      uses: actions/upload-artifact@v4
+      with:
+        if-no-files-found: error
+        name: signed-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg
+
+  dev-feed-deploy:
+    name: Deploy packages to development feed
+    timeout-minutes: 15
+    needs: sign
+    if: ${{ github.event_name != 'pull_request' }}
+    environment: azdo
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    env:
+      VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/
+
+    steps:
+    - name: Azure login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: 8.0.x
+        source-url: ${{ vars.AZURE_ARTIFACTS_FEED_URL }}
+      env:
+        NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Install credential provider for Azure Artifacts
+      run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
+
+    - name: Extract access token
+      run: |
+        accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
+        echo "::add-mask::$accessToken"
+        echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV
+
+    - name: Configure authentication provider to use Azure DevOps token
+      run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
+
+    - name: Push packages to Azure Artifacts
+      run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --api-key 'azdo-placeholder' --source '${{ vars.AZURE_ARTIFACTS_FEED_URL }}'
+
+  nuget-org-deploy:
+    name: Deploy packages to nuget.org
+    needs: sign
+    if: ${{ github.event_name == 'release' }}
+    environment: nuget.org
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: 8.0.x
+
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
+
+    - name: Push packages to nuget.org
+      run: dotnet nuget push '${{ github.workspace }}/packages/*.nupkg' --skip-duplicate --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source 'nuget.org'

version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "publicReleaseRefSpec": [
     "^refs/heads/release/\\d+\\.\\d+$"
   ],