-
Notifications
You must be signed in to change notification settings - Fork 4
154 lines (134 loc) · 5.05 KB
/
release.yml
File metadata and controls
154 lines (134 loc) · 5.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Release
on:
workflow_dispatch:
inputs:
version:
description: New release/tag name
required: true
type: string
run-name: Release ${{ inputs.version }}
jobs:
build:
name: Build
runs-on: windows-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Pack
run: dotnet build src/EFCore.ClickHouse/EFCore.ClickHouse.csproj --configuration Release /p:Version=${{ inputs.version }}
- name: Upload unsigned package
uses: actions/upload-artifact@v6
with:
name: package-unsigned-${{ inputs.version }}
path: src/EFCore.ClickHouse/bin/Release/ClickHouse.EntityFrameworkCore.*nupkg
sign:
name: Sign NuGet Package
runs-on: windows-latest
needs: [build]
steps:
- name: Create directories
run: |
New-Item ${{ github.workspace }}\run -ItemType directory
New-Item ${{ github.workspace }}\package -ItemType directory
- name: Download unsigned package
uses: actions/download-artifact@v7
with:
name: package-unsigned-${{ inputs.version }}
path: ${{ github.workspace }}/package
- name: Create pkcs11properties.cfg file
run: |
$content = @"
name=signingmanager
library="C:\\Program Files\\DigiCert\\DigiCert Keylocker Tools\\smpkcs11.dll"
slotListIndex=0
"@
Write-Host "Writing pkcs11properties.cfg file"
$content | Out-File -FilePath ${{ github.workspace }}\run\pkcs11properties.cfg -Encoding ASCII
Get-Content ${{ github.workspace }}\run\pkcs11properties.cfg
- name: Create signing certificate
run: |
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\run\Certificate_pkcs12.p12", [System.Convert]::FromBase64String("${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"))
- name: Download Keylocker tools
env:
SM_API_KEY: ${{ secrets.SM_API_KEY }}
run: >
Invoke-WebRequest
https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download
-Headers @{"x-api-key" = $env:SM_API_KEY}
-OutFile Keylockertools-windows-x64.msi
- name: Install Keylocker tools
run: |
Start-Process msiexec.exe -ArgumentList '/i Keylockertools-windows-x64.msi /passive /quiet /norestart' -Wait
- name: Check Keylocker tools
run: |
& "C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe" --version
- name: Sync the certificates
env:
SM_API_KEY: ${{ secrets.SM_API_KEY }}
PKCS11_CONFIG: "${{ github.workspace }}\\run\\pkcs11properties.cfg"
SM_CLIENT_CERT_FILE: "${{ github.workspace }}\\run\\Certificate_pkcs12.p12"
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
SM_HOST: ${{ secrets.SM_HOST }}
SM_TLS_SKIP_VERIFY: false
DIGICERT_KEY_ALIAS: ${{ secrets.DIGICERT_KEY_ALIAS }}
SM_LOG_LEVEL: TRACE
run: >
& "C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe" windows certsync
- name: Sign NuGet packages
env:
SM_API_KEY: ${{ secrets.SM_API_KEY }}
PKCS11_CONFIG: "${{ github.workspace }}\\run\\pkcs11properties.cfg"
SM_CLIENT_CERT_FILE: "${{ github.workspace }}\\run\\Certificate_pkcs12.p12"
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
SM_HOST: ${{ secrets.SM_HOST }}
SM_TLS_SKIP_VERIFY: false
DIGICERT_KEY_ALIAS: ${{ secrets.DIGICERT_KEY_ALIAS }}
SM_LOG_LEVEL: TRACE
run: |
Get-ChildItem -Path "${{ github.workspace }}\package" -Filter "*.nupkg" | ForEach-Object {
Write-Host "Signing $($_.FullName)"
& "C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe" sign `
--fingerprint ${{ secrets.DIGICERT_FINGERPRINT }} `
--input $_.FullName
}
- name: Verify signatures
run: |
dotnet nuget verify --all "${{ github.workspace }}\package\*.nupkg"
- name: Upload signed package
uses: actions/upload-artifact@v6
with:
name: package
path: ${{ github.workspace }}/package/ClickHouse.EntityFrameworkCore.*nupkg
push_nuget_org:
runs-on: windows-latest
needs: [sign]
name: Upload to NuGet.org
steps:
- name: Download Artifact
uses: actions/download-artifact@v7
with:
name: package
- name: Push package
shell: cmd
run: dotnet nuget push ClickHouse.EntityFrameworkCore.*.nupkg --skip-duplicate --api-key ${{ secrets.NUGET_TOKEN }} --source https://api.nuget.org/v3/index.json
github_release:
runs-on: ubuntu-latest
needs: [sign]
name: Create GitHub release
permissions:
contents: write
steps:
- name: Download Artifact
uses: actions/download-artifact@v7
with:
name: package
- name: Create Release
id: create_release
uses: ncipollo/release-action@v1
with:
artifacts: "*.nupkg,*.snupkg"
commit: ${{ github.sha }}
tag: ${{ inputs.version }}
generateReleaseNotes: true
draft: false
prerelease: false