Fix release workflow: correct secret names and workload identity federation (#387)

* Fix release workflow: correct secret names and use workload identity federation

The workflow referenced stale secret names (SIGN_KEYVAULT_URL, SIGN_CLIENT_ID,
SIGN_CLIENT_SECRET, SIGN_TENANT_ID, SIGN_CERTIFICATE_NAME) that don't exist.
Replace with the actual secrets: CODE_SIGN_KEY_VAULT, AZURE_CLIENT_ID,
AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, CODE_SIGN_CERT_NAME.

No SIGN_CLIENT_SECRET exists — authentication uses Azure workload identity
federation (OIDC). Add id-token: write permission and azure/login@v2 step
so DefaultAzureCredential can acquire a token for Key Vault access.

* Fix flaky ShouldAutomaticallyReconnectandSubscribeAfterServerDisconnect test

Use a fixed 15s per-lifecycle CancellationTokenSource instead of
RemainingOrDefault, which decrements across all three sequential
iterations. On loaded CI runners this exhausted the remaining time
before the second or third lifecycle could connect, causing a spurious
False on connectResult.IsSuccess.

Also bound the WhenTerminated await via WaitAsync(cts.Token) to prevent
an unbounded hang if cleanup stalls.

* Fix flaky protocol actor tests on loaded CI runners

Replace CancellationTokenSource(RemainingOrDefault) with a fixed 10-second
timeout in BrokerLimitsEnforcementSpecs, AtLeastOncePublishRetryActorSpecs,
ExactlyOncePublishRetryActorSpecs, and SharedReceiveMaximumQuotaSpecs.

DefaultTimeout (3 s) is exhausted when the Akka TestKit actor system
initialization is slow on a heavily loaded CI runner (the TestEventListener
can take 5+ seconds to respond), leaving no time budget for the actual
test body and causing spurious TaskCanceledException failures.

Author: Aaronontheweb

.github/workflows/release.yaml

@@ -7,13 +7,14 @@ on:
 
 permissions:
   contents: write
+  id-token: write  # required for workload identity federation (OIDC signing)
 
 jobs:
   release:
     name: Build, Sign, and Publish
     runs-on: ubuntu-latest
     env:
-      SIGN_KEYVAULT_URL: ${{ secrets.SIGN_KEYVAULT_URL }}
+      CODE_SIGN_KEY_VAULT: ${{ secrets.CODE_SIGN_KEY_VAULT }}
 
     steps:
       - name: Checkout
@@ -41,23 +42,30 @@ jobs:
       - name: Pack
         run: dotnet pack -c Release -o ./bin/nuget
 
+      - name: Azure login (workload identity federation)
+        if: env.CODE_SIGN_KEY_VAULT != ''
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Install dotnet-sign
-        if: env.SIGN_KEYVAULT_URL != ''
+        if: env.CODE_SIGN_KEY_VAULT != ''
         run: dotnet tool install --global sign --version 0.9.*
 
       - name: Sign NuGet packages
-        if: env.SIGN_KEYVAULT_URL != ''
+        if: env.CODE_SIGN_KEY_VAULT != ''
         run: >
           sign code azure-key-vault
           ./bin/nuget/*.nupkg
           --publisher-name "Petabridge"
           --description "TurboMqtt"
           --description-url "https://github.com/petabridge/TurboMqtt"
-          --azure-key-vault-url "${{ secrets.SIGN_KEYVAULT_URL }}"
-          --azure-key-vault-client-id "${{ secrets.SIGN_CLIENT_ID }}"
-          --azure-key-vault-client-secret "${{ secrets.SIGN_CLIENT_SECRET }}"
-          --azure-key-vault-tenant-id "${{ secrets.SIGN_TENANT_ID }}"
-          --azure-key-vault-certificate "${{ secrets.SIGN_CERTIFICATE_NAME }}"
+          --azure-key-vault-url "${{ secrets.CODE_SIGN_KEY_VAULT }}"
+          --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}"
+          --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}"
+          --azure-key-vault-certificate "${{ secrets.CODE_SIGN_CERT_NAME }}"
 
       - name: Push to NuGet.org
         run: >

tests/TurboMqtt.Tests/End2End/InMemoryMqtt311End2EndSpecs.cs

@@ -40,7 +40,10 @@ async Task RunClientLifeCycle()
         {
             await using var client = await ClientFactory.CreateInMemoryClient(DefaultConnectOptions);
 
-            using var cts = new CancellationTokenSource(RemainingOrDefault);
+            // Use a fixed per-lifecycle timeout rather than RemainingOrDefault, which decrements
+            // across all three sequential iterations and causes the later ones to time out on
+            // loaded CI runners.
+            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(15));
             var connectResult = await client.ConnectAsync(cts.Token);
             connectResult.IsSuccess.Should().BeTrue();
 
@@ -50,7 +53,7 @@ async Task RunClientLifeCycle()
 
             // disconnect
             await client.DisconnectAsync(cts.Token);
-            await client.WhenTerminated;
+            await client.WhenTerminated.WaitAsync(cts.Token);
         }
     }
 }

tests/TurboMqtt.Tests/Protocol/AtLeastOncePublishRetryActorSpecs.cs

@@ -68,7 +68,7 @@ [Fact] public async Task AtLeastOncePublishRetryActor_should_resend_overdue_publ
         actor.Tell(PublishProtocolDefaults.CheckTimeout.Instance);
 
         // we should have received the packet back
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
         var result = await channel.Reader.ReadAsync(cts.Token);
         result.Should().Be(packet);
         result.Duplicate.Should().BeTrue(); // duplicate flag needs to be set on retries

tests/TurboMqtt.Tests/Protocol/BrokerLimitsEnforcementSpecs.cs

@@ -40,7 +40,7 @@ public async Task AtLeastOnceRetryActor_queues_publishes_beyond_receive_maximum_
         actor.Tell(packet2, probe);
 
         // packet1 should reach the channel
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
         var inChannel = await channel.Reader.ReadAsync(cts.Token);
         inChannel.Should().Be(packet1);
 
@@ -77,7 +77,7 @@ public async Task AtLeastOnceRetryActor_sends_five_publishes_two_at_a_time_with_
         foreach (var p in packets)
             actor.Tell(p, probe);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         // First 2 should go to channel immediately
         var r1 = await channel.Reader.ReadAsync(cts.Token);
@@ -158,7 +158,7 @@ public async Task ExactlyOnceRetryActor_queues_publishes_beyond_receive_maximum_
         actor.Tell(packet1, probe);
         actor.Tell(packet2, probe);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         // packet1 should reach the channel
         var inChannel = await channel.Reader.ReadAsync(cts.Token);
@@ -202,7 +202,7 @@ public async Task ExactlyOnceRetryActor_failed_pubrec_frees_slot_and_promotes_bu
         actor.Tell(packet1, probe);
         actor.Tell(packet2, probe);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         // packet1 goes to channel immediately
         var inChannel = await channel.Reader.ReadAsync(cts.Token);

tests/TurboMqtt.Tests/Protocol/ExactlyOncePublishRetryActorSpecs.cs

@@ -43,7 +43,7 @@ public async Task ExactlyOncePublishRetryActor_should_publish_packet_completely(
         actor.Tell(packet, probe);
         actor.Tell(pubRec, probe);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
         var msg = await channel.Reader.ReadAsync(cts.Token);
         msg.PacketType.Should().Be(MqttPacketType.PubRel);
         // check the packet ids - they should all match
@@ -91,7 +91,7 @@ public async Task ExactlyOncePublishRetryActor_should_resend_overdue_publish_pac
         actor.Tell(PublishProtocolDefaults.CheckTimeout.Instance);
 
         // we should have received the packet back
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
         var result = await channel.Reader.ReadAsync(cts.Token);
         result.Should().Be(packet);
         packet.Duplicate.Should().BeTrue();

tests/TurboMqtt.Tests/Protocol/SharedReceiveMaximumQuotaSpecs.cs

@@ -139,7 +139,7 @@ public async Task SharedQuota_limits_combined_Qos1_and_Qos2_to_receive_maximum()
         var p2 = MakeQos2(2);
         var p3 = MakeQos1(3);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         // Claim slot 1: send p1, wait for it in channel
         qos1.Tell(p1, probe);
@@ -192,7 +192,7 @@ public async Task SharedQuota_cross_Qos_drain_when_Qos1_frees_slot_and_Qos2_has_
         var p2 = MakeQos2(2);
         var p3 = MakeQos2(3);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         qos1.Tell(p1, probe);
         var c1 = await channel.Reader.ReadAsync(cts.Token);
@@ -246,7 +246,7 @@ public async Task SharedQuota_cross_Qos_drain_when_Qos2_frees_slot_and_Qos1_has_
         var p2 = MakeQos2(2);
         var p3 = MakeQos1(3);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         qos1.Tell(p1, probe);
         var c1 = await channel.Reader.ReadAsync(cts.Token);
@@ -302,7 +302,7 @@ public async Task SharedQuota_five_interleaved_publishes_respect_receive_maximum
         var p4 = MakeQos2(4);
         var p5 = MakeQos1(5);
 
-        using var cts = new CancellationTokenSource(RemainingOrDefault);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
 
         // Fill the quota: 3 slots
         qos1.Tell(p1, probe);