From fc700f750ef45fc282ac500ba552a7b70b22c0d6 Mon Sep 17 00:00:00 2001
From: Damian Hickey <57436+damianh@users.noreply.github.com>
Date: Wed, 23 Oct 2024 17:18:49 +0200
Subject: [PATCH] Add github actions workflows
---
 .config/dotnet-tools.json | 12 ++
 .../SectigoPublicCodeSigningRootCrossAAA.crt | 33 ++++++
 .github/workflows/ci.yml | 91 ++++++++++++++
 .github/workflows/codeql.yml | 35 ++++++
 .github/workflows/release.yml | 111 ++++++++++++++++++
 .gitignore | 3 +
 6 files changed, 285 insertions(+)
 create mode 100644 .config/dotnet-tools.json
 create mode 100644 .github/workflows/SectigoPublicCodeSigningRootCrossAAA.crt
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/release.yml
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
new file mode 100644
index 0000000..1ea2594
--- /dev/null
+++ b/.config/dotnet-tools.json
@@ -0,0 +1,12 @@
+{
+ "version": 1,
+ "isRoot": true,
+ "tools": {
+ "NuGetKeyVaultSignTool": {
+ "version": "3.2.3",
+ "commands": [
+ "NuGetKeyVaultSignTool"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/.github/workflows/SectigoPublicCodeSigningRootCrossAAA.crt b/.github/workflows/SectigoPublicCodeSigningRootCrossAAA.crt
new file mode 100644
index 0000000..c2f2350
--- /dev/null
+++ b/.github/workflows/SectigoPublicCodeSigningRootCrossAAA.crt
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFbzCCBFegAwIBAgIQSPyTtGBVlI02p8mKidaUFjANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTIxMDUyNTAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowVjELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGlt +aXRlZDEtMCsGA1UEAxMkU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIFJvb3Qg +UjQ2MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjeeUEiIEJHQu/xYj +ApKKtq42haxH1CORKz7cfeIxoFFvrISR41KKteKW3tCHYySJiv/vEpM7fbu2ir29 +BX8nm2tl06UMabG8STma8W1uquSggyfamg0rUOlLW7O4ZDakfko9qXGrYbNzszwL +DO/bM1flvjQ345cbXf0fEj2CA3bm+z9m0pQxafptszSswXp43JJQ8mTHqi0Eq8Nq +6uAvp6fcbtfo/9ohq0C/ue4NnsbZnpnvxt4fqQx2sycgoda6/YDnAdLv64IplXCN +/7sVz/7RDzaiLk8ykHRGa0c1E3cFM09jLrgt4b9lpwRrGNhx+swI8m2JmRCxrds+ +LOSqGLDGBwF1Z95t6WNjHjZ/aYm+qkU+blpfj6Fby50whjDoA7NAxg0POM1nqFOI ++rgwZfpvx+cdsYN0aT6sxGg7seZnM5q2COCABUhA7vaCZEao9XOwBpXybGWfv1Vb +HJxXGsd4RnxwqpQbghesh+m2yQ6BHEDWFhcp/FycGCvqRfXvvdVnTyheBe6QTHrn +xvTQ/PrNPjJGEyA2igTqt6oHRpwNkzoJZplYXCmjuQymMDg80EY2NXycuu7D1fkK +dvp+BRtAypI16dV60bV/AK6pkKrFfwGcELEW/MxuGNxvYv6mUKe4e7idFT/+IAx1 +yCJaE5UZkADpGtXChvHjjuxf9OUCAwEAAaOCARIwggEOMB8GA1UdIwQYMBaAFKAR +CiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQy65Ka/zWWSC8oQEJwIDaRXBeF +5jAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zATBgNVHSUEDDAKBggr +BgEFBQcDAzAbBgNVHSAEFDASMAYGBFUdIAAwCAYGZ4EMAQQBMEMGA1UdHwQ8MDow +OKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0FBQUNlcnRpZmljYXRlU2Vy +dmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29j +c3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUAA4IBAQASv6Hvi3SamES4aUa1 +qyQKDKSKZ7g6gb9Fin1SB6iNH04hhTmja14tIIa/ELiueTtTzbT72ES+BtlcY2fU +QBaHRIZyKtYyFfUSg8L54V0RQGf2QidyxSPiAjgaTCDi2wH3zUZPJqJ8ZsBRNraJ +AlTH/Fj7bADu/pimLpWhDFMpH2/YGaZPnvesCepdgsaLr4CnvYFIUoQx2jLsFeSm +TD1sOXPUC4U5IOCFGmjhp0g4qdE2JXfBjRkWxYhMZn0vY86Y6GnfrDyoXZ3JHFuu +2PMvdM+4fvbXg50RlmKarkUT2n/cR/vfw1Kf5gZV6Z2M8jpiUbzsJA8p1FiAhORF +e1rY +-----END CERTIFICATE----- + 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..5eff3cf
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,91 @@
+name: ci
+
+permissions:
+ contents: read
+ checks: write
+ packages: write
+
+on:
+ workflow_dispatch:
+ push:
+ pull_request:
+
+env:
+ DOTNET_NOLOGO: true
+ DOTNET_CLI_TELEMETRY_OPTOUT: true
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: |
+ 8.0.x
+ 9.0.x
+
+ - name: Build
+ run: dotnet build -c Release AspNetCore.sln
+
+ - name: Test
+ run: dotnet test -c Release test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx"
+
+ - name: Test report
+ id: test-report
+ uses: dorny/test-reporter@v1
+ if: success() || failure() # run this step even if previous step failed
+ with:
+ name: Test results
+ path: test/AspNetCore.Authentication.JwtBearer.Tests/TestResults/Tests.trx
+ reporter: dotnet-trx
+ fail-on-error: true
+ fail-on-empty: true
+
+ - name: Pack
+ run: dotnet pack -c Release src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj --no-build -o artifacts
+
+ - name: Sign
+ if: (github.ref == 'refs/heads/main')
+ run: |
+ echo "Install Sectigo CodeSiging CA certificates"
+ sudo apt-get update
+ sudo apt-get install -y ca-certificates
+ sudo cp build/SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
+ sudo update-ca-certificates
+ echo "Restore tools"
+ dotnet tool restore
+ echo "Sign"
+ for file in artifacts/*.nupkg; do
+ dotnet NuGetKeyVaultSignTool sign "$file" \
+ --file-digest sha256 \
+ --timestamp-rfc3161 http://timestamp.digicert.com \
+ --azure-key-vault-url https://duendecodesigning.vault.azure.net/ \
+ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 \
+ --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 \
+ --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} \
+ --azure-key-vault-certificate 
CodeSigning
+ done
+
+ - name: Push packages
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ if: (github.ref == 'refs/heads/main')
+ run: |
+ dotnet nuget push artifacts\*.nupkg -s https://www.myget.org/F/duende_identityserver/api/v2/package -k ${{ secrets.MYGET }} --skip-duplicate
+ dotnet nuget push artifacts\*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ if: (github.ref == 'refs/heads/main')
+ with:
+ path: artifacts/*.nupkg
+ compression-level: 0
+ overwrite: true
+ retention-days: 15
\ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..8f7d362
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,35 @@
+name: codeql
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ schedule:
+ - cron: '38 15 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: csharp
+
+ - name: Auto build
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:csharp"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..09e1c7e
--- /dev/null
+++ b/.github/workflows/release.yml
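Review bot: The Sign step copies `build/SectigoPublicCodeSigningRootCrossAAA.crt`, but this patch adds the certificate under `.github/workflows/`, so `sudo cp` fails and, under the default `bash -e` shell, aborts signing on every main push; the Sign step in release.yml uses the same path. Either move the file or change the line to `sudo cp .github/workflows/SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/`. In the Push packages step, `artifacts\*.nupkg` is a bash escape for a literal `*`, so the argument handed to `dotnet nuget push` is `artifacts*.nupkg` rather than the packed files; use `artifacts/*.nupkg` as the Upload artifacts step already does. Secrets are spliced into the script as command-line arguments (`--azure-key-vault-client-secret ${{ secrets.SignClientSecret }}`, `-k ${{ secrets.MYGET }}`, `--api-key ${{ secrets.GITHUB_TOKEN }}`), which exposes them on the process command line to anything else running on the runner; export them through `env:` and reference the variable in the script instead. The third-party `dorny/test-reporter@v1`, which runs with `checks: write`, is referenced by a floating tag; pinning it (and the other actions) to a full commit SHA with the version in a trailing comment prevents a moved tag from changing what executes.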
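Review bot: The analyze job relies on `github/codeql-action/autobuild@v3` with no `actions/setup-dotnet` step, whereas ci.yml installs the 8.0.x and 9.0.x SDKs before building; if the solution needs an SDK the runner image does not ship, autobuild will presumably fail and the scan produces no results. Add the same setup-dotnet step as ci.yml before Initialize CodeQL so both workflows build the same way. The actions are referenced by major-version tags (`@v4`, `@v3`); pinning to full commit SHAs with the version in a trailing comment prevents a moved tag from changing what runs with `security-events: write`.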
@@ -0,0 +1,111 @@
+name: release
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ type: string
+ description: "Version in format X.Y.Z or X.Y.Z-preview.N"
+ required: true
+ default: '0.0.0'
+
+env:
+ DOTNET_NOLOGO: true
+ DOTNET_CLI_TELEMETRY_OPTOUT: true
+
+jobs:
+ tag:
+ name: Tag and Pack
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ packages: write
+ defaults:
+ run:
+ shell: pwsh
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: |
+ 8.0.x
+ 9.0.x
+
+ - name: Tag
+ run: |
+ git config --global user.email "github-bot@duendesoftware.com"
+ git config --global user.name "Duende Software GitHub Bot"
+ git tag -a it-${{ github.event.inputs.version }} -m "Release v${{ github.event.inputs.version }}"
+ git push origin it-${{ github.event.inputs.version }}
+
+ - name: Pack
+ run: dotnet pack -c Release src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj --no-build -o artifacts
+
+
+ - name: Sign
+ if: (github.ref == 'refs/heads/main')
+ run: |
+ echo "Install Sectigo CodeSiging CA certificates"
+ sudo apt-get update
+ sudo apt-get install -y ca-certificates
+ sudo cp build/SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
+ sudo update-ca-certificates
+ echo "Restore tools"
+ dotnet tool restore
+ echo "Sign"
+ for file in artifacts/*.nupkg; do
+ dotnet NuGetKeyVaultSignTool sign "$file" \
+ --file-digest sha256 \
+ --timestamp-rfc3161 http://timestamp.digicert.com \
+ --azure-key-vault-url https://duendecodesigning.vault.azure.net/ \
+ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 \
+ --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 \
+ --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} \
+ --azure-key-vault-certificate CodeSigning
+ done
+
+ - name: Push packages to MyGet
+ run: dotnet nuget push artifacts\*.nupkg -s 
https://www.myget.org/F/duende_identityserver/api/v2/package -k ${{ secrets.MYGET }} --skip-duplicate
+
+ - name: Push NuGet package to GitHub Packages
+ run: dotnet nuget push artifacts\*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ if: (github.ref == 'refs/heads/main')
+ with:
+ path: artifacts/*.nupkg
+ compression-level: 0
+ overwrite: true
+ retention-days: 15
+
+ publish:
+ name: Publish to NuGet
+ runs-on: ubuntu-latest
+ environment: nuget.org
+ needs: tag
+
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: ignore-this-artifacts
+ path: artifacts
+
+ - uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: |
+ 8.0.x
+
+ - name: List files
+ shell: bash
+ run: tree
+
+ - name: Push to nuget.org
+ run: dotnet nuget push artifacts/*.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_ORG_API_KEY }} --skip-duplicate
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 072ea96..58bbcca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -215,3 +215,6 @@ tempkey.jwk
 keys
 *.key
 test/Configuration.IntegrationTests/CoverageReports
+
+# Build artifacts
+artifacts/*
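Review bot: The Sign step's `run:` body is bash (`for file in artifacts/*.nupkg; do … done`, `\` line continuations), but the `tag` job sets `defaults.run.shell: pwsh`, so pwsh cannot parse it; add `shell: bash` to that step as the List files step in the publish job does. Pack runs `dotnet pack … --no-build` with no build step before it in this job (ci.yml builds `AspNetCore.sln` first), so there is nothing freshly built to pack. Sign and Upload artifacts are gated on `github.ref == 'refs/heads/main'` while both push steps are unconditional, so a dispatch from any other branch publishes unsigned packages to MyGet and GitHub Packages; gate the pushes the same way or remove the gate. The Upload artifacts step sets no `name:`, so the publish job's `download-artifact` for `ignore-this-artifacts` has nothing to fetch; give the upload `name: ignore-this-artifacts` or make the download match. `github.event.inputs.version` is interpolated straight into the Tag script; export it as `VERSION: ${{ github.event.inputs.version }}` under `env:` and use `$env:VERSION` in the pwsh body so the free-text input is not expanded as shell code.
```yaml
      - name: Build
        run: dotnet build -c Release AspNetCore.sln

      - name: Pack
        run: dotnet pack -c Release src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj --no-build -o artifacts

      - name: Sign
        if: (github.ref == 'refs/heads/main')
        shell: bash
        # … unchanged: run block (certificate install, tool restore, signing loop) …

      - name: Push packages to MyGet
        if: (github.ref == 'refs/heads/main')
        # … unchanged: run …

      - name: Push NuGet package to GitHub Packages
        if: (github.ref == 'refs/heads/main')
        # … unchanged: run and env …

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        if: (github.ref == 'refs/heads/main')
        with:
          name: ignore-this-artifacts
          # … unchanged: path, compression-level, overwrite, retention-days …
```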