Skip to content

Publish Attested

Publish Attested #2

name: Publish Attested
on:
workflow_dispatch:
inputs:
version:
description: Release version without the leading "v"
required: false
type: string
workflow_call:
inputs:
version:
description: Release version without the leading "v"
required: false
type: string
secrets:
NUGET_SIGN_CERTIFICATE_BASE64:
required: false
NUGET_SIGN_CERTIFICATE_PASSWORD:
required: false
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT:
required: false
NUGET_SIGN_TIMESTAMP_URL:
required: false
NUGET_SIGN_SKIP_VERIFICATION:
required: false
permissions:
contents: write
id-token: write
attestations: write
artifact-metadata: write
jobs:
publish:
uses: ./.github/workflows/publish-artifacts.yml
with:
package_version: ${{ inputs.version }}
secrets:
NUGET_SIGN_CERTIFICATE_BASE64: ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
NUGET_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
NUGET_SIGN_TIMESTAMP_URL: ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
NUGET_SIGN_SKIP_VERIFICATION: ${{ secrets.NUGET_SIGN_SKIP_VERIFICATION }}
release:
name: Upload artifacts to draft release
runs-on: ubuntu-latest
needs: publish
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Download published artifacts
uses: actions/download-artifact@v6
with:
pattern: ModularityKit-packages
path: dist
merge-multiple: true
- name: Attest package artifacts
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/*.nupkg
- name: Create or update draft release
env:
GITHUB_TOKEN: ${{ github.token }}
REPOSITORY: ${{ github.repository }}
DIST_DIR: dist
FIND_DRAFT: "true"
ENSURE_DRAFT: "true"
FAIL_MESSAGE: "No draft release found. Release Drafter must create the draft before artifacts can be uploaded."
ASSET_PATTERNS: |
*
run: python3 -m scripts.releases.upload_release_assets