ci(NuGet): Reworking the code signing mechanism. #17
Open
turbobobbytraykov wants to merge 11 commits into
Open
ci(NuGet): Reworking the code signing mechanism. #17turbobobbytraykov wants to merge 11 commits into
turbobobbytraykov wants to merge 11 commits into
Conversation
Added workflow dispatch inputs for versioning and build configuration. Updated build and signing steps to use environment variables and Azure Key Vault for signing.
There was a problem hiding this comment.
Pull request overview
Updates the release publish workflow to use Windows runners and a Key Vault-based signing flow so assemblies and the produced NuGet package are signed during release publishing.
Changes:
- Switch
publishjob towindows-latestand addBUILD_CONFIGURATIONenv usage for build/pack. - Add Azure OIDC login + Sign CLI steps to sign DLLs and the
.nupkg, plus signature validation steps. - Temporarily add artifact upload for debugging and temporarily disable the final
nuget pushstep.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
127
to
+129
| - name: NuGet push | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${VERSION}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" | ||
| if: false # temp disable while working in the branch | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${{ env.VERSION }}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" |
Removed commented-out steps for signing NuGet package in the workflow.
…re-enable push to nuget.org Removed artifact upload step and adjusted permissions.
Comment on lines
+13
to
+17
| runs-on: windows-latest | ||
| environment: NuGet Deploy | ||
| permissions: | ||
| id-token: write # enable GitHub OIDC token issuance for this job | ||
| contents: read |
Comment on lines
100
to
+102
| # Push the package | ||
| - name: NuGet push | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${VERSION}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${{ env.VERSION }}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" |
Comment on lines
82
to
+86
| - name: Sign NuGet package | ||
| env: | ||
| SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD }} | ||
| SIGNING_CERTIFICATE_TIMESTAMP_URL: ${{ vars.SIGNING_CERTIFICATE_TIMESTAMP_URL }} | ||
| run: | | ||
| dotnet nuget sign "./artifacts/*.nupkg" \ | ||
| --certificate-path signingcert.pfx \ | ||
| --certificate-password "${SIGNING_CERTIFICATE_PASSWORD}" \ | ||
| --timestamper "${SIGNING_CERTIFICATE_TIMESTAMP_URL}" | ||
| shell: pwsh | ||
| run: > | ||
| ./sign/sign code azure-key-vault "*.nupkg" | ||
| --base-directory "${{ github.workspace }}/artifacts" |
Comment on lines
100
to
+102
| # Push the package | ||
| - name: NuGet push | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${VERSION}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${{ env.VERSION }}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" |
Comment on lines
101
to
+102
| - name: NuGet push | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${VERSION}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" | ||
| run: dotnet nuget push artifacts/IgniteUI.Blazor.GridLite.${{ env.VERSION }}.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source "https://api.nuget.org/v3/index.json" |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Use the new approach to signing code in the repo, aligning it with the recommendations from Microsoft, a.k.a code-signing the DLLs as well as the NuGet package.
The code signing mechanism works on any Windows runner, but unfortunately it requires Windows OS binaries to work, so ubuntu-latest is no longer viable if we want to keep the workflow with just 1 job.
Reference guide from Barry from MS: https://idunno.org/net-code-nupkg-signing-in-github-actions/