From d87faa8677b3d05e9f9c07aeba2e8fa182bff183 Mon Sep 17 00:00:00 2001 From: Damian Hickey <57436+damianh@users.noreply.github.com> Date: Tue, 11 Feb 2025 10:15:44 +0100 Subject: [PATCH] Always sign packages in release workflow --- .github/workflow-gen/Program.cs | 38 ++++++++++--------- .../workflows/access-token-management-ci.yml | 7 +--- .../access-token-management-release.yml | 3 -- .github/workflows/identity-model-ci.yml | 7 +--- .../identity-model-oidc-client-ci.yml | 7 +--- .../identity-model-oidc-client-release.yml | 3 -- .github/workflows/identity-model-release.yml | 3 -- .github/workflows/ignore-this-ci.yml | 7 +--- .github/workflows/ignore-this-release.yml | 3 -- 9 files changed, 29 insertions(+), 49 deletions(-) diff --git a/.github/workflow-gen/Program.cs b/.github/workflow-gen/Program.cs index d09f734c..623f44ae 100644 --- a/.github/workflow-gen/Program.cs +++ b/.github/workflow-gen/Program.cs @@ -88,8 +88,6 @@ void GenerateCiWorkflow(Component component) job.StepSign(); - job.StepPush("MyGet", "https://www.myget.org/F/duende_identityserver/api/v2/package", "MYGET"); - job.StepPush("GitHub", "https://nuget.pkg.github.com/DuendeSoftware/index.json", "GITHUB_TOKEN") .Env(("GITHUB_TOKEN", contexts.Secrets.GitHubToken), ("NUGET_AUTH_TOKEN", contexts.Secrets.GitHubToken)); @@ -136,7 +134,7 @@ git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{c tagJob.StepToolRestore(); - tagJob.StepSign(); + tagJob.StepSign(true); tagJob.StepPush("MyGet", "https://www.myget.org/F/duende_identityserver/api/v2/package", "MYGET"); @@ -149,8 +147,7 @@ git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{c var publishJob = workflow.Job("publish") .Name("Publish to nuget.org") .RunsOn(GitHubHostedRunners.UbuntuLatest) - .Needs("tag") - .Environment("nuget.org", ""); + .Needs("tag"); publishJob.Step() .Uses("actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16") // 4.1.8 @@ -193,6 +190,10 @@ public static void StepSetupDotNet(this Job job) public static Step IfRefMain(this Step step) => step.If("github.ref == 'refs/heads/main'"); + public static Job RunEitherOnBranchOrAsPR(this Job job) + => job.If( + "(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) || (github.event_name == 'push')"); + public static void StepTestAndReport(this Job job, string componentName, string testProject) { var path = $"test/{testProject}"; @@ -207,7 +208,7 @@ public static void StepTestAndReport(this Job job, string componentName, string job.Step() .Name($"Test report - {testProject}") .Uses("dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5") // v1.9.1 - .If("github.event == 'push' && (success() || failure())") + .If("github.event_name == 'push' && (success() || failure())") .With( ("name", $"Test Report - {testProject}"), ("path", $"{componentName}/{path}/TestResults/{logFileName}"), @@ -229,7 +230,7 @@ public static void StepPack(this Job job, string project) .Run($"dotnet pack -c Release {path} -o artifacts"); } - public static void StepSign(this Job job) + public static void StepSign(this Job job, bool always = false) { var flags = "--file-digest sha256 " + "--timestamp-rfc3161 http://timestamp.digicert.com " + @@ -238,21 +239,24 @@ public static void StepSign(this Job job) "--azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 " + "--azure-key-vault-client-secret ${{ secrets.SignClientSecret }} " + "--azure-key-vault-certificate NuGetPackageSigning"; - job.Step() - .Name("Sign packages") - .IfGithubEventIsPushOrWorkflowDispatch() - .Run($""" - for file in artifacts/*.nupkg; do - dotnet NuGetKeyVaultSignTool sign "$file" {flags} - done - """); + var step = job.Step() + .Name("Sign packages"); + if (!always) + { + step = step.IfGithubEventIsPush(); + } + step.Run($""" + for file in artifacts/*.nupkg; do + dotnet NuGetKeyVaultSignTool sign "$file" {flags} + done + """); } /// /// Only run this if the build is triggered on a branch IN the same repo /// this means it's from a trusted contributor. /// - public static Step IfGithubEventIsPushOrWorkflowDispatch(this Step step) - => step.If("github.event == 'push' || github.event == 'workflow_dispatch'"); + public static Step IfGithubEventIsPush(this Step step) + => step.If("github.event_name == 'push'"); public static Step StepPush(this Job job, string destination, string sourceUrl, string secretName) { diff --git a/.github/workflows/access-token-management-ci.yml b/.github/workflows/access-token-management-ci.yml index ec6ed9d6..c2692d15 100644 --- a/.github/workflows/access-token-management-ci.yml +++ b/.github/workflows/access-token-management-ci.yml @@ -45,7 +45,7 @@ jobs: - name: Test - AccessTokenManagement.Tests run: dotnet test -c Release test/AccessTokenManagement.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - AccessTokenManagement.Tests - if: github.event == 'push' && (success() || failure()) + if: github.event_name == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - AccessTokenManagement.Tests @@ -60,14 +60,11 @@ jobs: - name: Pack AccessTokenManagement.OpenIdConnect run: dotnet pack -c Release src/AccessTokenManagement.OpenIdConnect -o artifacts - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' + if: github.event_name == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning done - - name: Push packages to MyGet - if: github.ref == 'refs/heads/main' - run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate - name: Push packages to GitHub if: github.ref == 'refs/heads/main' run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate diff --git a/.github/workflows/access-token-management-release.yml b/.github/workflows/access-token-management-release.yml index 708d714c..bc18d285 100644 --- a/.github/workflows/access-token-management-release.yml +++ b/.github/workflows/access-token-management-release.yml @@ -48,7 +48,6 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning @@ -75,8 +74,6 @@ jobs: needs: - tag runs-on: ubuntu-latest - environment: - name: nuget.org steps: - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: diff --git a/.github/workflows/identity-model-ci.yml b/.github/workflows/identity-model-ci.yml index 9dba1b91..bcd201b0 100644 --- a/.github/workflows/identity-model-ci.yml +++ b/.github/workflows/identity-model-ci.yml @@ -45,7 +45,7 @@ jobs: - name: Test - IdentityModel.Tests run: dotnet test -c Release test/IdentityModel.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - IdentityModel.Tests - if: github.event == 'push' && (success() || failure()) + if: github.event_name == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - IdentityModel.Tests @@ -58,14 +58,11 @@ jobs: - name: Pack IdentityModel run: dotnet pack -c Release src/IdentityModel -o artifacts - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' + if: github.event_name == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning done - - name: Push packages to MyGet - if: github.ref == 'refs/heads/main' - run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate - name: Push packages to GitHub if: github.ref == 'refs/heads/main' run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate diff --git a/.github/workflows/identity-model-oidc-client-ci.yml b/.github/workflows/identity-model-oidc-client-ci.yml index 98e5cc07..ede1c051 100644 --- a/.github/workflows/identity-model-oidc-client-ci.yml +++ b/.github/workflows/identity-model-oidc-client-ci.yml @@ -45,7 +45,7 @@ jobs: - name: Test - IdentityModel.OidcClient.Tests run: dotnet test -c Release test/IdentityModel.OidcClient.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - IdentityModel.OidcClient.Tests - if: github.event == 'push' && (success() || failure()) + if: github.event_name == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - IdentityModel.OidcClient.Tests @@ -60,14 +60,11 @@ jobs: - name: Pack IdentityModel.OidcClient.Extensions run: dotnet pack -c Release src/IdentityModel.OidcClient.Extensions -o artifacts - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' + if: github.event_name == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning done - - name: Push packages to MyGet - if: github.ref == 'refs/heads/main' - run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate - name: Push packages to GitHub if: github.ref == 'refs/heads/main' run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate diff --git a/.github/workflows/identity-model-oidc-client-release.yml b/.github/workflows/identity-model-oidc-client-release.yml index a712efa2..0c822a3c 100644 --- a/.github/workflows/identity-model-oidc-client-release.yml +++ b/.github/workflows/identity-model-oidc-client-release.yml @@ -48,7 +48,6 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning @@ -75,8 +74,6 @@ jobs: needs: - tag runs-on: ubuntu-latest - environment: - name: nuget.org steps: - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: diff --git a/.github/workflows/identity-model-release.yml b/.github/workflows/identity-model-release.yml index 24259204..83541893 100644 --- a/.github/workflows/identity-model-release.yml +++ b/.github/workflows/identity-model-release.yml @@ -46,7 +46,6 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning @@ -73,8 +72,6 @@ jobs: needs: - tag runs-on: ubuntu-latest - environment: - name: nuget.org steps: - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: diff --git a/.github/workflows/ignore-this-ci.yml b/.github/workflows/ignore-this-ci.yml index 9610be3b..e7520796 100644 --- a/.github/workflows/ignore-this-ci.yml +++ b/.github/workflows/ignore-this-ci.yml @@ -45,7 +45,7 @@ jobs: - name: Test - IgnoreThis.Tests run: dotnet test -c Release test/IgnoreThis.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage" - name: Test report - IgnoreThis.Tests - if: github.event == 'push' && (success() || failure()) + if: github.event_name == 'push' && (success() || failure()) uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 with: name: Test Report - IgnoreThis.Tests @@ -58,14 +58,11 @@ jobs: - name: Pack IgnoreThis run: dotnet pack -c Release src/IgnoreThis -o artifacts - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' + if: github.event_name == 'push' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning done - - name: Push packages to MyGet - if: github.ref == 'refs/heads/main' - run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate - name: Push packages to GitHub if: github.ref == 'refs/heads/main' run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate diff --git a/.github/workflows/ignore-this-release.yml b/.github/workflows/ignore-this-release.yml index ea442a7f..bc296d5b 100644 --- a/.github/workflows/ignore-this-release.yml +++ b/.github/workflows/ignore-this-release.yml @@ -46,7 +46,6 @@ jobs: - name: Tool restore run: dotnet tool restore - name: Sign packages - if: github.event == 'push' || github.event == 'workflow_dispatch' run: |- for file in artifacts/*.nupkg; do dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning @@ -73,8 +72,6 @@ jobs: needs: - tag runs-on: ubuntu-latest - environment: - name: nuget.org steps: - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: