diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5656f134a8..07a57b2ab7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,6 +2,9 @@ name: release on: workflow_dispatch: + push: + branches: + - dotnet-tool-signing permissions: id-token: write 
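Review bot: The added `push` trigger for the `dotnet-tool-signing` branch makes every push to that branch run the release workflow, which requests `id-token: write` and, in the next hunk, runs a job in the `release` environment. It reads like a temporary debugging trigger; if merged, anyone who can push to that branch can start the signing pipeline without the manual `workflow_dispatch` step. I would drop the three added lines before merge. If the trigger has to stay for a while, confirm that the `release` environment has a deployment-branch rule and required reviewers, and mark it with a comment such as `# temporary: remove once signing is verified`.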
@@ -20,114 +23,14 @@ jobs: run: echo "version=$(cat VERSION | sed -E 's/.[0-9]+$//')" >> $GITHUB_OUTPUT id: version - # ================================ - # .NET Tool - # ================================ - dotnet-tool-build: - name: Build .NET tool - runs-on: ubuntu-latest - needs: prereqs - steps: - - uses: actions/checkout@v4 - - - name: Set up .NET - uses: actions/setup-dotnet@v4.0.0 - with: - dotnet-version: 7.0.x - - - name: Build .NET tool - run: | - src/shared/DotnetTool/layout.sh --configuration=Release - - - name: Upload .NET tool artifacts - uses: actions/upload-artifact@v4 - with: - name: tmp.dotnet-tool-build - path: | - out/shared/DotnetTool/nupkg/Release - dotnet-tool-payload-sign: name: Sign .NET tool payload # ESRP service requires signing to run on Windows runs-on: windows-latest environment: release - needs: dotnet-tool-build steps: - - uses: actions/checkout@v4 - - - name: Download payload - uses: actions/download-artifact@v4 - with: - name: tmp.dotnet-tool-build - - - name: Log into Azure - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: Download/extract Sign CLI tool - shell: pwsh run: | - az storage blob download --file sign-cli.zip --auth-mode login ` - --account-name $env:AZURE_STORAGE_ACCOUNT ` - --container $env:AZURE_STORAGE_CONTAINER --name $env:SIGN_CLI_TOOL + echo $env:AZURE_STORAGE_ACCOUNT + az storage blob download --file sign-cli.zip --auth-mode login --account-name $env:AZURE_STORAGE_ACCOUNT --container-name $env:AZURE_STORAGE_CONTAINER --name $env:SIGN_CLI_TOOL Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli - - - name: Sign payload - shell: pwsh - run: | - ./sign-cli/sign.exe code azcodesign payload/* ` - -acsu https://wus2.codesigning.azure.net/ ` - -acsa git-fundamentals-signing ` - -acscp git-fundamentals-windows-signing ` - -d "Git Fundamentals Windows Signing Certificate" ` - -u 
"https://github.com/git-ecosystem/git-credential-manager" ` - -acsm true - - - name: Lay out signed payload, images, and symbols - shell: bash - run: | - mkdir dotnet-tool-payload-sign - rm -rf payload - mv images payload.sym -t dotnet-tool-payload-sign - unzip signed/payload.zip -d dotnet-tool-payload-sign - - - name: Upload signed payload - uses: actions/upload-artifact@v4 - with: - name: dotnet-tool-payload-sign - path: | - dotnet-tool-payload-sign - - dotnet-tool-pack: - name: Package .NET tool - runs-on: ubuntu-latest - needs: [prereqs, dotnet-tool-payload-sign] - steps: - - uses: actions/checkout@v4 - - - name: Download signed payload - uses: actions/download-artifact@v4 - with: - name: dotnet-tool-payload-sign - path: signed - - - name: Set up .NET - uses: actions/setup-dotnet@v4.0.0 - with: - dotnet-version: 7.0.x - - - name: Package tool - run: | - src/shared/DotnetTool/pack.sh --configuration=Release \ - --version="${{ needs.prereqs.outputs.version }}" \ - --publish-dir=$(pwd)/signed - - - name: Upload unsigned package - uses: actions/upload-artifact@v4 - with: - name: tmp.dotnet-tool-package-unsigned - path: | - out/shared/DotnetTool/nupkg/Release/*.nupkg
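Review bot: The download step still calls `az storage blob download ... --auth-mode login`, but this hunk deletes the `azure/login@v1` step that supplied the session, so the visible lines show no credential for that call. The login step should stay ahead of it. The added `echo $env:AZURE_STORAGE_ACCOUNT` writes the storage account name into the job log, where it is masked only if the value comes from a secret, and no `env:` mapping for it is visible in the hunk; remove the line once debugging is done. Because `sign-cli.zip` is the tool that signs release payloads, I would also compare its hash with a pinned value before `Expand-Archive`, e.g. `if ((Get-FileHash sign-cli.zip -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { throw 'sign-cli.zip hash mismatch' }`.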