From 7affc2aae01abcb6c5e116c8595c04065c71c308 Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Mon, 19 Jun 2023 07:37:13 +1000
Subject: [PATCH] Update build scripts
---
 .github/workflows/ci.yml | 5 ++---
 PSToml.build.ps1 | 20 ++++++++++++++------
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d74ebdf..f7a8e2e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,8 +37,7 @@ jobs:
 run: ./build.ps1 -Configuration $env:BUILD_CONFIGURATION -Task Build
 if: ${{ env.BUILD_CONFIGURATION == 'Release' }}
 env:
- PSMODULE_SIGNING_CERT: ${{ secrets.PSMODULE_SIGNING_CERT }}
- PSMODULE_SIGNING_CERT_PASSWORD: ${{ secrets.PSMODULE_SIGNING_CERT_PASSWORD }}
+ AZURE_KEYVAULT_CREDENTIALS: ${{ secrets.AZURE_KEYVAULT_CREDENTIALS }}
 
 - name: Capture PowerShell Module
 uses: actions/upload-artifact@v3
@@ -141,7 +140,7 @@ jobs:
 needs:
 - build
 - test
- runs-on: windows-latest
+ runs-on: ubuntu-latest
 steps:
 - name: Restore Built PowerShell Module
 uses: actions/download-artifact@v3
diff --git a/PSToml.build.ps1 b/PSToml.build.ps1
index 3ac0d17..517a012 100644
--- a/PSToml.build.ps1
+++ b/PSToml.build.ps1
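Review bot: `AZURE_KEYVAULT_CREDENTIALS` in the build step's `env:` block (first hunk of `.github/workflows/ci.yml`) is a single JSON secret, and GitHub's log redaction matches the stored secret value, so the `clientSecret` that the build script pulls out of it is not reliably masked if it ever reaches the job log. Either store the client secret as its own repository secret, or register it before first use in the script with `Write-Host "::add-mask::$($credInfo.clientSecret)"`. If the signing cmdlet's credential chain allows it (not visible from this diff), federated workload identity would remove the long-lived client secret from the repository altogether.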
@@ -84,16 +84,24 @@ task CopyToRelease {
 }
 
 task Sign {
- $certPath = $env:PSMODULE_SIGNING_CERT
- $certPassword = $env:PSMODULE_SIGNING_CERT_PASSWORD
- if (-not $certPath -or -not $certPassword) {
+ if (-not $env:AZURE_KEYVAULT_CREDENTIALS) {
 return
 }
 
- [byte[]]$certBytes = [System.Convert]::FromBase64String($env:PSMODULE_SIGNING_CERT)
- $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes, $certPassword)
+ $credInfo = ConvertFrom-Json -InputObject $env:AZURE_KEYVAULT_CREDENTIALS
+ $vaultName = $credInfo.vaultName
+ $vaultCert = $credInfo.vaultCert
+
+ $env:AZURE_CLIENT_ID = $credInfo.clientId
+ $env:AZURE_CLIENT_SECRET = $credInfo.clientSecret
+ $env:AZURE_TENANT_ID = $credInfo.tenantId
+ $key = Get-OpenAuthenticodeAzKey -Vault $vaultName -Certificate $vaultCert
+ $env:AZURE_CLIENT_ID = ''
+ $env:AZURE_CLIENT_SECRET = ''
+ $env:AZURE_TENANT_ID = ''
+
 $signParams = @{
- Certificate = $cert
+ Key = $key
 TimeStampServer = 'http://timestamp.digicert.com'
 HashAlgorithm = 'SHA256'
 }
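Review bot: The three `$env:AZURE_*` variables are cleared only on the success path: if `Get-OpenAuthenticodeAzKey` throws, the client secret stays in the process environment for anything that still runs in that session, and child processes inherit it. Putting the lookup in `try`/`finally` makes the clean-up unconditional. The assignments also overwrite any values those variables already held rather than restoring them, which is worth a comment if it is intentional. A credential JSON without `vaultName` or `vaultCert` passes `$null` to the cmdlet, so a short check after `ConvertFrom-Json` would give a clearer failure. The body of `task Sign` continues past the end of this hunk.

```powershell
# … unchanged: ConvertFrom-Json and the $vaultName / $vaultCert assignments …
try {
    $env:AZURE_CLIENT_ID = $credInfo.clientId
    $env:AZURE_CLIENT_SECRET = $credInfo.clientSecret
    $env:AZURE_TENANT_ID = $credInfo.tenantId
    $key = Get-OpenAuthenticodeAzKey -Vault $vaultName -Certificate $vaultCert
}
finally {
    # Runs on success and on failure so the secret does not outlive the lookup.
    $env:AZURE_CLIENT_ID = ''
    $env:AZURE_CLIENT_SECRET = ''
    $env:AZURE_TENANT_ID = ''
}
# … unchanged: $signParams …
```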