diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index 8bd31ea..aed8793 100644
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@@ -66,34 +66,63 @@ jobs:
name: NuGet
path: Artifacts/
+ sign-packages:
+ needs: build
+ if: ${{ github.event_name != 'pull_request' }}
+ runs-on: windows-latest
+ steps:
+ - name: Download Artifacts
+ uses: actions/download-artifact@v3
+ with:
+ name: NuGet
+ path: Artifacts/
+
+ # Known issue https://github.com/novotnyllc/NuGetKeyVaultSignTool/issues/95
+ - name: Sign NuGet Packages
+ working-directory: Artifacts/
+ run: |
+ dotnet tool install --global NuGetKeyVaultSignTool
+ NuGetKeyVaultSignTool sign *.nupkg `
+ --file-digest sha256 `
+ --timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
+ --timestamp-digest sha256 `
+ --azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
+ --azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
+ --azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
+ --azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
+ --azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
+ NuGetKeyVaultSignTool sign *.snupkg `
+ --file-digest sha256 `
+ --timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
+ --timestamp-digest sha256 `
+ --azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
+ --azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
+ --azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
+ --azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
+ --azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
+
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: Signed
+ path: Artifacts/
+
deploy-internal:
uses: ./.github/workflows/deploy.yml
- needs: build
+ needs: sign-packages
if: ${{ github.event_name != 'pull_request' }}
with:
name: Deploy Internal
secrets:
feedUrl: ${{ secrets.IN_HOUSE_NUGET_FEED }}
apiKey: ${{ secrets.IN_HOUSE_API_KEY }}
- CodeSignTimestampUrl: ${{ secrets.CodeSignTimestampUrl }}
- CodeSignKeyVault: ${{ secrets.CodeSignKeyVault }}
- CodeSignClientId: ${{ secrets.CodeSignClientId }}
- CodeSignTenantId: ${{ secrets.CodeSignTenantId }}
- CodeSignClientSecret: ${{ secrets.CodeSignClientSecret }}
- CodeSignCertificate: ${{ secrets.CodeSignCertificate }}
deploy-sponsors:
uses: ./.github/workflows/deploy.yml
- needs: build
+ needs: sign-packages
if: ${{ github.event_name != 'pull_request' }}
with:
name: Deploy Sponsor Connect
secrets:
feedUrl: ${{ secrets.SPONSOR_CONNECT_NUGET_FEED }}
apiKey: ${{ secrets.SPONSOR_CONNECT_TOKEN }}
- CodeSignTimestampUrl: ${{ secrets.CodeSignTimestampUrl }}
- CodeSignKeyVault: ${{ secrets.CodeSignKeyVault }}
- CodeSignClientId: ${{ secrets.CodeSignClientId }}
- CodeSignTenantId: ${{ secrets.CodeSignTenantId }}
- CodeSignClientSecret: ${{ secrets.CodeSignClientSecret }}
- CodeSignCertificate: ${{ secrets.CodeSignCertificate }}
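Review bot: The `dotnet tool install --global NuGetKeyVaultSignTool` line in the new `sign-packages` job installs whatever version is current at run time, in the one job that holds the Key Vault client secret. A bad or compromised release of the tool would therefore run with the signing credentials. Pin it, e.g. `dotnet tool install --global NuGetKeyVaultSignTool --version <PINNED_VERSION>`, and bump the pin deliberately. The same step expands `${{ secrets.* }}` directly into the PowerShell script text in both `sign` invocations. Mapping the values through a step-level `env:` block and passing `$env:NAME` instead would prevent a value containing a quote from changing the command line, and would keep the secrets out of the rendered script file.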
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 77180ef..6be62a2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,18 +10,6 @@ on:
required: true
apiKey:
required: true
- CodeSignTimestampUrl:
- required: true
- CodeSignKeyVault:
- required: true
- CodeSignClientId:
- required: true
- CodeSignTenantId:
- required: true
- CodeSignClientSecret:
- required: true
- CodeSignCertificate:
- required: true
jobs:
deploy:
@@ -34,33 +22,9 @@ jobs:
- name: Download Artifacts
uses: actions/download-artifact@v3
with:
- name: NuGet
+ name: Signed
path: Artifacts/
- # Known issue https://github.com/novotnyllc/NuGetKeyVaultSignTool/issues/95
- - name: Sign NuGet Packages
- working-directory: Artifacts/
- run: |
- dotnet tool install --global NuGetKeyVaultSignTool
- NuGetKeyVaultSignTool sign *.nupkg `
- --file-digest sha256 `
- --timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
- --timestamp-digest sha256 `
- --azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
- --azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
- --azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
- --azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
- --azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
- NuGetKeyVaultSignTool sign *.snupkg `
- --file-digest sha256 `
- --timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
- --timestamp-digest sha256 `
- --azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
- --azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
- --azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
- --azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
- --azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
-
- name: ${{ inputs.name }}
uses: dansiegel/publish-nuget@v1.01
with:
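Review bot: The deploy job now publishes whatever the `Signed` artifact contains without checking that the packages carry a signature, and signing happens in a separate job. A verification step before the publish step, such as `dotnet nuget verify --all Artifacts/*.nupkg`, would stop an unsigned or partially signed set from reaching the feed. Whether the same command covers the `.snupkg` files should be confirmed. The steps list continues past the end of this hunk.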
diff --git a/Directory.Build.props b/Directory.Build.props
index c370639..62a3292 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -25,6 +25,7 @@
true
false
+ $(CI)