3636 default : true
3737
3838 workflow_call :
39- outputs :
40- signing_enabled :
41- description : " Whether package signing was enabled for this run."
42- value : ${{ jobs.package.outputs.signing_enabled }}
43- signature_verification_enabled :
44- description : " Whether signed package verification was enabled for this run."
45- value : ${{ jobs.package.outputs.signature_verification_enabled }}
4639 inputs :
4740 package_version :
4841 description : " Optional package version, usually the release tag without the leading v."
7568 required : false
7669 type : boolean
7770 default : true
78- secrets :
79- NUGET_SIGN_CERTIFICATE_BASE64 :
80- required : false
81- NUGET_SIGN_CERTIFICATE_PASSWORD :
82- required : false
83- NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT :
84- required : false
85- NUGET_SIGN_TIMESTAMP_URL :
86- required : false
87- NUGET_SIGN_SKIP_VERIFICATION :
88- required : false
89-
71+
9072permissions :
9173 contents : read
9274
9375jobs :
9476 package :
9577 name : Pack packages
9678 runs-on : ubuntu-latest
97- outputs :
98- signing_enabled : ${{ steps.signing.outputs.enabled }}
99- signature_verification_enabled : ${{ steps.signing.outputs.verify_enabled }}
10079
10180 steps :
10281 - name : Checkout
11796 CORE_VERSION : ${{ inputs.core_version }}
11897 GOVERNANCE_VERSION : ${{ inputs.governance_version }}
11998 REDIS_VERSION : ${{ inputs.redis_version }}
120- REF_NAME : ${{ github.ref_name }}
12199 run : |
122100 resolve_version() {
123101 local value="$1"
@@ -128,13 +106,15 @@ jobs:
128106 fi
129107
130108 if [ -z "$value" ]; then
131- value="$REF_NAME"
109+ echo "Missing package version input. Pass a release tag version explicitly." >&2
110+ exit 1
132111 fi
133112
134113 value="${value#v}"
135114
136115 if ! printf '%s' "$value" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}([-+][0-9A-Za-z.-]+)?$'; then
137- value="0.1.0"
116+ echo "Invalid package version: $value" >&2
117+ exit 1
138118 fi
139119
140120 printf '%s' "$value"
@@ -183,72 +163,6 @@ jobs:
183163 -o nupkg
184164 -p:PackageVersion=${{ steps.version.outputs.redis_version }}
185165
186- - name : Resolve signing mode
187- id : signing
188- env :
189- NUGET_SIGN_CERTIFICATE_BASE64 : ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
190- NUGET_SIGN_CERTIFICATE_PASSWORD : ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
191- NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT : ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
192- NUGET_SIGN_TIMESTAMP_URL : ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
193- NUGET_SIGN_SKIP_VERIFICATION : ${{ secrets.NUGET_SIGN_SKIP_VERIFICATION }}
194- run : |
195- if [ -n "$NUGET_SIGN_CERTIFICATE_BASE64" ] \
196- && [ -n "$NUGET_SIGN_CERTIFICATE_PASSWORD" ] \
197- && [ -n "$NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT" ] \
198- && [ -n "$NUGET_SIGN_TIMESTAMP_URL" ]; then
199- echo "enabled=true" >> "$GITHUB_OUTPUT"
200- echo "Package signing enabled."
201- else
202- echo "enabled=false" >> "$GITHUB_OUTPUT"
203- echo "Package signing disabled. Continuing with unsigned packages."
204- fi
205-
206- if [ "${NUGET_SIGN_SKIP_VERIFICATION,,}" = "true" ]; then
207- echo "verify_enabled=false" >> "$GITHUB_OUTPUT"
208- echo "Signed package verification disabled by NUGET_SIGN_SKIP_VERIFICATION."
209- else
210- echo "verify_enabled=true" >> "$GITHUB_OUTPUT"
211- echo "Signed package verification enabled."
212- fi
213-
214- - name : Import signing certificate
215- if : ${{ steps.signing.outputs.enabled == 'true' }}
216- env :
217- NUGET_SIGN_CERTIFICATE_BASE64 : ${{ secrets.NUGET_SIGN_CERTIFICATE_BASE64 }}
218- run : |
219- printf '%s' "$NUGET_SIGN_CERTIFICATE_BASE64" | base64 --decode > signing-cert.pfx
220-
221- - name : Sign packages
222- if : ${{ steps.signing.outputs.enabled == 'true' }}
223- env :
224- NUGET_SIGN_CERTIFICATE_PASSWORD : ${{ secrets.NUGET_SIGN_CERTIFICATE_PASSWORD }}
225- NUGET_SIGN_TIMESTAMP_URL : ${{ secrets.NUGET_SIGN_TIMESTAMP_URL }}
226- run : |
227- for package in nupkg/*.nupkg; do
228- dotnet nuget sign "$package" \
229- --certificate-path signing-cert.pfx \
230- --certificate-password "$NUGET_SIGN_CERTIFICATE_PASSWORD" \
231- --timestamper "$NUGET_SIGN_TIMESTAMP_URL" \
232- --timestamp-hash-algorithm SHA256 \
233- --hash-algorithm SHA256 \
234- --overwrite
235- done
236-
237- - name : Verify signed packages
238- if : ${{ steps.signing.outputs.enabled == 'true' && steps.signing.outputs.verify_enabled == 'true' }}
239- env :
240- NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT : ${{ secrets.NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT }}
241- run : |
242- for package in nupkg/*.nupkg; do
243- dotnet nuget verify "$package" \
244- --all \
245- --certificate-fingerprint "$NUGET_SIGN_CERTIFICATE_SHA256_FINGERPRINT"
246- done
247-
248- - name : Remove signing certificate
249- if : ${{ always() }}
250- run : rm -f signing-cert.pfx
251-
252166 - name : Upload packages
253167 uses : actions/upload-artifact@v4
254168 with :
0 commit comments