Fix package signing verification #1761

Merged
merged 7 commits into from
Oct 31, 2023
Merged
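--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,6 +29,9 @@ jobs:
 # HACK Running on Windows instead of Linux due to https://github.com/stryker-mutator/stryker-net/issues/2741
 RUN_MUTATION_TESTS: ${{ matrix.os_name == 'windows' && !startsWith(github.ref, 'refs/tags/') && 'true' || 'false' }}
 
+outputs:
+dotnet-sdk-version: ${{ steps.setup-dotnet.outputs.dotnet-version }}
+
 strategy:
 fail-fast: false
 matrix:
@@ -50,6 +53,7 @@ jobs:
 
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+id: setup-dotnet
 
 - name: Setup NuGet cache
 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
@@ -109,6 +113,8 @@ jobs:
 
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+with:
+dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
 - name: Validate NuGet packages
 shell: pwsh
@@ -127,7 +133,7 @@ jobs:
 }
 
 publish-github:
-needs: validate-packages
+needs: [ build, validate-packages ]
 permissions:
 packages: write
 runs-on: ubuntu-latest
@@ -144,12 +150,14 @@ jobs:
 
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+with:
+dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
 - name: Publish NuGet packages to GitHub Packages
 run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate --no-symbols --source https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json
 
 sign:
-needs: publish-github
+needs: [ build, publish-github ]
 runs-on: windows-latest
 if: |
 github.event.repository.fork == false &&
@@ -171,9 +179,11 @@ jobs:
 
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+with:
+dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
 - name: Install Sign CLI tool
-run: dotnet tool install --tool-path . sign --version 0.9.1-beta.23274.1
+run: dotnet tool install --tool-path . sign --version 0.9.1-beta.23530.1
 
 - name: Sign artifacts
 shell: pwsh
@@ -185,12 +195,13 @@ jobs:
 --application-name "Polly"
 --publisher-name "App vNext"
 --description "Polly"
---description-url "https://github.com/App-vNext/Polly"
+--description-url "https://github.com/${{ github.repository }}"
 --azure-key-vault-certificate "${{ secrets.SIGN_CLI_CERT_NAME }}"
 --azure-key-vault-client-id "${{ secrets.SIGN_CLI_APPLICATION_ID }}"
 --azure-key-vault-client-secret "${{ secrets.SIGN_CLI_SECRET }}"
 --azure-key-vault-tenant-id "${{ secrets.SIGN_CLI_TENANT_ID }}"
 --azure-key-vault-url "${{ secrets.SIGN_CLI_VAULT_URI }}"
+--verbosity "${{ runner.debug == '1' && 'Debug' || 'Warning' }}"
 
 - name: Upload signed packages
 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -200,7 +211,7 @@ jobs:
 if-no-files-found: error
 
 validate-signed-packages:
-needs: sign
+needs: [ build, sign ]
 runs-on: windows-latest
 steps:
 
@@ -211,6 +222,8 @@ jobs:
 
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+with:
+dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
 - name: Validate NuGet packages
 shell: pwsh
@@ -232,8 +245,14 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 path: AuthenticodeLint
-ref: ccfaec53ee5c1b14f029cb8156e0653c530f8b65
-repository: vcsjones/AuthenticodeLint
+ref: ae44826fdcebaa671b06591ea0b3b47fc946b79c
+repository: martincostello/AuthenticodeLint
+submodules: recursive
+
+- name: Setup .NET SDK
+uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+with:
+global-json-file: AuthenticodeLint/global.json
 
 - name: Validate signatures
 shell: pwsh
@@ -243,7 +262,12 @@ jobs:
 $artifacts = Join-Path $authlintSource "artifacts"
 $authlint = Join-Path $artifacts "authlint.exe"
 
-dotnet publish $authLintProject --configuration Release --output $artifacts --runtime win-x64 --self-contained false /p:NoWarn=CS8604
+dotnet publish $authLintProject `
+--configuration Release `
+--output $artifacts `
+--runtime win-x64 `
+--self-contained false `
+/p:NoWarn=NU1902
 
 if ($LASTEXITCODE -ne 0) {
 throw "Failed to publish AuthenticodeLint."
@@ -299,7 +323,7 @@ jobs:
 }
 
 publish-nuget:
-needs: validate-signed-packages
+needs: [ build, validate-signed-packages ]
 runs-on: ubuntu-latest
 steps:
 
@@ -310,6 +334,8 @@ jobs:
 
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
+with:
+dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
 - name: Push signed NuGet packages to NuGet.org
 run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json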
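Review bot: `/p:NoWarn=NU1902` on the `dotnet publish` of AuthenticodeLint in the "Validate signatures" step suppresses NuGet's audit warning for a dependency with a known moderate-severity advisory, so the tool that `validate-signed-packages` runs (and that `publish-nuget` now waits on) is built from a package set with a reported vulnerability and CI no longer surfaces it. The replaced `/p:NoWarn=CS8604` only silenced a nullability diagnostic, so this is a change in what the build tolerates rather than a cosmetic reshuffle of the command line. Prefer bumping the fork ref so the flagged package is updated; if the advisory is being accepted, add a comment above the line, `# NU1902 suppressed: <package> advisory accepted, see <tracking issue>`, with the real package and issue filled in, so the suppression is reviewable and time-limited. The run script continues outside the hunk.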