@@ -430,6 +430,188 @@ jobs:
430430 name : linux-sign
431431 path : |
432432 signed
433+
434+ # ================================
435+ # .NET Tool
436+ # ================================
437+ dotnet-tool-build :
438+ name : Build .NET tool
439+ runs-on : ubuntu-latest
440+ steps :
441+ - uses : actions/checkout@v3
442+ with :
443+ fetch-depth : 0 # Indicate full history so Nerdbank.GitVersioning works.
444+
445+ - name : Setup .NET
446+ 447+ with :
448+ dotnet-version : 6.0.201
449+
450+ - uses : dotnet/nbgv@master
451+ with :
452+ setCommonVars : true
453+
454+ - name : Build .NET tool
455+ run : |
456+ src/shared/DotnetTool/layout.sh --configuration=Release
457+
458+ name : Upload .NET tool artifacts
459+ uses : actions/upload-artifact@v3
460+ with :
461+ name : tmp.dotnet-tool-build
462+ path : |
463+ out/shared/DotnetTool/nupkg/Release
464+
465+ dotnet-tool-payload-sign :
466+ name : Sign .NET tool payload
467+ # ESRP service requires signing to run on Windows
468+ runs-on : windows-latest
469+ needs : dotnet-tool-build
470+ steps :
471+ - name : Check out repository
472+ uses : actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
473+
474+ - name : Download payload
475+ uses : actions/download-artifact@v3
476+ with :
477+ name : tmp.dotnet-tool-build
478+
479+ - name : Zip unsigned payload
480+ shell : pwsh
481+ run : |
482+ Compress-Archive -Path payload payload/payload.zip
483+ cd payload
484+ Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
485+
486+ - uses : azure/login@v1
487+ with :
488+ creds : ${{ secrets.AZURE_CREDENTIALS }}
489+
490+ - name : Set up ESRP client
491+ shell : pwsh
492+ env :
493+ AZURE_VAULT : ${{ secrets.AZURE_VAULT }}
494+ AUTH_CERT : ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
495+ REQUEST_SIGNING_CERT : ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
496+ run : |
497+ .github\set_up_esrp.ps1
498+
499+ - name : Run ESRP client
500+ shell : pwsh
501+ env :
502+ AZURE_AAD_ID : ${{ secrets.AZURE_AAD_ID }}
503+ NUGET_KEY_CODE : ${{ secrets.NUGET_KEY_CODE }}
504+ NUGET_OPERATION_CODE : ${{ secrets.NUGET_OPERATION_CODE }}
505+ run : |
506+ python .github\run_esrp_signing.py payload `
507+ $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
508+
509+ - name : Lay out signed payload, images, and symbols
510+ shell : bash
511+ run : |
512+ mkdir dotnet-tool-payload-sign
513+ rm -rf payload
514+ mv images payload.sym -t dotnet-tool-payload-sign
515+ unzip signed/payload.zip -d dotnet-tool-payload-sign
516+
517+ name : Upload signed payload
518+ uses : actions/upload-artifact@v3
519+ with :
520+ name : dotnet-tool-payload-sign
521+ path : |
522+ dotnet-tool-payload-sign
523+
524+ dotnet-tool-pack :
525+ name : Package .NET tool
526+ runs-on : ubuntu-latest
527+ needs : dotnet-tool-payload-sign
528+ steps :
529+ - uses : actions/checkout@v3
530+ with :
531+ fetch-depth : 0 # Indicate full history so Nerdbank.GitVersioning works.
532+
533+ - name : Download signed payload
534+ uses : actions/download-artifact@v3
535+ with :
536+ name : dotnet-tool-payload-sign
537+ path : signed
538+
539+ - name : Setup .NET
540+ 541+ with :
542+ dotnet-version : 6.0.201
543+
544+ - uses : dotnet/nbgv@master
545+ with :
546+ setCommonVars : true
547+
548+ - name : Package tool
549+ run : |
550+ src/shared/DotnetTool/pack.sh --configuration=Release \
551+ --version=$GitBuildVersionSimple --publish-dir=$(pwd)/signed
552+
553+ name : Upload unsigned package
554+ uses : actions/upload-artifact@v3
555+ with :
556+ name : tmp.dotnet-tool-package-unsigned
557+ path : |
558+ out/shared/DotnetTool/nupkg/Release/*.nupkg
559+
560+ dotnet-tool-sign :
561+ name : Sign .NET tool package
562+ # ESRP service requires signing to run on Windows
563+ runs-on : windows-latest
564+ needs : dotnet-tool-pack
565+ steps :
566+ - name : Check out repository
567+ uses : actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
568+
569+ - name : Download unsigned package
570+ uses : actions/download-artifact@v3
571+ with :
572+ name : tmp.dotnet-tool-package-unsigned
573+ path : nupkg
574+
575+ - name : Zip unsigned package
576+ shell : pwsh
577+ run : |
578+ Compress-Archive -Path nupkg/*.nupkg nupkg/gcm-nupkg.zip
579+ cd nupkg
580+ Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
581+
582+ - uses : azure/login@v1
583+ with :
584+ creds : ${{ secrets.AZURE_CREDENTIALS }}
585+
586+ - name : Set up ESRP client
587+ shell : pwsh
588+ env :
589+ AZURE_VAULT : ${{ secrets.AZURE_VAULT }}
590+ AUTH_CERT : ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
591+ REQUEST_SIGNING_CERT : ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
592+ run : |
593+ .github\set_up_esrp.ps1
594+
595+ - name : Sign package
596+ shell : pwsh
597+ env :
598+ AZURE_AAD_ID : ${{ secrets.AZURE_AAD_ID }}
599+ NUGET_KEY_CODE : ${{ secrets.NUGET_KEY_CODE }}
600+ NUGET_OPERATION_CODE : ${{ secrets.NUGET_OPERATION_CODE }}
601+ run : |
602+ python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
603+
604+ - name : Unzip signed package
605+ shell : pwsh
606+ run : |
607+ Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force
608+ Remove-Item signed\gcm-nupkg.zip -Force
609+
610+ - name : Publish signed package
611+ uses : actions/upload-artifact@v3
612+ with :
613+ name : dotnet-tool-sign
614+ path : signed/*.nupkg
433615
434616# ================================
435617# Validate
@@ -452,8 +634,11 @@ jobs:
452634 # Windows due to its placement on the PATH. For this reason, we use
453635 # the full path to our installation to validate the Windows version.
454636 command : " $PROGRAMFILES (x86)/Git Credential Manager/git-credential-manager.exe"
637+ - os : ubuntu-latest
638+ artifact : dotnet-tool-sign
639+ command : git-credential-manager
455640 runs-on : ${{ matrix.component.os }}
456- needs : [ osx-sign, win-sign, linux-sign ]
641+ needs : [ osx-sign, win-sign, linux-sign, dotnet-tool-sign ]
457642 steps :
458643 - uses : actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
459644 with :
@@ -479,7 +664,7 @@ jobs:
479664 }
480665
481666name : Install Linux
482- if : contains(matrix.component.os, 'ubuntu')
667+ if : contains(matrix.component.os, 'ubuntu') && contains(matrix.component.artifact, 'linux')
483668 run : |
484669 debpath=$(find ./*.deb)
485670 sudo apt install $debpath
@@ -491,6 +676,13 @@ jobs:
491676 # Only validate x64, given arm64 agents are not available
492677 pkgpath=$(find ./*.pkg)
493678 sudo installer -pkg $pkgpath -target /
679+
680+ - name : Install .NET tool
681+ if : contains(matrix.component.os, 'ubuntu') && contains(matrix.component.artifact, 'dotnet-tool')
682+ run : |
683+ nupkgpath=$(find ./*.nupkg)
684+ dotnet tool install -g --add-source $(dirname "$nupkgpath") git-credential-manager
685+ "${{ matrix.component.command }}" configure
494686
495687name : Validate
496688 shell : bash
@@ -596,32 +788,12 @@ jobs:
596788
597789 // Upload Linux artifacts
598790 uploadDirectoryToRelease('linux-sign'),
599- ]);
600791
601- create-dotnet-tool :
602- name : Publish dotnet tool
603- runs-on : ubuntu-latest
604- steps :
605- - uses : actions/checkout@v3
606- with :
607- fetch-depth : 0 # Indicate full history so Nerdbank.GitVersioning works.
608-
609- - name : Setup .NET
610- 611- with :
612- dotnet-version : 6.0.201
613-
614- - uses : dotnet/nbgv@master
615- with :
616- setCommonVars : true
617-
618- - name : Package tool
619- run : |
620- src/shared/DotnetTool/pack-tool.sh \
621- --version=$GitBuildVersionSimple \
622- --configuration=Release
792+ // Upload .NET tool package
793+ uploadDirectoryToRelease('dotnet-tool-sign'),
794+ ]);
623795
624- name : Publish tool
625- run : |
626- dotnet nuget push ./out/shared/DotnetTool/nupkg/Release /*.nupkg \
627- --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
796+ - name : Publish .NET tool to nuget.org
797+ run : |
798+ dotnet nuget push dotnet-tool-sign/signed /*.nupkg \
799+ --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
0 commit comments