Add github actions workflows

.config/dotnet-tools.json

@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "NuGetKeyVaultSignTool": {
+      "version": "3.2.3",
+      "commands": [
+        "NuGetKeyVaultSignTool"
+      ]
+    }
+  }
+}

.github/workflows/SectigoPublicCodeSigningRootCrossAAA.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFbzCCBFegAwIBAgIQSPyTtGBVlI02p8mKidaUFjANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTIxMDUyNTAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowVjELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGlt
+aXRlZDEtMCsGA1UEAxMkU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIFJvb3Qg
+UjQ2MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjeeUEiIEJHQu/xYj
+ApKKtq42haxH1CORKz7cfeIxoFFvrISR41KKteKW3tCHYySJiv/vEpM7fbu2ir29
+BX8nm2tl06UMabG8STma8W1uquSggyfamg0rUOlLW7O4ZDakfko9qXGrYbNzszwL
+DO/bM1flvjQ345cbXf0fEj2CA3bm+z9m0pQxafptszSswXp43JJQ8mTHqi0Eq8Nq
+6uAvp6fcbtfo/9ohq0C/ue4NnsbZnpnvxt4fqQx2sycgoda6/YDnAdLv64IplXCN
+/7sVz/7RDzaiLk8ykHRGa0c1E3cFM09jLrgt4b9lpwRrGNhx+swI8m2JmRCxrds+
+LOSqGLDGBwF1Z95t6WNjHjZ/aYm+qkU+blpfj6Fby50whjDoA7NAxg0POM1nqFOI
++rgwZfpvx+cdsYN0aT6sxGg7seZnM5q2COCABUhA7vaCZEao9XOwBpXybGWfv1Vb
+HJxXGsd4RnxwqpQbghesh+m2yQ6BHEDWFhcp/FycGCvqRfXvvdVnTyheBe6QTHrn
+xvTQ/PrNPjJGEyA2igTqt6oHRpwNkzoJZplYXCmjuQymMDg80EY2NXycuu7D1fkK
+dvp+BRtAypI16dV60bV/AK6pkKrFfwGcELEW/MxuGNxvYv6mUKe4e7idFT/+IAx1
+yCJaE5UZkADpGtXChvHjjuxf9OUCAwEAAaOCARIwggEOMB8GA1UdIwQYMBaAFKAR
+CiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQy65Ka/zWWSC8oQEJwIDaRXBeF
+5jAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zATBgNVHSUEDDAKBggr
+BgEFBQcDAzAbBgNVHSAEFDASMAYGBFUdIAAwCAYGZ4EMAQQBMEMGA1UdHwQ8MDow
+OKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0FBQUNlcnRpZmljYXRlU2Vy
+dmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29j
+c3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUAA4IBAQASv6Hvi3SamES4aUa1
+qyQKDKSKZ7g6gb9Fin1SB6iNH04hhTmja14tIIa/ELiueTtTzbT72ES+BtlcY2fU
+QBaHRIZyKtYyFfUSg8L54V0RQGf2QidyxSPiAjgaTCDi2wH3zUZPJqJ8ZsBRNraJ
+AlTH/Fj7bADu/pimLpWhDFMpH2/YGaZPnvesCepdgsaLr4CnvYFIUoQx2jLsFeSm
+TD1sOXPUC4U5IOCFGmjhp0g4qdE2JXfBjRkWxYhMZn0vY86Y6GnfrDyoXZ3JHFuu
+2PMvdM+4fvbXg50RlmKarkUT2n/cR/vfw1Kf5gZV6Z2M8jpiUbzsJA8p1FiAhORF
+e1rY
+-----END CERTIFICATE-----
+

.github/workflows/ci.yml

@@ -0,0 +1,91 @@
+name: ci
+
+permissions:
+  contents: read
+  checks: write
+  packages: write
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request:
+
+env:
+  DOTNET_NOLOGO: true
+  DOTNET_CLI_TELEMETRY_OPTOUT: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.x
+          9.0.x
+
+    - name: Build
+      run: dotnet build -c Release AspNetCore.sln
+
+    - name: Test
+      run: dotnet test -c Release test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx"
+
+    - name: Test report
+      id: test-report
+      uses: dorny/test-reporter@v1
+      if: success() || failure()    # run this step even if previous step failed
+      with:
+        name: Test results
+        path: test/AspNetCore.Authentication.JwtBearer.Tests/TestResults/Tests.trx
+        reporter: dotnet-trx
+        fail-on-error: true
+        fail-on-empty: true
+
+    - name: Pack
+      run: dotnet pack -c Release src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj --no-build -o artifacts
+
+    - name: Sign
+      if: (github.ref == 'refs/heads/main')
+      run: |
+        echo "Install Sectigo CodeSiging CA certificates"
+        sudo apt-get update
+        sudo apt-get install -y ca-certificates
+        sudo cp build/SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
+        sudo update-ca-certificates
+        echo "Restore tools"
+        dotnet tool restore
+        echo "Sign"
+        for file in artifacts/*.nupkg; do
+            dotnet NuGetKeyVaultSignTool sign "$file" \
+                --file-digest sha256 \
+                --timestamp-rfc3161 http://timestamp.digicert.com \
+                --azure-key-vault-url https://duendecodesigning.vault.azure.net/ \
+                --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 \
+                --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 \
+                --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} \
+                --azure-key-vault-certificate CodeSigning
+        done
+
+    - name: Push packages
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      if: (github.ref == 'refs/heads/main')
+      run: | 
+        dotnet nuget push artifacts\*.nupkg -s https://www.myget.org/F/duende_identityserver/api/v2/package -k ${{ secrets.MYGET }} --skip-duplicate
+        dotnet nuget push artifacts\*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v4
+      if: (github.ref == 'refs/heads/main')
+      with:
+        path: artifacts/*.nupkg
+        compression-level: 0
+        overwrite: true
+        retention-days: 15

.github/workflows/codeql.yml

@@ -0,0 +1,35 @@
+name: codeql
+
+on:
+  push:
+    branches: 
+    - main
+  pull_request:
+  schedule:
+    - cron: '38 15 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses:  github/codeql-action/init@v3
+      with:
+        languages: csharp
+
+    - name: Auto build
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:csharp"

.github/workflows/release.yml

@@ -0,0 +1,111 @@
+name: release
+
+on:
+  workflow_dispatch:
+   inputs:
+      version:
+        type: string
+        description: "Version in format X.Y.Z or X.Y.Z-preview.N"
+        required: true
+        default: '0.0.0'
+
+env:
+  DOTNET_NOLOGO: true
+  DOTNET_CLI_TELEMETRY_OPTOUT: true
+
+jobs:
+  tag:
+    name: Tag and Pack
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    defaults:
+      run:
+        shell: pwsh
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.x
+          9.0.x
+
+    - name: Tag
+      run: |
+        git config --global user.email "[email protected]"
+        git config --global user.name "Duende Software GitHub Bot"
+        git tag -a it-${{ github.event.inputs.version }} -m "Release v${{ github.event.inputs.version }}"
+        git push origin it-${{ github.event.inputs.version }}
+
+    - name: Pack
+      run: dotnet pack -c Release src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj --no-build -o artifacts
+
+
+    - name: Sign
+      if: (github.ref == 'refs/heads/main')
+      run: |
+        echo "Install Sectigo CodeSiging CA certificates"
+        sudo apt-get update
+        sudo apt-get install -y ca-certificates
+        sudo cp build/SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
+        sudo update-ca-certificates
+        echo "Restore tools"
+        dotnet tool restore
+        echo "Sign"
+        for file in artifacts/*.nupkg; do
+            dotnet NuGetKeyVaultSignTool sign "$file" \
+                --file-digest sha256 \
+                --timestamp-rfc3161 http://timestamp.digicert.com \
+                --azure-key-vault-url https://duendecodesigning.vault.azure.net/ \
+                --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 \
+                --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 \
+                --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} \
+                --azure-key-vault-certificate CodeSigning
+        done
+
+    - name: Push packages to MyGet
+      run: dotnet nuget push artifacts\*.nupkg -s https://www.myget.org/F/duende_identityserver/api/v2/package -k ${{ secrets.MYGET }} --skip-duplicate
+
+    - name: Push NuGet package to GitHub Packages
+      run: dotnet nuget push artifacts\*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v4
+      if: (github.ref == 'refs/heads/main')
+      with:
+        path: artifacts/*.nupkg
+        compression-level: 0
+        overwrite: true
+        retention-days: 15
+
+  publish:
+    name: Publish to NuGet
+    runs-on: ubuntu-latest
+    environment: nuget.org
+    needs: tag
+
+    steps:
+    - uses: actions/download-artifact@v4
+      with:
+        name: ignore-this-artifacts
+        path: artifacts
+
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.x
+    
+    - name: List files
+      shell: bash
+      run: tree
+
+    - name: Push to nuget.org
+      run: dotnet nuget push artifacts/*.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_ORG_API_KEY }} --skip-duplicate

.gitignore

@@ -215,3 +215,6 @@ tempkey.jwk
 keys
 *.key
 test/Configuration.IntegrationTests/CoverageReports
+
+# Build artifacts
+artifacts/*