Add GitHub Actions workflow for NuGet packaging

.github/workflows/package.yml

@@ -1,23 +1,184 @@
 name: Package
 
 on:
-  workflow_dispatch:
+  workflow_dispatch: {}
   push:
     branches:
     - main
     - '[0-9]+.x'
     - 'release/*'
-  pull_request:
+  release:
+    types: [ published ]
+  pull_request: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
+env:
+  AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json
+  VSS_NUGET_URI_PREFIXES: https://pkgs.dev.azure.com/dotnet/
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  DOTNET_NOLOGO: true
+  SOLUTION_FILE: 'src/Steeltoe.All.sln'
+
 jobs:
-  empty:
-    name: Empty job
+  build:
+    name: Build
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.*
+          9.0.*
+
+    - name: Git checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Restore packages
+      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal
+
+    - name: Set package version
+      run: nbgv cloud
+
+    - name: Build solution
+      run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
+
+    - name: Collect packages
+      run: dotnet pack ${{ env.SOLUTION_FILE }} --no-build --configuration Release --output ${{ github.workspace }}/packages
+
+    - name: Upload packages
+      uses: actions/upload-artifact@v4
+      with:
+        if-no-files-found: error
+        name: unsigned-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg
+
+  sign:
+    needs: build
+    runs-on: windows-latest
+    if: github.event_name != 'pull_request'
+    environment: signing
+    permissions:
+      id-token: write
+
+    steps:
+    - name: Download packages
+      uses: actions/download-artifact@v4
+      with:
+        name: unsigned-packages
+        path: packages
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.*
+          9.0.*
+
+    - name: Install code signing tool
+      run: dotnet tool install --global sign --prerelease
+
+    - name: Az CLI login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Sign packages
+      shell: pwsh
+      run: >-
+        sign code azure-key-vault "**/*.nupkg"
+        --base-directory "${{ github.workspace }}"
+        --azure-key-vault-managed-identity true
+        --azure-credential-type "azure-cli"
+        --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
+        --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
+        --description "Steeltoe"
+
+    - name: Upload signed packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: signed-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg
+
+  az-artifacts-deploy:
+    name: Deploy packages to Dev Feed
+    needs: [build, sign]
+    if: github.event_name != 'pull_request'
+    environment: azdo
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Azure CLI Login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
 
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '8.0.x'
+        source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }}
+      env:
+        NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+    - name: Install credential provider for Azure Artifacts
+      run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
+
+    - name: Extract access token
+      run: |
+          accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
+          echo "::add-mask::$accessToken"
+          echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV
+
+    - name: Configure authentication provider to use Azure DevOps token
+      run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
+
+    - name: Push packages to Azure Artifacts
+      run: dotnet nuget push packages/*.nupkg --api-key azdo-placeholder --source ${{ env.AZURE_ARTIFACTS_FEED_URL }}
+
+  nuget-org-deploy:
+    name: Deploy to nuget.org
+    needs: [build, sign]
+    if: github.event_name == 'release'
+    environment: nuget.org
+    runs-on: ubuntu-latest
     steps:
-    - name: Empty step
-      run: echo "Packaging using GitHub Actions is not yet implemented."
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '8.0.x'
+
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
+
+    - name: Push packages to nuget.org
+      run: dotnet nuget push packages/*.nupkg --api-key ${{ secrets.STEELTOE_NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json

.github/workflows/sign-only.yml

@@ -0,0 +1,71 @@
+name: Sign-only
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+    - '[0-9]+.x'
+    - 'release/*'
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+#  pull-requests: write
+
+env:
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  DOTNET_NOLOGO: true
+  SOLUTION_FILE: 'src/Steeltoe.All.sln'
+
+jobs:
+  sign:
+    runs-on: windows-latest
+    permissions:
+      id-token: write
+
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Rename file
+      shell: cmd
+      run: ren ${{ github.workspace }}\Steeltoe.Common.4.0.633-beta-ge14e7a3419.nupkg1 Steeltoe.Common.4.0.633-beta-ge14e7a3419.nupkg
+
+    - name: List packages
+      shell: pwsh
+      run: ls ${{ github.workspace }} -Recurse -Filter *.nupkg
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.*
+          9.0.*
+
+    - name: Install code signing tool
+      run: dotnet tool install --global sign --prerelease
+
+    - name: Sign packages
+      shell: pwsh
+      run: >-
+        sign code azure-key-vault "**/*.nupkg"
+        --base-directory "${{ github.workspace }}"
+        --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
+        --azure-key-vault-tenant-id "${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}"
+        --azure-key-vault-client-id "${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}"
+        --azure-key-vault-client-secret "${{ secrets.AZURE_KEY_VAULT_CLIENT_SECRET }}"
+        --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
+        --description "Steeltoe"
+
+    - name: "TEMP: Upload signed packages"
+      uses: actions/upload-artifact@v4
+      with:
+        name: signed-packages
+        path: ${{ github.workspace }}/packages/**/*.nupkg