
Commit 961a213

release: update .NET tool azure connection/variables
Update the .NET tool release workflow to use the workflow's Federated credential for Azure access. Additionally, update ESRP setup to use secrets instead of storage account/resource names.
1 parent 4d3a8f1 commit 961a213


2 files changed

+21
-12
lines changed


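--- a/.github/set_up_esrp.ps1
+++ b/.github/set_up_esrp.ps1
@@ -1,5 +1,5 @@
 # Install ESRP client
-az storage blob download --file esrp.zip --auth-mode login --account-name esrpsigningstorage --container signing-resources --name microsoft.esrpclient.1.2.76.nupkg
+az storage blob download --file esrp.zip --auth-mode login --account-name $env:AZURE_STORAGE_ACCOUNT --container $env:AZURE_STORAGE_CONTAINER --name $env:ESRP_TOOL
 Expand-Archive -Path esrp.zip -DestinationPath .\esrp
 
 # Install certificates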
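Review bot: The archive fetched by the new `az storage blob download` line is expanded on the next line without any integrity check, and with the blob name now coming from `$env:ESRP_TOOL` the client version is no longer recorded in the repository. Comparing `(Get-FileHash esrp.zip -Algorithm SHA256).Hash` with an expected digest supplied alongside the other inputs, before `Expand-Archive` runs, would pin what executes next to the signing certificates. The three `$env:` values are also used unchecked, so an unset secret likely surfaces as a confusing argument error from `az`; a guard such as `if (-not $env:ESRP_TOOL) { throw 'ESRP_TOOL is not set' }` ahead of the call would fail clearly. The script continues past the end of this hunk.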

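--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -309,6 +309,7 @@ jobs:
 dotnet-tool-build:
 name: Build .NET tool
 runs-on: ubuntu-latest
+needs: prereqs
 steps:
 - uses: actions/checkout@v4
 
@@ -349,14 +350,20 @@ jobs:
 cd payload
 Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
 
-- uses: azure/login@v1
+- name: Log into Azure
+uses: azure/login@v1
 with:
-creds: ${{ secrets.AZURE_CREDENTIALS }}
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Set up ESRP client
 shell: pwsh
 env:
 AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
 AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
 REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
 run: |
@@ -390,15 +397,10 @@ jobs:
 dotnet-tool-pack:
 name: Package .NET tool
 runs-on: ubuntu-latest
-needs: dotnet-tool-payload-sign
+needs: [ prereqs, dotnet-tool-payload-sign ]
 steps:
 - uses: actions/checkout@v4
 
-- name: Set version environment variable
-run: echo "VERSION=$(cat VERSION | sed -E 's/.[0-9]+$//')" >> $GITHUB_ENV
-
-- uses: actions/checkout@v4
-
 - name: Download signed payload
 uses: actions/download-artifact@v3
 with:
@@ -413,7 +415,8 @@ jobs:
 - name: Package tool
 run: |
 src/shared/DotnetTool/pack.sh --configuration=Release \
---version=$VERSION --publish-dir=$(pwd)/signed
+--version="${{ needs.prereqs.outputs.version }}" \
+--publish-dir=$(pwd)/signed
 
 - name: Upload unsigned package
 uses: actions/upload-artifact@v3
@@ -444,14 +447,20 @@ jobs:
 cd nupkg
 Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
 
-- uses: azure/login@v1
+- name: Log into Azure
+uses: azure/login@v1
 with:
-creds: ${{ secrets.AZURE_CREDENTIALS }}
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Set up ESRP client
 shell: pwsh
 env:
 AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
 AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
 REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
 run: |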
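Review bot: In the `Package tool` step the new `--version="${{ needs.prereqs.outputs.version }}"` is expanded into the script text before the shell runs, so the surrounding quotes do not protect against shell metacharacters in the job output; how `prereqs` derives that value is not shown here. Passing it through the environment keeps it as data: add `env:` with `VERSION: ${{ needs.prereqs.outputs.version }}` to the step and use `--version="$VERSION"` in the command. Separately, the `azure/login@v1` steps now rely on the workflow's federated credential, which needs `permissions: id-token: write`. No permissions block is visible in these hunks, so confirm it is set and, if possible, scoped to the two signing jobs only. The step bodies continue outside the hunks shown.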
