Skip to content

Commit 3f644ab

Browse files
committed
ci: remove nuget signing path
1 parent e163234 commit 3f644ab

4 files changed

Lines changed: 7 additions & 143 deletions

File tree

.github/workflows/publish-artifacts.yml

Lines changed: 5 additions & 91 deletions
Original file line numberDiff line numberDiff line change
@@ -36,13 +36,6 @@ on:
3636
default: true
3737

3838
workflow_call:
39-
outputs:
40-
signing_enabled:
41-
description: "Whether package signing was enabled for this run."
42-
value: ${{ jobs.package.outputs.signing_enabled }}
43-
signature_verification_enabled:
44-
description: "Whether signed package verification was enabled for this run."
45-
value: ${{ jobs.package.outputs.signature_verification_enabled }}
4639
inputs:
4740
package_version:
4841
description: "Optional package version, usually the release tag without the leading v."
@@ -75,28 +68,14 @@ on:
7568
required: false
7669
type: boolean
7770
default: true
78-
secrets:
79-
NUGET_SIGN_CERTIFICATE_BASE64:
80-
required: false
81-
NUGET_SIGN_CERTIFICATE_PASSWORD:
82-
required: false
83-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT:
84-
required: false
85-
NUGET_SIGN_TIMESTAMP_URL:
86-
required: false
87-
NUGET_SIGN_SKIP_VERIFICATION:
88-
required: false
89-
71+
9072
permissions:
9173
contents: read
9274

9375
jobs:
9476
package:
9577
name: Pack packages
9678
runs-on: ubuntu-latest
97-
outputs:
98-
signing_enabled: ${{ steps.signing.outputs.enabled }}
99-
signature_verification_enabled: ${{ steps.signing.outputs.verify_enabled }}
10079

10180
steps:
10281
- name: Checkout
@@ -117,7 +96,6 @@ jobs:
11796
CORE_VERSION: ${{ inputs.core_version }}
11897
GOVERNANCE_VERSION: ${{ inputs.governance_version }}
11998
REDIS_VERSION: ${{ inputs.redis_version }}
120-
REF_NAME: ${{ github.ref_name }}
12199
run: |
122100
resolve_version() {
123101
local value="$1"
@@ -128,13 +106,15 @@ jobs:
128106
fi
129107
130108
if [ -z "$value" ]; then
131-
value="$REF_NAME"
109+
echo "Missing package version input. Pass a release tag version explicitly." >&2
110+
exit 1
132111
fi
133112
134113
value="${value#v}"
135114
136115
if ! printf '%s' "$value" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}([-+][0-9A-Za-z.-]+)?$'; then
137-
value="0.1.0"
116+
echo "Invalid package version: $value" >&2
117+
exit 1
138118
fi
139119
140120
printf '%s' "$value"
@@ -183,72 +163,6 @@ jobs:
183163
-o nupkg
184164
-p:PackageVersion=${{ steps.version.outputs.redis_version }}
185165
186-
- name: Resolve signing mode
187-
id: signing
188-
env:
189-
NUGET_SIGN_CERTIFICATE_BASE64: ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
190-
NUGET_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
191-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
192-
NUGET_SIGN_TIMESTAMP_URL: ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
193-
NUGET_SIGN_SKIP_VERIFICATION: ${{ secrets.NUGET_SIGN_SKIP_VERIFICATION }}
194-
run: |
195-
if [ -n "$NUGET_SIGN_CERTIFICATE_BASE64" ] \
196-
&& [ -n "$NUGET_SIGN_CERTIFICATE_PASSWORD" ] \
197-
&& [ -n "$NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT" ] \
198-
&& [ -n "$NUGET_SIGN_TIMESTAMP_URL" ]; then
199-
echo "enabled=true" >> "$GITHUB_OUTPUT"
200-
echo "Package signing enabled."
201-
else
202-
echo "enabled=false" >> "$GITHUB_OUTPUT"
203-
echo "Package signing disabled. Continuing with unsigned packages."
204-
fi
205-
206-
if [ "${NUGET_SIGN_SKIP_VERIFICATION,,}" = "true" ]; then
207-
echo "verify_enabled=false" >> "$GITHUB_OUTPUT"
208-
echo "Signed package verification disabled by NUGET_SIGN_SKIP_VERIFICATION."
209-
else
210-
echo "verify_enabled=true" >> "$GITHUB_OUTPUT"
211-
echo "Signed package verification enabled."
212-
fi
213-
214-
- name: Import signing certificate
215-
if: ${{ steps.signing.outputs.enabled == 'true' }}
216-
env:
217-
NUGET_SIGN_CERTIFICATE_BASE64: ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
218-
run: |
219-
printf '%s' "$NUGET_SIGN_CERTIFICATE_BASE64" | base64 --decode > signing-cert.pfx
220-
221-
- name: Sign packages
222-
if: ${{ steps.signing.outputs.enabled == 'true' }}
223-
env:
224-
NUGET_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
225-
NUGET_SIGN_TIMESTAMP_URL: ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
226-
run: |
227-
for package in nupkg/*.nupkg; do
228-
dotnet nuget sign "$package" \
229-
--certificate-path signing-cert.pfx \
230-
--certificate-password "$NUGET_SIGN_CERTIFICATE_PASSWORD" \
231-
--timestamper "$NUGET_SIGN_TIMESTAMP_URL" \
232-
--timestamp-hash-algorithm SHA256 \
233-
--hash-algorithm SHA256 \
234-
--overwrite
235-
done
236-
237-
- name: Verify signed packages
238-
if: ${{ steps.signing.outputs.enabled == 'true' && steps.signing.outputs.verify_enabled == 'true' }}
239-
env:
240-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
241-
run: |
242-
for package in nupkg/*.nupkg; do
243-
dotnet nuget verify "$package" \
244-
--all \
245-
--certificate-fingerprint "$NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT"
246-
done
247-
248-
- name: Remove signing certificate
249-
if: ${{ always() }}
250-
run: rm -f signing-cert.pfx
251-
252166
- name: Upload packages
253167
uses: actions/upload-artifact@v4
254168
with:

.github/workflows/publish-attested.yml

Lines changed: 0 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -13,17 +13,6 @@ on:
1313
description: Release version without the leading "v"
1414
required: false
1515
type: string
16-
secrets:
17-
NUGET_SIGN_CERTIFICATE_BASE64:
18-
required: false
19-
NUGET_SIGN_CERTIFICATE_PASSWORD:
20-
required: false
21-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT:
22-
required: false
23-
NUGET_SIGN_TIMESTAMP_URL:
24-
required: false
25-
NUGET_SIGN_SKIP_VERIFICATION:
26-
required: false
2716

2817
permissions:
2918
contents: write
@@ -36,12 +25,6 @@ jobs:
3625
uses: ./.github/workflows/publish-artifacts.yml
3726
with:
3827
package_version: ${{ inputs.version }}
39-
secrets:
40-
NUGET_SIGN_CERTIFICATE_BASE64: ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
41-
NUGET_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
42-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
43-
NUGET_SIGN_TIMESTAMP_URL: ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
44-
NUGET_SIGN_SKIP_VERIFICATION: ${{ secrets.NUGET_SIGN_SKIP_VERIFICATION }}
4528

4629
release:
4730
name: Upload artifacts to draft release

.github/workflows/publish-packages.yml

Lines changed: 2 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ on:
3737
publish_nuget:
3838
description: Publish to NuGet.org
3939
required: false
40-
default: true
40+
default: false
4141
type: boolean
4242
publish_github_packages:
4343
description: Publish to GitHub Packages
@@ -80,6 +80,7 @@ on:
8080
publish_nuget:
8181
description: Publish to NuGet.org
8282
required: false
83+
default: false
8384
type: boolean
8485
publish_github_packages:
8586
description: Publish to GitHub Packages
@@ -101,12 +102,6 @@ jobs:
101102
publish_core: ${{ inputs.publish_core }}
102103
publish_governance: ${{ inputs.publish_governance }}
103104
publish_redis: ${{ inputs.publish_redis }}
104-
secrets:
105-
NUGET_SIGN_CERTIFICATE_BASE64: ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
106-
NUGET_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
107-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
108-
NUGET_SIGN_TIMESTAMP_URL: ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
109-
NUGET_SIGN_SKIP_VERIFICATION: ${{ secrets.NUGET_SIGN_SKIP_VERIFICATION }}
110105

111106
publish-nuget:
112107
name: Publish to NuGet.org
@@ -130,17 +125,6 @@ jobs:
130125
path: dist
131126
merge-multiple: true
132127

133-
- name: Verify signed packages
134-
if: ${{ needs.package.outputs.signing_enabled == 'true' && needs.package.outputs.signature_verification_enabled == 'true' }}
135-
env:
136-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
137-
run: |
138-
for package in dist/*.nupkg; do
139-
dotnet nuget verify "$package" \
140-
--all \
141-
--certificate-fingerprint "$NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT"
142-
done
143-
144128
- name: NuGet login
145129
id: login
146130
uses: NuGet/login@v1
@@ -180,17 +164,6 @@ jobs:
180164
path: dist
181165
merge-multiple: true
182166

183-
- name: Verify signed packages
184-
if: ${{ needs.package.outputs.signing_enabled == 'true' && needs.package.outputs.signature_verification_enabled == 'true' }}
185-
env:
186-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
187-
run: |
188-
for package in dist/*.nupkg; do
189-
dotnet nuget verify "$package" \
190-
--all \
191-
--certificate-fingerprint "$NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT"
192-
done
193-
194167
- name: Push packages to GitHub Packages
195168
env:
196169
GITHUB_TOKEN: ${{ github.token }}

.github/workflows/release-drafter.yml

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -41,9 +41,3 @@ jobs:
4141
uses: ./.github/workflows/publish-attested.yml
4242
with:
4343
version: ${{ needs.update-release-draft.outputs.tag_name }}
44-
secrets:
45-
NUGET_SIGN_CERTIFICATE_BASE64: ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
46-
NUGET_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
47-
NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT: ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
48-
NUGET_SIGN_TIMESTAMP_URL: ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
49-
NUGET_SIGN_SKIP_VERIFICATION: ${{ secrets.NUGET_SIGN_SKIP_VERIFICATION }}

0 commit comments

Comments
 (0)