Move from Azure DevOps to GitHub Actions

.github/workflows/build.yml

@@ -6,24 +6,29 @@ on:
   push:
     branches:
     - main
+  release:
+    types: [ published ]
   workflow_dispatch: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 env:
+  AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json
+  VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
   DOTNET_NOLOGO: true
-  DOTNET_CLI_TELEMETRY_OPTOUT: true
 
 jobs:
   build-and-test:
-    timeout-minutes: 60
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
+
     steps:
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
@@ -32,29 +37,151 @@ jobs:
           6.0.*
           8.0.*
           9.0.*
+
     - name: Git checkout
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+
     - name: Restore tools
-      run: |
-        dotnet tool restore
+      run: dotnet tool restore
+
     - name: Restore packages
-      run: |
-        dotnet restore
+      run: dotnet restore
+
     - name: Build
-      run: |
-        dotnet build --no-restore --configuration Release
+      run: dotnet build --no-restore --configuration Release
+
     - name: Test
-      run: |
-        dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true"
+      run: dotnet test --no-build --configuration Release --collect:"XPlat Code Coverage" --logger "GitHubActions;summary.includeSkippedTests=true"
+
     - name: Generate packages
       shell: pwsh
-      run: |
-        dotnet pack src --no-build --configuration Release --output $env:GITHUB_WORKSPACE/artifacts/packages
+      run: dotnet pack src --no-build --configuration Release --output ${{ github.workspace }}/packages
+
     - name: Upload packages to artifacts
       if: matrix.os == 'ubuntu-latest'
       uses: actions/upload-artifact@v4
       with:
-        name: packages
-        path: artifacts/packages
+        if-no-files-found: error
+        name: unsigned-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg
+
+  sign:
+    needs: build-and-test
+    runs-on: windows-latest
+    if: github.event_name != 'pull_request'
+    environment: signing
+    permissions:
+      id-token: write
+
+    steps:
+    - name: Download packages
+      uses: actions/download-artifact@v4
+      with:
+        name: unsigned-packages
+        path: packages
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: 8.0.*
+
+    - name: Install code signing tool
+      run: dotnet tool install --global sign --prerelease
+
+    - name: Az CLI login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Sign packages
+      shell: pwsh
+      run: >-
+        sign code azure-key-vault "**/*.nupkg"
+        --base-directory "${{ github.workspace }}"
+        --azure-key-vault-managed-identity true
+        --azure-credential-type "azure-cli"
+        --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
+        --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
+        --description "Steeltoe"
+
+    - name: Upload signed packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: signed-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg
+
+  az-artifacts-deploy:
+    name: Deploy packages to Dev Feed
+    needs: [build-and-test, sign]
+    if: github.event_name != 'pull_request'
+    environment: azdo
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Azure CLI Login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '8.0.x'
+        source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }}
+      env:
+        NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+    - name: Install credential provider for Azure Artifacts
+      run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
+
+    - name: Extract access token
+      run: |
+          accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
+          echo "::add-mask::$accessToken"
+          echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV
+
+    - name: Configure authentication provider to use Azure DevOps token
+      run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
+
+    - name: Push packages to Azure Artifacts
+      run: dotnet nuget push packages/*.nupkg --api-key azdo-placeholder --source ${{ env.AZURE_ARTIFACTS_FEED_URL }}
+
+  nuget-org-deploy:
+    name: Deploy to nuget.org
+    needs: [build-and-test, sign]
+    if: github.event_name == 'release'
+    environment: nuget.org
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '8.0.x'
+
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
+
+    - name: Push packages to nuget.org
+      run: dotnet nuget push packages/*.nupkg --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json

version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "publicReleaseRefSpec": [
     "^refs/heads/release/\\d+\\.\\d+$"
   ],