diff --git a/.github/workflow-gen/Program.cs b/.github/workflow-gen/Program.cs
index 4fd5f829..c48381f6 100644
--- a/.github/workflow-gen/Program.cs
+++ b/.github/workflow-gen/Program.cs
@@ -49,7 +49,7 @@ void GenerateCiWorkflow(Component component) .Push() .Paths(paths); workflow.On - .PullRequestTarget() + .PullRequest() .Paths(paths); workflow.EnvDefaults();
@@ -207,7 +207,7 @@ public static void StepTestAndReport(this Job job, string componentName, string job.Step() .Name($"Test report - {testProject}") .Uses("dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5") // v1.9.1 - .If("success() || failure()") + .If("github.event == 'push' && (success() || failure())") .With( ("name", $"Test Report - {testProject}"), ("path", $"{componentName}/{path}/TestResults/{logFileName}"),
@@ -240,12 +240,19 @@ public static void StepSign(this Job job) "--azure-key-vault-certificate NuGetPackageSigning"; job.Step() .Name("Sign packages") + .IfGithubEventIsPush() .Run($""" for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" {flags} done """); } + /// + /// Only run this if the build is triggered on a branch IN the same repo + /// this means it's from a trusted contributor. + /// + public static Step IfGithubEventIsPush(this Step step) + => step.If("github.event == 'push'"); public static Step StepPush(this Job job, string destination, string sourceUrl, string secretName) {
diff --git a/.github/workflow-gen/Properties/launchSettings.json b/.github/workflow-gen/Properties/launchSettings.json
new file mode 100644
index 00000000..b014caa4
--- /dev/null
+++ b/.github/workflow-gen/Properties/launchSettings.json
@@ -0,0 +1,8 @@
+{
+ "profiles": {
+ "workflow-gen": {
+ "commandName": "Project",
+ "workingDirectory": "$(ProjectDir)"
+ }
+ }
+}
\ No newline at end of file
diff --git a/.github/workflows/access-token-management-ci.yml b/.github/workflows/access-token-management-ci.yml
index 33131474..e83a0db4 100644
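Review bot: `.If("github.event == 'push' && (success() || failure())")` compares the full event payload object `github.event` with a string, while the event's name lives in `github.event_name`, so the condition is never true and the test-report step is skipped on every run, pushes included. The same expression is emitted by `IfGithubEventIsPush` in the @@ -240 hunk and appears in every generated workflow in this diff as `if: github.event == 'push'`, where it makes the release workflows skip "Sign packages" silently instead of failing, i.e. packages could be published unsigned by a green run. Use `.If("github.event_name == 'push' && (success() || failure())")` here and `step.If("github.event_name == 'push'")` in `IfGithubEventIsPush`, then regenerate the YAML. If the release workflows are triggered by something other than a push (their `on:` blocks are not in this diff), even the corrected guard would skip signing there, so that is worth checking. StepTestAndReport's body continues beyond the hunk.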
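Review bot: The XML doc on `IfGithubEventIsPush` describes the guard as "triggered on a branch IN the same repo", but a pull_request run from a same-repo branch is not a push event, so what the guard actually expresses is "direct pushes only, never pull requests"; the comment should say that so the next maintainer does not loosen it, e.g. `/// Runs the step only on push events; pull request runs are skipped, so the signing secret is never used for code that arrived via a PR.` As rendered here the comment also seems to have lost its `<summary>` tags, though that may be an extraction artefact. StepSign and StepPush both extend past the hunk.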
--- a/.github/workflows/access-token-management-ci.yml
+++ b/.github/workflows/access-token-management-ci.yml
@@ -8,7 +8,7 @@ on: - .github/workflows/access-token-management-** - access-token-management/** - Directory.Packages.props - pull_request_target: + pull_request: paths: - .github/workflows/access-token-management-** - access-token-management/**
@@ -45,7 +45,7 @@ jobs: - name: Test - AccessTokenManagement.Tests run: dotnet test -c Release test/AccessTokenManagement.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - AccessTokenManagement.Tests - if: success() || failure() + if: github.event == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - AccessTokenManagement.Tests
@@ -60,6 +60,7 @@ jobs: - name: Pack AccessTokenManagement.OpenIdConnect run: dotnet pack -c Release src/AccessTokenManagement.OpenIdConnect -o artifacts - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/access-token-management-release.yml b/.github/workflows/access-token-management-release.yml
index c8f25705..83eff3c8 100644
--- a/.github/workflows/access-token-management-release.yml
+++ b/.github/workflows/access-token-management-release.yml
@@ -48,6 +48,7 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/identity-model-ci.yml b/.github/workflows/identity-model-ci.yml
index 5cdd70bb..7051208c 100644
--- a/.github/workflows/identity-model-ci.yml
+++ b/.github/workflows/identity-model-ci.yml
@@ -8,7 +8,7 @@ on: - .github/workflows/identity-model-** - identity-model/** - Directory.Packages.props - pull_request_target: + pull_request: paths: - .github/workflows/identity-model-** - identity-model/**
@@ -45,7 +45,7 @@ jobs: - name: Test - IdentityModel.Tests run: dotnet test -c Release test/IdentityModel.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - IdentityModel.Tests - if: success() || failure() + if: github.event == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - IdentityModel.Tests
@@ -58,6 +58,7 @@ jobs: - name: Pack IdentityModel run: dotnet pack -c Release src/IdentityModel -o artifacts - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/identity-model-oidc-client-ci.yml b/.github/workflows/identity-model-oidc-client-ci.yml
index 366f65d0..37df9b9e 100644
--- a/.github/workflows/identity-model-oidc-client-ci.yml
+++ b/.github/workflows/identity-model-oidc-client-ci.yml
@@ -8,7 +8,7 @@ on: - .github/workflows/identity-model-oidc-client-** - identity-model-oidc-client/** - Directory.Packages.props - pull_request_target: + pull_request: paths: - .github/workflows/identity-model-oidc-client-** - identity-model-oidc-client/**
@@ -45,7 +45,7 @@ jobs: - name: Test - IdentityModel.OidcClient.Tests run: dotnet test -c Release test/IdentityModel.OidcClient.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - IdentityModel.OidcClient.Tests - if: success() || failure() + if: github.event == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - IdentityModel.OidcClient.Tests
@@ -60,6 +60,7 @@ jobs: - name: Pack IdentityModel.OidcClient.Extensions run: dotnet pack -c Release src/IdentityModel.OidcClient.Extensions -o artifacts - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/identity-model-oidc-client-release.yml b/.github/workflows/identity-model-oidc-client-release.yml
index 55aed3b6..db51a4ed 100644
--- a/.github/workflows/identity-model-oidc-client-release.yml
+++ b/.github/workflows/identity-model-oidc-client-release.yml
@@ -48,6 +48,7 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/identity-model-release.yml b/.github/workflows/identity-model-release.yml
index a08666fa..e473b62b 100644
--- a/.github/workflows/identity-model-release.yml
+++ b/.github/workflows/identity-model-release.yml
@@ -46,6 +46,7 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/ignore-this-ci.yml b/.github/workflows/ignore-this-ci.yml
index 6aa0698e..34b5f0b0 100644
--- a/.github/workflows/ignore-this-ci.yml
+++ b/.github/workflows/ignore-this-ci.yml
@@ -8,7 +8,7 @@ on: - .github/workflows/ignore-this-** - ignore-this/** - Directory.Packages.props - pull_request_target: + pull_request: paths: - .github/workflows/ignore-this-** - ignore-this/**
@@ -45,7 +45,7 @@ jobs: - name: Test - IgnoreThis.Tests run: dotnet test -c Release test/IgnoreThis.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - IgnoreThis.Tests - if: success() || failure() + if: github.event == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - IgnoreThis.Tests
@@ -58,6 +58,7 @@ jobs: - name: Pack IgnoreThis run: dotnet pack -c Release src/IgnoreThis -o artifacts - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
diff --git a/.github/workflows/ignore-this-release.yml b/.github/workflows/ignore-this-release.yml
index 175da624..603efd70 100644
--- a/.github/workflows/ignore-this-release.yml
+++ b/.github/workflows/ignore-this-release.yml
@@ -46,6 +46,7 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages + if: github.event == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning