Fix release signing: use Windows runner and dotnet tool restore (#391)

Aaronontheweb · web-flow · commit b1f283e702fd · 2026-02-23T18:53:54.000-06:00
The sign tool (dotnet/sign) is Windows-only — all binaries target
net8.0/win-x64. Switch the release job to windows-latest and adopt
the same pattern as Akka.Persistence.Azure:

- Pin sign 0.9.1-beta.25181.2 in .config/dotnet-tools.json
- Replace dotnet tool install --global with dotnet tool restore
- Invoke via dotnet sign (local tool) with PowerShell syntax
- Use --base-directory with glob pattern for package discovery
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -1,5 +1,13 @@
 {
   "version": 1,
   "isRoot": true,
-  "tools": {}
-} 
+  "tools": {
+    "sign": {
+      "version": "0.9.1-beta.25181.2",
+      "commands": [
+        "sign"
+      ],
+      "rollForward": false
+    }
+  }
+}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ permissions:
 jobs:
   release:
     name: Build, Sign, and Publish
-    runs-on: ubuntu-latest
+    runs-on: windows-latest
     environment: signing
     env:
       CODE_SIGN_KEY_VAULT: ${{ secrets.CODE_SIGN_KEY_VAULT }}
@@ -29,11 +29,15 @@ jobs:
         with:
           global-json-file: "./global.json"
 
+      - name: Restore .NET tools
+        run: dotnet tool restore
+
       - name: Update release notes
         shell: pwsh
         run: ./build.ps1
 
       - name: Extract version from tag
+        shell: bash
         id: version
         run: echo "version=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
 
@@ -51,21 +55,19 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Install dotnet-sign
-        if: env.CODE_SIGN_KEY_VAULT != ''
-        run: dotnet tool install --global sign --version 0.9.*
-
       - name: Sign NuGet packages
         if: env.CODE_SIGN_KEY_VAULT != ''
-        run: >
-          sign code azure-key-vault
-          ./bin/nuget/*.nupkg
-          --publisher-name "Petabridge"
-          --description "TurboMqtt"
-          --description-url "https://github.com/petabridge/TurboMqtt"
-          --azure-key-vault-url "${{ secrets.CODE_SIGN_KEY_VAULT }}"
-          --azure-key-vault-certificate "${{ secrets.CODE_SIGN_CERT_NAME }}"
-          -v Information
+        shell: pwsh
+        run: |
+          dotnet sign code azure-key-vault `
+            "**/*.nupkg" `
+            --base-directory "$env:GITHUB_WORKSPACE/bin/nuget" `
+            --publisher-name "Petabridge" `
+            --description "TurboMqtt" `
+            --description-url "https://github.com/petabridge/TurboMqtt" `
+            --azure-key-vault-certificate "${{ secrets.CODE_SIGN_CERT_NAME }}" `
+            --azure-key-vault-url "${{ secrets.CODE_SIGN_KEY_VAULT }}" `
+            -v Information
 
       - name: Push to NuGet.org
         run: >
