Add GitHub Actions workflow for NuGet packaging #24
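name: Package

# Builds, signs and (on manual request) publishes the NuGet packages.
# Job chain: build (ubuntu) -> sign (windows, Production environment) -> az-artifacts-build-and-deploy.
on:
  workflow_dispatch:
    inputs:
      # Both inputs are string choices, not booleans; compare against the string 'true' in job conditions.
      deployToDevFeed:
        description: 'Deploy to Dev Feed?'
        required: false
        default: 'false'
        type: choice
        options: ['false', 'true']
      deployToNuGet:
        description: 'Deploy to NuGet.org?'
        required: false
        default: 'false'
        type: choice
        options: ['false', 'true']
  push:
    branches:
      - main
      - '[0-9]+.x'
      - 'release/*'
  # Bare key: run on the default pull_request activity types.
  pull_request:

# One active run per workflow and ref; a newer push cancels the older run,
# including a sign or publish job that is still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least-privilege default for every job; jobs that need more opt in below.
permissions:
  contents: read
  # pull-requests: write

env:
  AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json
  # Runner env values are always strings; quoted so YAML tooling never retypes them to int/bool.
  DOTNET_CLI_TELEMETRY_OPTOUT: '1'
  DOTNET_NOLOGO: 'true'
  SOLUTION_FILE: 'src/Steeltoe.All.sln'

jobs:
  build:
    name: Build
    timeout-minutes: 15
    runs-on: ubuntu-latest
    steps:
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: |
            8.0.*
            9.0.*
      - name: Git checkout
        uses: actions/checkout@v4
        with:
          # Full history: the version step below (nbgv) needs the complete git history.
          fetch-depth: 0
      - name: Restore packages
        run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal
      - name: Set package version
        # NOTE(review): nbgv is invoked as a global command but no step here installs it —
        # confirm the runner image or an earlier tool restore provides it.
        run: nbgv cloud
      - name: Build solution
        run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
      - name: Collect packages
        run: dotnet pack ${{ env.SOLUTION_FILE }} --no-build --configuration Release --output ${{ github.workspace }}/packages
      - name: Upload packages
        uses: actions/upload-artifact@v4
        with:
          # Fail the job rather than hand an empty artifact to the sign job.
          if-no-files-found: error
          name: unsigned-packages
          path: ${{ github.workspace }}/packages/**/*.nupkg
          retention-days: 7

  sign:
    needs: build
    runs-on: windows-latest
    # NOTE(review): neither guard below is active, so this job — and with it the
    # Production environment and the Key Vault login — is also attempted for
    # pull_request runs, i.e. not-yet-reviewed code is signed with the release
    # certificate. Re-enable one of the guards once the workflow is validated.
    # if: ${{ github.ref == 'refs/heads/main' }} # Only run this job on pushes to the main branch
    # if: ${{ github.event_name != 'pull_request' }}
    environment: Production
    permissions:
      # OIDC token for azure/login. Job-level permissions replace the workflow
      # default, so this job gets no `contents` access (it checks out nothing).
      id-token: write
    steps:
      - name: Download packages
        uses: actions/download-artifact@v4
        with:
          name: unsigned-packages
          path: packages
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: |
            8.0.*
            9.0.*
      - name: Install code signing tool
        # --prerelease resolves to whatever the newest prerelease is at run time;
        # pin with --version for reproducible signing runs.
        run: dotnet tool install --global sign --prerelease
      - name: 'Az CLI login'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Sign packages
        shell: pwsh
        # Folded scalar: the lines below become a single command at run time.
        # Signs every .nupkg under the workspace, which includes the downloaded packages/ directory.
        # NOTE(review): both --azure-key-vault-managed-identity and --azure-credential-type are
        # passed; confirm the installed sign version honours this combination.
        run: >-
          sign code azure-key-vault "**/*.nupkg"
          --base-directory "${{ github.workspace }}"
          --azure-key-vault-managed-identity true
          --azure-credential-type "azure-cli"
          --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
          --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
          --description "Steeltoe"
      - name: "Upload signed packages"
        uses: actions/upload-artifact@v4
        with:
          # Same policy as the build job: an empty signed-packages artifact must not reach publishing.
          if-no-files-found: error
          name: signed-packages
          path: ${{ github.workspace }}/packages/**/*.nupkg

  az-artifacts-build-and-deploy:
    # Only on a manual dispatch that opted in; never on push or pull_request.
    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.deployToDevFeed == 'true' }}
    # if: ${{ github.ref == 'refs/heads/main' }}
    needs: sign
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
          # Registers the feed in the runner's NuGet.config; the credential comes from NUGET_AUTH_TOKEN.
          source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }}
        env:
          # NOTE(review): a personal access token is a long-lived secret; the commented-out
          # managed-identity flow below is the intended replacement.
          NUGET_AUTH_TOKEN: ${{ secrets.DEV_FEED_PERSONAL_TOKEN }}
      - name: Download signed packages
        uses: actions/download-artifact@v4
        with:
          name: signed-packages
          path: packages
      # this approach won't work until a managed identity is authorized
      # - name: Azure CLI Login
      #   uses: azure/login@v2
      #   with:
      #     client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
      #     tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
      #     subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # - name: Install credential provider for Azure Artifacts
      #   run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
      # - name: Extract access token
      #   run: |
      #     # the guid appears to be the Azure DevOps resource (application) id used as the token audience; it came from this link:
      #     # https://learn.microsoft.com/en-us/azure/devops/artifacts/quickstarts/github-actions?view=azure-devops&pivots=managed-identity#assign-permissions-to-your-managed-identity-in-azure-devops
      #     accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
      #     echo "::add-mask::$accessToken"
      #     echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV
      # - name: Configure authentication provider to use Azure DevOps token
      #   run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
      - name: 'Publish the package to Azure Artifacts'
        # "AzureDevOps" is a placeholder API key; authentication presumably comes from the
        # NuGet.config written by setup-dotnet above — confirm NUGET_AUTH_TOKEN is visible to this step.
        run: dotnet nuget push packages/*.nupkg --api-key AzureDevOps --source ${{ env.AZURE_ARTIFACTS_FEED_URL }}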