Always sign packages in release workflow

Author: damianh

.github/workflow-gen/Program.cs

@@ -88,8 +88,6 @@ void GenerateCiWorkflow(Component component)
 
     job.StepSign();
 
-    job.StepPush("MyGet", "https://www.myget.org/F/duende_identityserver/api/v2/package", "MYGET");
-
     job.StepPush("GitHub", "https://nuget.pkg.github.com/DuendeSoftware/index.json", "GITHUB_TOKEN")
         .Env(("GITHUB_TOKEN", contexts.Secrets.GitHubToken),
             ("NUGET_AUTH_TOKEN", contexts.Secrets.GitHubToken));
@@ -136,7 +134,7 @@ git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{c
 
     tagJob.StepToolRestore();
 
-    tagJob.StepSign();
+    tagJob.StepSign(true);
 
     tagJob.StepPush("MyGet", "https://www.myget.org/F/duende_identityserver/api/v2/package", "MYGET");
 
@@ -149,8 +147,7 @@ git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{c
     var publishJob = workflow.Job("publish")
         .Name("Publish to nuget.org")
         .RunsOn(GitHubHostedRunners.UbuntuLatest)
-        .Needs("tag")
-        .Environment("nuget.org", "");
+        .Needs("tag");
 
     publishJob.Step()
         .Uses("actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16") // 4.1.8
@@ -193,6 +190,10 @@ public static void StepSetupDotNet(this Job job)
     public static Step IfRefMain(this Step step) 
         => step.If("github.ref == 'refs/heads/main'");
 
+    public static Job RunEitherOnBranchOrAsPR(this Job job)
+        => job.If(
+            "(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) || (github.event_name == 'push')");
+
     public static void StepTestAndReport(this Job job, string componentName, string testProject)
     {
         var path        = $"test/{testProject}";
@@ -207,7 +208,7 @@ public static void StepTestAndReport(this Job job, string componentName, string
         job.Step()
             .Name($"Test report - {testProject}")
             .Uses("dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5") // v1.9.1
-            .If("github.event == 'push' && (success() || failure())")
+            .If("github.event_name == 'push' && (success() || failure())")
             .With(
                 ("name", $"Test Report - {testProject}"),
                 ("path", $"{componentName}/{path}/TestResults/{logFileName}"),
@@ -229,7 +230,7 @@ public static void StepPack(this Job job, string project)
             .Run($"dotnet pack -c Release {path} -o artifacts");
     }
 
-    public static void StepSign(this Job job)
+    public static void StepSign(this Job job, bool always = false)
     {
         var flags = "--file-digest sha256 "                                                +
                     "--timestamp-rfc3161 http://timestamp.digicert.com "                   +
@@ -238,21 +239,24 @@ public static void StepSign(this Job job)
                     "--azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 "    +
                     "--azure-key-vault-client-secret ${{ secrets.SignClientSecret }} "     +
                     "--azure-key-vault-certificate NuGetPackageSigning";
-        job.Step()
-            .Name("Sign packages")
-            .IfGithubEventIsPushOrWorkflowDispatch()
-            .Run($"""
-                 for file in artifacts/*.nupkg; do
-                    dotnet NuGetKeyVaultSignTool sign "$file" {flags}
-                 done
-                 """);
+        var step = job.Step()
+            .Name("Sign packages");
+        if (!always)
+        {
+            step = step.IfGithubEventIsPush();
+        }
+        step.Run($"""
+              for file in artifacts/*.nupkg; do
+                 dotnet NuGetKeyVaultSignTool sign "$file" {flags}
+              done
+              """);
     }
     /// <summary>
     /// Only run this if the build is triggered on a branch IN the same repo
     /// this means it's from a trusted contributor.
     /// </summary>
-    public static Step IfGithubEventIsPushOrWorkflowDispatch(this Step step)
-        => step.If("github.event == 'push' || github.event == 'workflow_dispatch'");
+    public static Step IfGithubEventIsPush(this Step step)
+        => step.If("github.event_name == 'push'");
 
     public static Step StepPush(this Job job, string destination, string sourceUrl, string secretName)
     {

.github/workflows/access-token-management-ci.yml

@@ -45,7 +45,7 @@ jobs:
     - name: Test - AccessTokenManagement.Tests
       run: dotnet test -c Release test/AccessTokenManagement.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
     - name: Test report - AccessTokenManagement.Tests
-      if: github.event == 'push' && (success() || failure())
+      if: github.event_name == 'push' && (success() || failure())
       uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
       with:
         name: Test Report - AccessTokenManagement.Tests
@@ -60,14 +60,11 @@ jobs:
     - name: Pack AccessTokenManagement.OpenIdConnect
       run: dotnet pack -c Release src/AccessTokenManagement.OpenIdConnect -o artifacts
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
+      if: github.event_name == 'push'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
         done
-    - name: Push packages to MyGet
-      if: github.ref == 'refs/heads/main'
-      run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate
     - name: Push packages to GitHub
       if: github.ref == 'refs/heads/main'
       run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate

.github/workflows/access-token-management-release.yml

@@ -48,7 +48,6 @@ jobs:
     - name: Tool restore
       run: dotnet tool restore
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
@@ -75,8 +74,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

.github/workflows/identity-model-ci.yml

@@ -45,7 +45,7 @@ jobs:
     - name: Test - IdentityModel.Tests
       run: dotnet test -c Release test/IdentityModel.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
     - name: Test report - IdentityModel.Tests
-      if: github.event == 'push' && (success() || failure())
+      if: github.event_name == 'push' && (success() || failure())
       uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
       with:
         name: Test Report - IdentityModel.Tests
@@ -58,14 +58,11 @@ jobs:
     - name: Pack IdentityModel
       run: dotnet pack -c Release src/IdentityModel -o artifacts
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
+      if: github.event_name == 'push'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
         done
-    - name: Push packages to MyGet
-      if: github.ref == 'refs/heads/main'
-      run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate
     - name: Push packages to GitHub
       if: github.ref == 'refs/heads/main'
       run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate

.github/workflows/identity-model-oidc-client-ci.yml

@@ -45,7 +45,7 @@ jobs:
     - name: Test - IdentityModel.OidcClient.Tests
       run: dotnet test -c Release test/IdentityModel.OidcClient.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
     - name: Test report - IdentityModel.OidcClient.Tests
-      if: github.event == 'push' && (success() || failure())
+      if: github.event_name == 'push' && (success() || failure())
       uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
       with:
         name: Test Report - IdentityModel.OidcClient.Tests
@@ -60,14 +60,11 @@ jobs:
     - name: Pack IdentityModel.OidcClient.Extensions
       run: dotnet pack -c Release src/IdentityModel.OidcClient.Extensions -o artifacts
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
+      if: github.event_name == 'push'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
         done
-    - name: Push packages to MyGet
-      if: github.ref == 'refs/heads/main'
-      run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate
     - name: Push packages to GitHub
       if: github.ref == 'refs/heads/main'
       run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate

.github/workflows/identity-model-oidc-client-release.yml

@@ -48,7 +48,6 @@ jobs:
     - name: Tool restore
       run: dotnet tool restore
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
@@ -75,8 +74,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

.github/workflows/identity-model-release.yml

@@ -46,7 +46,6 @@ jobs:
     - name: Tool restore
       run: dotnet tool restore
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
@@ -73,8 +72,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

.github/workflows/ignore-this-ci.yml

@@ -45,7 +45,7 @@ jobs:
     - name: Test - IgnoreThis.Tests
       run: dotnet test -c Release test/IgnoreThis.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
     - name: Test report - IgnoreThis.Tests
-      if: github.event == 'push' && (success() || failure())
+      if: github.event_name == 'push' && (success() || failure())
       uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
       with:
         name: Test Report - IgnoreThis.Tests
@@ -58,14 +58,11 @@ jobs:
     - name: Pack IgnoreThis
       run: dotnet pack -c Release src/IgnoreThis -o artifacts
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
+      if: github.event_name == 'push'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
         done
-    - name: Push packages to MyGet
-      if: github.ref == 'refs/heads/main'
-      run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate
     - name: Push packages to GitHub
       if: github.ref == 'refs/heads/main'
       run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate

.github/workflows/ignore-this-release.yml

@@ -46,7 +46,6 @@ jobs:
     - name: Tool restore
       run: dotnet tool restore
     - name: Sign packages
-      if: github.event == 'push' || github.event == 'workflow_dispatch'
       run: |-
         for file in artifacts/*.nupkg; do
            dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
@@ -73,8 +72,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with: