Merge pull request #54 from dansiegel/deterministic
Deterministic Build
dansiegel authored May 31, 2022
2 parents 5ea48e3 + 14ef956 commit e99a821
Showing 3 changed files with 45 additions and 51 deletions.
57 changes: 43 additions & 14 deletions .github/workflows/build-packages.yml
Expand Up @@ -66,34 +66,63 @@ jobs:
name: NuGet
path: Artifacts/

sign-packages:
needs: build
if: ${{ github.event_name != 'pull_request' }}
runs-on: windows-latest
steps:
- name: Download Artifacts
uses: actions/download-artifact@v3
with:
name: NuGet
path: Artifacts/

# Known issue https://github.com/novotnyllc/NuGetKeyVaultSignTool/issues/95
- name: Sign NuGet Packages
working-directory: Artifacts/
run: |
dotnet tool install --global NuGetKeyVaultSignTool
NuGetKeyVaultSignTool sign *.nupkg `
--file-digest sha256 `
--timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
--timestamp-digest sha256 `
--azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
--azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
--azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
--azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
--azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
NuGetKeyVaultSignTool sign *.snupkg `
--file-digest sha256 `
--timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
--timestamp-digest sha256 `
--azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
--azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
--azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
--azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
--azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: Signed
path: Artifacts/

deploy-internal:
uses: ./.github/workflows/deploy.yml
needs: build
needs: sign-packages
if: ${{ github.event_name != 'pull_request' }}
with:
name: Deploy Internal
secrets:
feedUrl: ${{ secrets.IN_HOUSE_NUGET_FEED }}
apiKey: ${{ secrets.IN_HOUSE_API_KEY }}
CodeSignTimestampUrl: ${{ secrets.CodeSignTimestampUrl }}
CodeSignKeyVault: ${{ secrets.CodeSignKeyVault }}
CodeSignClientId: ${{ secrets.CodeSignClientId }}
CodeSignTenantId: ${{ secrets.CodeSignTenantId }}
CodeSignClientSecret: ${{ secrets.CodeSignClientSecret }}
CodeSignCertificate: ${{ secrets.CodeSignCertificate }}

deploy-sponsors:
uses: ./.github/workflows/deploy.yml
needs: build
needs: sign-packages
if: ${{ github.event_name != 'pull_request' }}
with:
name: Deploy Sponsor Connect
secrets:
feedUrl: ${{ secrets.SPONSOR_CONNECT_NUGET_FEED }}
apiKey: ${{ secrets.SPONSOR_CONNECT_TOKEN }}
CodeSignTimestampUrl: ${{ secrets.CodeSignTimestampUrl }}
CodeSignKeyVault: ${{ secrets.CodeSignKeyVault }}
CodeSignClientId: ${{ secrets.CodeSignClientId }}
CodeSignTenantId: ${{ secrets.CodeSignTenantId }}
CodeSignClientSecret: ${{ secrets.CodeSignClientSecret }}
CodeSignCertificate: ${{ secrets.CodeSignCertificate }}
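Review bot: The `Sign NuGet Packages` step of the new `sign-packages` job installs `NuGetKeyVaultSignTool` without a version, so whatever release is newest at run time receives the Key Vault client secret; pin it, e.g. `dotnet tool install --global NuGetKeyVaultSignTool --version <PINNED_VERSION>` (placeholder for the release you have vetted). The secrets are also expanded by `${{ secrets.* }}` directly into the script text, so a value containing `'` would break the quoting; mapping each one through the step's `env:` block and passing `$env:CODE_SIGN_CLIENT_SECRET` (a name of your choosing) keeps them out of the generated script. As far as I know the default pwsh wrapper only propagates the last native exit code, so a failed `sign *.nupkg` followed by a successful `sign *.snupkg` would still upload the packages under the `Signed` artifact name. Adding `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after the first call makes the step fail closed.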
38 changes: 1 addition & 37 deletions .github/workflows/deploy.yml
Expand Up @@ -10,18 +10,6 @@ on:
required: true
apiKey:
required: true
CodeSignTimestampUrl:
required: true
CodeSignKeyVault:
required: true
CodeSignClientId:
required: true
CodeSignTenantId:
required: true
CodeSignClientSecret:
required: true
CodeSignCertificate:
required: true

jobs:
deploy:
Expand All @@ -34,33 +22,9 @@ jobs:
- name: Download Artifacts
uses: actions/download-artifact@v3
with:
name: NuGet
name: Signed
path: Artifacts/

# Known issue https://github.com/novotnyllc/NuGetKeyVaultSignTool/issues/95
- name: Sign NuGet Packages
working-directory: Artifacts/
run: |
dotnet tool install --global NuGetKeyVaultSignTool
NuGetKeyVaultSignTool sign *.nupkg `
--file-digest sha256 `
--timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
--timestamp-digest sha256 `
--azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
--azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
--azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
--azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
--azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
NuGetKeyVaultSignTool sign *.snupkg `
--file-digest sha256 `
--timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
--timestamp-digest sha256 `
--azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
--azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
--azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
--azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
--azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
- name: ${{ inputs.name }}
uses: dansiegel/publish-nuget@v1.01
with:
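Review bot: The deploy job now publishes whatever the `Signed` artifact contains without confirming that the packages actually carry a signature, so the artifact name is the only thing tying the publish step to the signing job. A verification step between `Download Artifacts` and the publish step, for example `run: dotnet nuget verify Artifacts/*.nupkg --all`, would stop an unsigned or altered package from reaching the feed. The job header and the rest of the publish step lie outside this hunk, so the runner and remaining inputs should be checked before adding it.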
1 change: 1 addition & 0 deletions Directory.Build.props
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
<!-- HACK: WinUI seems to have issues without this -->
<GenerateLibraryLayout>true</GenerateLibraryLayout>
<DisableEmbeddedXbf>false</DisableEmbeddedXbf>
<ContinuousIntegrationBuild>$(CI)</ContinuousIntegrationBuild>
</PropertyGroup>

<PropertyGroup>
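Review bot: The new `ContinuousIntegrationBuild` line copies the `CI` environment variable verbatim, so the deterministic-build settings switch on only where that variable is exactly `true`, and any other value a runner sets flows into the property unchecked. An explicit form such as `<ContinuousIntegrationBuild Condition="'$(CI)' == 'true'">true</ContinuousIntegrationBuild>` keeps the property boolean. A short comment should say that release packages are expected to be built with it enabled, so that published binaries can be reproduced and compared. The enclosing `PropertyGroup` starts outside the hunk.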