From fd426caa230fd4005511cf4113ae1ea4e055372b Mon Sep 17 00:00:00 2001
From: Dan Siegel
Date: Tue, 31 May 2022 13:30:33 -0700
Subject: [PATCH] pass code sign secrets
---
 .github/workflows/build-packages.yml | 14 +++++++++-
 .github/workflows/deploy.yml | 41 ++++++++++++++++++----------
 2 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index be9c92b..8bd31ea 100644
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@@ -72,9 +72,15 @@ jobs:
 if: ${{ github.event_name != 'pull_request' }}
 with:
 name: Deploy Internal
- secrets:
+ secrets:
 feedUrl: ${{ secrets.IN_HOUSE_NUGET_FEED }}
 apiKey: ${{ secrets.IN_HOUSE_API_KEY }}
+ CodeSignTimestampUrl: ${{ secrets.CodeSignTimestampUrl }}
+ CodeSignKeyVault: ${{ secrets.CodeSignKeyVault }}
+ CodeSignClientId: ${{ secrets.CodeSignClientId }}
+ CodeSignTenantId: ${{ secrets.CodeSignTenantId }}
+ CodeSignClientSecret: ${{ secrets.CodeSignClientSecret }}
+ CodeSignCertificate: ${{ secrets.CodeSignCertificate }}
 deploy-sponsors:
 uses: ./.github/workflows/deploy.yml
@@ -85,3 +91,9 @@ jobs:
 secrets:
 feedUrl: ${{ secrets.SPONSOR_CONNECT_NUGET_FEED }}
 apiKey: ${{ secrets.SPONSOR_CONNECT_TOKEN }}
+ CodeSignTimestampUrl: ${{ secrets.CodeSignTimestampUrl }}
+ CodeSignKeyVault: ${{ secrets.CodeSignKeyVault }}
+ CodeSignClientId: ${{ secrets.CodeSignClientId }}
+ CodeSignTenantId: ${{ secrets.CodeSignTenantId }}
+ CodeSignClientSecret: ${{ secrets.CodeSignClientSecret }}
+ CodeSignCertificate: ${{ secrets.CodeSignCertificate }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b9cecfe..77180ef 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
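Review bot: The Key Vault signing credentials are forwarded to deploy-internal under a deny-list condition, `if: ${{ github.event_name != 'pull_request' }}`, so every other trigger build-packages.yml declares (its `on:` block is outside this hunk) — workflow_dispatch, a push to any feature branch, pull_request_target — also reaches `CodeSignClientSecret` and produces signed packages. If only default-branch pushes are meant to be signed, an allow-list such as `if: ${{ github.event_name == 'push' && github.ref_name == github.event.repository.default_branch }}` expresses that and fails closed when a new trigger is added later. Passing the six secrets by name rather than `secrets: inherit` is the right choice because it keeps the vault credential scoped to the deploy jobs; a comment above the block, `# Key Vault signing identity — pass explicitly, never secrets: inherit`, would record that intent for the next editor. Minor style point: the six new keys are PascalCase while the two existing feed secrets in the same map are SCREAMING_SNAKE_CASE; one convention per map reads better.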
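Review bot: deploy-sponsors now receives the same Key Vault signing secrets as deploy-internal, but its job-level `if:` (around lines 85–87 of build-packages.yml) lies outside this hunk, so it is not visible whether it carries the same `if: ${{ github.event_name != 'pull_request' }}` guard. Without an equivalent guard, a same-repository pull-request build would forward `CodeSignClientSecret` to the reusable workflow and sign package content that has not been merged yet; please confirm the guard is present or add it. The six-line block is now duplicated verbatim in both callers, which GitHub Actions cannot factor out, so a comment on each copy, `# keep in sync with deploy-internal`, would help when one of these secret names is later renamed.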
@@ -10,6 +10,18 @@ on:
 required: true
 apiKey:
 required: true
+ CodeSignTimestampUrl:
+ required: true
+ CodeSignKeyVault:
+ required: true
+ CodeSignClientId:
+ required: true
+ CodeSignTenantId:
+ required: true
+ CodeSignClientSecret:
+ required: true
+ CodeSignCertificate:
+ required: true
 jobs:
 deploy:
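Review bot: Four of the six new `workflow_call` secrets — `CodeSignTimestampUrl`, `CodeSignKeyVault`, `CodeSignClientId`, `CodeSignTenantId` — are configuration (a timestamp-server URL, a vault address, two Azure AD identifiers) rather than credentials, and declaring them as secrets masks them in job logs, which hides which vault and tenant a failed signing run actually used and stops callers from referencing them in `if:` expressions. Declaring those four under `inputs:` with `type: string` and `required: true`, and keeping only `CodeSignClientSecret` (and `CodeSignCertificate`, if the certificate name is considered sensitive) under `secrets:`, keeps the masking where it matters. The `deploy` job whose header closes this hunk, with its body outside the hunk, now holds a long-lived client secret that can sign on the vault; if it is not already bound to a protected `environment:` with required reviewers, that is worth adding so the credential is released only to approved runs, and a federated (OIDC) identity would later remove the stored client secret altogether. Wherever the job body consumes these values in a `run:` step, expose them through `env:` rather than interpolating `${{ secrets.* }}` into the script text, so a value containing a quote cannot change the command.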
@@ -27,26 +39,27 @@ jobs:
 # Known issue https://github.com/novotnyllc/NuGetKeyVaultSignTool/issues/95
 - name: Sign NuGet Packages
+ working-directory: Artifacts/
 run: |
 dotnet tool install --global NuGetKeyVaultSignTool
- NuGetKeyVaultSignTool sign ./Artifacts/*.nupkg `
+ NuGetKeyVaultSignTool sign *.nupkg `
 --file-digest sha256 `
- --timestamp-rfc3161 ${{ secrets.CodeSignTimestampUrl }} `
+ --timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
 --timestamp-digest sha256 `
- --azure-key-vault-url ${{ secrets.CodeSignKeyVault }} `
- --azure-key-vault-client-id ${{ secrets.CodeSignClientId }} `
- --azure-key-vault-tenant-id ${{ secrets.CodeSignTenantId }} `
- --azure-key-vault-client-secret ${{ secrets.CodeSignClientSecret }} `
- --azure-key-vault-certificate ${{ secrets.CodeSignCertificate }}
- NuGetKeyVaultSignTool sign ./Artifacts/*.snupkg `
+ --azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
+ --azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
+ --azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
+ --azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
+ --azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
+ NuGetKeyVaultSignTool sign *.snupkg `
 --file-digest sha256 `
- --timestamp-rfc3161 ${{ secrets.CodeSignTimestampUrl }} `
+ --timestamp-rfc3161 '${{ secrets.CodeSignTimestampUrl }}' `
 --timestamp-digest sha256 `
- --azure-key-vault-url ${{ secrets.CodeSignKeyVault }} `
- --azure-key-vault-client-id ${{ secrets.CodeSignClientId }} `
- --azure-key-vault-tenant-id ${{ secrets.CodeSignTenantId }} `
- --azure-key-vault-client-secret ${{ secrets.CodeSignClientSecret }} `
- --azure-key-vault-certificate ${{ secrets.CodeSignCertificate }}
+ --azure-key-vault-url '${{ secrets.CodeSignKeyVault }}' `
+ --azure-key-vault-client-id '${{ secrets.CodeSignClientId }}' `
+ --azure-key-vault-tenant-id '${{ secrets.CodeSignTenantId }}' `
+ --azure-key-vault-client-secret '${{ secrets.CodeSignClientSecret }}' `
+ --azure-key-vault-certificate '${{ secrets.CodeSignCertificate }}'
 - name: ${{ inputs.name }}
 uses: dansiegel/publish-nuget@v1.01