package signing updates from other PR, first attempt at dev feed publish

TimHess · TimHess · commit 2f0500a1edbf · 2025-07-11T16:40:31.000-05:00
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -2,6 +2,19 @@ name: Package
 
 on:
   workflow_dispatch:
+    inputs:
+      deployToDevFeed:
+        description: 'Deploy to Dev Feed?'
+        required: false
+        default: 'false'
+        type: choice
+        options: [ 'false', 'true' ]
+      deployToNuGet:
+        description: 'Deploy to NuGet.org?'
+        required: false
+        default: 'false'
+        type: choice
+        options: [ 'false', 'true' ]
   push:
     branches:
     - main
@@ -18,6 +31,7 @@ permissions:
 #  pull-requests: write
 
 env:
+  AZURE_ARTIFACTS_FEED_URL: https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
   DOTNET_NOLOGO: true
   SOLUTION_FILE: 'src/Steeltoe.All.sln'
@@ -56,15 +70,17 @@ jobs:
     - name: Upload packages
       uses: actions/upload-artifact@v4
       with:
-        name: packages
+        if-no-files-found: error
+        name: unsigned-packages
         path: ${{ github.workspace }}/packages/**/*.nupkg
-
+        retention-days: 7
 
   sign:
     needs: build
     runs-on: windows-latest
-#    if: ${{ github.ref == 'refs/heads/main' }} # Only run this job on pushes to the main branch
-#    if: ${{ github.event_name != 'pull_request' }}
+    # if: ${{ github.ref == 'refs/heads/main' }} # Only run this job on pushes to the main branch
+    # if: ${{ github.event_name != 'pull_request' }}
+    environment: Production
     permissions:
       id-token: write
 
@@ -85,107 +101,65 @@ jobs:
     - name: Install code signing tool
       run: dotnet tool install --global sign --prerelease
 
-# From documentation workflow
-    - name: Log into Azure CLI with service principal
+    - name: 'Az CLI login'
       uses: azure/login@v2
       with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
-        allow-no-subscriptions: true
-
-#    - name: Azure login
-#      uses: azure/login@v2
-#      with:
-#        allow-no-subscriptions: true
-#        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-#        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-#        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-#        sign code azure-key-vault "**/*.nupkg"
-#        --base-directory "${{ github.workspace }}/packages"
-#        --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
-#        --azure-key-vault-tenant-id "${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}"
-#        --azure-key-vault-client-id "${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}"
-#        --azure-key-vault-client-secret "${{ secrets.AZURE_KEY_VAULT_CLIENT_SECRET }}"
-#        --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}"
-#        --publisher-name "Steeltoe"
-#        --description "Steeltoe"
-#        --description-url "https://github.com/SteeltoeOSS"
-
-#    - name: Sign packages
-#      shell: pwsh
-#      run: >-
-#        sign code azure-key-vault "**/*.nupkg"
-#        --base-directory "${{ github.workspace }}/packages"
-#        --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
-#        --azure-key-vault-tenant-id "${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}"
-#        --azure-key-vault-client-id "${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}"
-#        --azure-key-vault-client-secret "${{ secrets.AZURE_KEY_VAULT_CLIENT_SECRET }}"
-#        --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
-#        --description "SteeltoeSC"
- #       --description-url "https://github.com/SteeltoeOSS"
+        client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Sign packages
       shell: pwsh
       run: >-
-        sign code azure-key-vault
-        **/*.nupkg
-        --base-directory "${{ github.workspace }}/packages"
-        --publisher-name "Steeltoe"
-        --description "Steeltoe"
-        --description-url "https://github.com/SteeltoeOSS"
+        sign code azure-key-vault "**/*.nupkg"
+        --base-directory "${{ github.workspace }}"
         --azure-key-vault-managed-identity true
+        --azure-credential-type "azure-cli"
         --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}"
         --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_ID }}"
+        --description "Steeltoe"
 
-    - name: "TEMP: Upload signed packages"
+    - name: "Upload signed packages"
       uses: actions/upload-artifact@v4
       with:
         name: signed-packages
         path: ${{ github.workspace }}/packages/**/*.nupkg
 
-
-
-
-#  - task: PowerShell@2
-#    displayName: Set package version
-#    env:
-#      PackageVersionOverride: $(PackageVersionOverride)
-#    inputs:
-#      targetType: 'inline'
-#      script: |
-#        if ($env:PackageVersionOverride) {
-#            Write-Host "Overriding package version with: $env:PackageVersionOverride"
-#            Write-Warning "Always provide a 4-segment version (such as 1.2.3.0 or 1.2.3.0-rc1), to prevent an increment in patch number."
-#            Write-Warning "The commit hash may still be added to the version, depending on the source branch or PR being built."
-#            nbgv set-version $env:PackageVersionOverride
-#
-#            Write-Host "Contents of version.json after update:"
-#            get-content version.json
-#
-#            git config --global user.email "cibuild@steeltoe.io"
-#            git config --global user.name "steeltoe-cibuild"
-#            git commit --allow-empty -m "Activating version override by locally committing changes to version.json."
-#        }
-#
-#        nbgv cloud
-
-
-# TODO: Rename secrets
-#source: https://dev.azure.com/SteeltoeOSS/Steeltoe/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=1&path=PackageSigningSecrets
-#SignClientId
-#SignClientSecret
-#SignClientUser
-#SignKeyVaultCertificate
-#SignKeyVaultUrl
-#SignTenantId
-
-
-
-#  - publish: $(Build.ArtifactStagingDirectory)/packages
-#    condition: succeeded()
-#    displayName: Publish build artifacts
-#    artifact: Packages
-
-# TODO: Delete old yaml file.
-
-# https://github.com/dotnet/sign/blob/main/docs/gh-build-and-sign.yml
+  az-artifacts-build-and-deploy:
+    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.deployToDevFeed == 'true' }}
+    # if: ${{ github.ref == 'refs/heads/main' }}
+    needs: sign
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '8.0.x'
+        source-url: ${{ env.AZURE_ARTIFACTS_FEED_URL }}
+      env:
+        NUGET_AUTH_TOKEN: ${{ secrets.DEV_FEED_PERSONAL_TOKEN }}
+    - name: Download signed packages
+      uses: actions/download-artifact@v4
+      with:
+        name: signed-packages
+        path: packages
+    # this approach won't work until a managed identity is authorized
+    # - name: Azure CLI Login
+    #   uses: azure/login@v2
+    #   with:
+    #     client-id: ${{ secrets.AZURE_KEY_VAULT_CLIENT_ID }}
+    #     tenant-id: ${{ secrets.AZURE_KEY_VAULT_TENANT_ID }}
+    #     subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+    # - name: Install credential provider for Azure Artifacts
+    #   run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
+    # - name: Extract access token
+    #   run: |
+    #       # no idea what the guid is for, came from this link:
+    #       # https://learn.microsoft.com/en-us/azure/devops/artifacts/quickstarts/github-actions?view=azure-devops&pivots=managed-identity#assign-permissions-to-your-managed-identity-in-azure-devops
+    #       accessToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
+    #       echo "::add-mask::$accessToken"
+    #       echo "ACCESS_TOKEN=$accessToken" >> $GITHUB_ENV
+    # - name: Configure authentication provider to use Azure DevOps token
+    #   run: echo "VSS_NUGET_ACCESSTOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
+
+    - name: 'Publish the package to Azure Artifacts'
+      run: dotnet nuget push packages/*.nupkg --api-key AzureDevOps --source ${{ env.AZURE_ARTIFACTS_FEED_URL }}
