-
Notifications
You must be signed in to change notification settings - Fork 3
306 lines (267 loc) · 10.5 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
name: 'Build and Release'
run-name: 'Build and Release v${{ inputs.release_version }}'
on:
workflow_dispatch:
inputs:
certificate_sign:
description: 'Sign the binaries and packages using a certificate stored in Azure Key Vault?'
required: true
type: boolean
default: false
strong_name_sign:
description: 'Sign the assemblies using a strong name key stored in GitHub Secrets?'
required: true
type: boolean
default: false
create_github_release:
description: 'Create a GitHub Release?'
required: true
type: boolean
default: false
publish_nuget:
description: 'Publish packages to NuGet Gallery?'
required: true
type: boolean
default: false
publish_powershell:
description: 'Publish module to PowerShell Gallery?'
required: true
type: boolean
default: false
release_version:
description: 'Version'
required: true
type: string
default: '1.x'
permissions:
id-token: write
contents: write
env:
DOTNET_NOLOGO: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
jobs:
build:
name: 'Build'
runs-on: windows-latest
timeout-minutes: 10
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Restore Strong Name Key
if: ${{ inputs.strong_name_sign }}
working-directory: Keys
shell: powershell
env:
STRONG_NAME_KEY: ${{ secrets.STRONG_NAME_KEY }}
run: |
if($null -ne $env:STRONG_NAME_KEY)
{
Write-Host 'Creating file Keys/DSInternals.Private.snk...'
[byte[]] $privateKey = [System.Convert]::FromBase64String($env:STRONG_NAME_KEY)
[System.IO.File]::WriteAllBytes('DSInternals.Private.snk', $privateKey)
}
else
{
Write-Warning 'The STRONG_NAME_KEY secret is not available. Skipping SNK file creation.'
}
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
cache: true
cache-dependency-path: 'Src/*/packages.lock.json'
- name: Restore NuGet Packages
working-directory: Src
run: dotnet restore --locked-mode
- name: Build Binaries
working-directory: Src
run: dotnet build --configuration Release --no-restore
- name: Build PowerShell Module
working-directory: Scripts
shell: powershell
run: .\Build-PowerShellModule.ps1 -Configuration Release
- name: Cache DotNet Global Tools
id: cache-dotnet-globaltools
uses: actions/cache@v4
if: ${{ inputs.certificate_sign }}
with:
path: ~/.dotnet/tools
# Heuristics: The current list of required global tools is defined in this workflow file.
key: ${{ runner.os }}-DotNET-GlobalTools-Release-${{ hashFiles('.github/workflows/release.yml') }}
- name: Install Code Signing Tools
if: ${{ inputs.certificate_sign && steps.cache-dotnet-globaltools.outputs.cache-hit != 'true' }}
run: |
dotnet tool install --global --prerelease sign
- name: Azure Login
uses: azure/login@v2
if: ${{ inputs.certificate_sign }}
with:
client-id: ${{ secrets.SIGNING_CLIENT_ID }}
tenant-id: ${{ secrets.SIGNING_TENANT_ID }}
allow-no-subscriptions: true
- name: Sign PowerShell Scripts
shell: cmd
run: >
sign code trusted-signing
DSInternals.Passkeys.ps*1
--base-directory "${{ github.workspace }}/Build/bin/PSModule/Release/DSInternals.Passkeys"
--trusted-signing-endpoint "${{ secrets.SIGNING_ENDPOINT }}"
--trusted-signing-account "${{ secrets.SIGNING_ACCOUNT_NAME }}"
--trusted-signing-certificate-profile "${{ secrets.SIGNING_PROFILE_NAME }}"
--file-digest SHA256
--timestamp-digest SHA256
--timestamp-url "http://timestamp.acs.microsoft.com"
--verbosity Information
- name: Sign DSInternals.Win32.WebAuthn Libraries
shell: cmd
run: >
sign code trusted-signing
release_*/DSInternals.Win32.WebAuthn.dll
--base-directory "${{ github.workspace }}/Build/bin/DSInternals.Win32.WebAuthn"
--trusted-signing-endpoint "${{ secrets.SIGNING_ENDPOINT }}"
--trusted-signing-account "${{ secrets.SIGNING_ACCOUNT_NAME }}"
--trusted-signing-certificate-profile "${{ secrets.SIGNING_PROFILE_NAME }}"
--file-digest SHA256
--timestamp-digest SHA256
--timestamp-url "http://timestamp.acs.microsoft.com"
--verbosity Information
- name: Sign DSInternals.Win32.WebAuthn.Adapter Libraries
shell: cmd
run: >
sign code trusted-signing
release_*/DSInternals.Win32.WebAuthn.Adapter.dll
--base-directory "${{ github.workspace }}/Build/bin/DSInternals.Win32.WebAuthn.Adapter"
--trusted-signing-endpoint "${{ secrets.SIGNING_ENDPOINT }}"
--trusted-signing-account "${{ secrets.SIGNING_ACCOUNT_NAME }}"
--trusted-signing-certificate-profile "${{ secrets.SIGNING_PROFILE_NAME }}"
--file-digest SHA256
--timestamp-digest SHA256
--timestamp-url "http://timestamp.acs.microsoft.com"
--verbosity Information
- name: Sign Fido2UI Binary
shell: cmd
run: >
sign code trusted-signing
Fido2UI.exe
--base-directory "${{ github.workspace }}/Build/bin/Fido2UI/release"
--trusted-signing-endpoint "${{ secrets.SIGNING_ENDPOINT }}"
--trusted-signing-account "${{ secrets.SIGNING_ACCOUNT_NAME }}"
--trusted-signing-certificate-profile "${{ secrets.SIGNING_PROFILE_NAME }}"
--file-digest SHA256
--timestamp-digest SHA256
--timestamp-url "http://timestamp.acs.microsoft.com"
--verbosity Information
- name: Copy Signed Libraries to Module and App Directories
shell: cmd
if: ${{ inputs.certificate_sign }}
working-directory: Build/bin
timeout-minutes: 1
run: |
xcopy "DSInternals.Win32.WebAuthn/release_net48/DSInternals.Win32.WebAuthn.dll" "Fido2UI/release/" /Y /I /F
xcopy "DSInternals.Win32.WebAuthn/release_net48/DSInternals.Win32.WebAuthn.dll" "PSModule/Release/DSInternals.Passkeys/net48/" /Y /I /F
xcopy "DSInternals.Win32.WebAuthn/release_net6.0/DSInternals.Win32.WebAuthn.dll" "PSModule/Release/DSInternals.Passkeys/net6.0/" /Y /I /F
- name: Upload Desktop App as Artifact
uses: actions/upload-artifact@v4
with:
name: Fido2UI
path: Build/bin/Fido2UI/release/*
- name: Upload PowerShell Module as Artifact
uses: actions/upload-artifact@v4
with:
name: PowerShell
path: Build/bin/PSModule/Release
- name: Create NuGet Packages
working-directory: Src
run: dotnet pack --configuration Release --no-build
- name: Sign NuGet Packages
shell: cmd
run: >
sign code trusted-signing
*.*nupkg
--base-directory "${{ github.workspace }}/Build/package/release"
--trusted-signing-endpoint "${{ secrets.SIGNING_ENDPOINT }}"
--trusted-signing-account "${{ secrets.SIGNING_ACCOUNT_NAME }}"
--trusted-signing-certificate-profile "${{ secrets.SIGNING_PROFILE_NAME }}"
--file-digest SHA256
--timestamp-digest SHA256
--timestamp-url "http://timestamp.acs.microsoft.com"
--verbosity Information
- name: Upload NuGet Packages as Artifacts
uses: actions/upload-artifact@v4
with:
name: NuGet
path: Build/package/release/*nupkg
nuget:
name: 'Publish to NuGet Gallery'
if: ${{ inputs.publish_nuget }}
runs-on: ubuntu-latest
needs: build
steps:
- name: Download NuGet Packages
uses: actions/download-artifact@v4
with:
name: NuGet
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: 8.x
- name: Publish NuGet Packages
run: |
dotnet nuget push *.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_GALLERY_APIKEY }} --skip-duplicate
psgallery:
name: 'Publish to PowerShell Gallery'
if: ${{ inputs.publish_powershell }}
runs-on: ubuntu-latest
needs: build
steps:
- name: Download PowerShell Module
uses: actions/download-artifact@v4
with:
name: PowerShell
- name: Publish PowerShell Module
shell: pwsh
run: |
Publish-Module -Path .\DSInternals.Passkeys -NuGetApiKey ${{ secrets.POWERSHELL_GALLERY_APIKEY }} -Repository PSGallery -Force
release:
name: 'Create GitHub Release Draft'
if: ${{ inputs.create_github_release }}
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Download PowerShell Module
uses: actions/download-artifact@v4
with:
name: PowerShell
path: GitHub/Module
- name: Download Desktop App
uses: actions/download-artifact@v4
with:
name: Fido2UI
path: GitHub/Fido2UI
- name: Create Module ZIP for GitHub Release
shell: pwsh
working-directory: GitHub
run: Compress-Archive -Path ./Module/* -DestinationPath ./DSInternals.Passkeys_v${{ inputs.release_version }}.zip -CompressionLevel Optimal -Force
- name: Create Application ZIP for GitHub Release
shell: pwsh
working-directory: GitHub
run: Compress-Archive -Path ./Fido2UI/* -DestinationPath ./FIDO2UI_v${{ inputs.release_version }}.zip -CompressionLevel Optimal -Force
- name: Create GitHub Release
shell: pwsh
working-directory: GitHub
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
@'
## Notable Changes
TODO
## DSInternals.Passkeys PowerShell Module
- The module is available in the [PowerShell Gallery](https://www.powershellgallery.com/packages/DSInternals.Passkeys).
- As an alternative, the attached `DSInternals.Passkeys_v${{ inputs.release_version }}.zip` file can be used for offline module installation.
## FIDO2 UI Desktop Application
- Application binaries are in the attached `FIDO2UI_v${{ inputs.release_version }}.zip` file.
## NuGet Packages
- Packages are [published in the NuGet Gallery](https://www.nuget.org/packages?q=DSInternals.Win32.WebAuthn).
'@ > release-notes.md
gh release create v${{ inputs.release_version }} ./*.zip --draft --latest --title "WebAuthn Interop Assembly ${{ inputs.release_version }}" --notes-file release-notes.md