Switch to centrally managed actions (#35)

.github/workflows/assert-contents.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-
-echo "Unzipping version from NuGet"
-ls from-nuget.nupkg
-mkdir from-nuget && cp from-nuget.nupkg from-nuget/zip.zip && cd from-nuget && unzip zip.zip && rm zip.zip && cd - || exit 1
-
-echo "Unzipping version from local build"
-ls packed/
-mkdir from-local && cp packed/*.nupkg from-local/zip.zip && cd from-local && unzip zip.zip && rm zip.zip && cd - || exit 1
-
-cd from-local && find . -type f -exec sha256sum {} \; | sort > ../from-local.txt && cd .. || exit 1
-cd from-nuget && find . -type f -and -not -name '.signature.p7s' -exec sha256sum {} \; | sort > ../from-nuget.txt && cd .. || exit 1
-
-diff from-local.txt from-nuget.txt

.github/workflows/dotnet.yaml

@@ -185,7 +185,7 @@ jobs:
     needs: [check-dotnet-format, check-nix-format, build, build-nix, linkcheck, flake-check, nuget-pack, expected-pack, github-release-dry-run, build-windows]
     runs-on: ubuntu-latest
     steps:
-      - uses: Smaug123/all-required-checks-complete-action@05b40a8c47ef0b175ea326e9abb09802cb67b44e
+      - uses: G-Research/common-actions/check-required-lite@2b7dc49cb14f3344fbe6019c14a31165e258c059
         with:
           needs-context: ${{ toJSON(needs) }}
 
@@ -229,26 +229,16 @@ jobs:
         with:
           name: nuget-package
           path: packed
-      - name: Publish to NuGet
-        id: publish-success
-        env:
-          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
-        run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.DotnetRuntimeLocator.*.nupkg"'
-      - name: Wait for availability
-        if: steps.publish-success.outputs.result == 'published'
-        env:
-          PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }}
-        run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.DotnetRuntimeLocator/$PACKAGE_VERSION" ; do sleep 10; done'
-      # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/).
-      # So we have to *re-attest* it after it's uploaded. Mind-blowing.
-      - name: Assert package contents
-        if: steps.publish-success.outputs.result == 'published'
-        run: 'bash ./.github/workflows/assert-contents.sh'
-      - name: Attest Build Provenance
-        if: steps.publish-success.outputs.result == 'published'
-        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+      - name: Identify .NET
+        id: identify-dotnet
+        run: nix develop --command bash -c "echo dotnet=$(which dotnet) >> $GITHUB_OUTPUT"
+      - name: Publish NuGet package
+        uses: G-Research/common-actions/publish-nuget@2b7dc49cb14f3344fbe6019c14a31165e258c059
         with:
-          subject-path: "from-nuget.nupkg"
+          package-name: WoofWare.DotnetRuntimeLocator
+          nuget-key: ${{ secrets.NUGET_API_KEY }}
+          nupkg-dir: packed/
+          dotnet: ${{ steps.identify-dotnet.outputs.dotnet }}
 
   github-release:
     runs-on: ubuntu-latest

.github/workflows/nuget-push.sh

@@ -1,24 +0,0 @@
-#!/bin/bash
-
-SOURCE_NUPKG=$(find . -type f -name '*.nupkg')
-
-PACKAGE_VERSION=$(basename "$SOURCE_NUPKG" | rev | cut -d '.' -f 2-4 | rev)
-
-echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT"
-
-tmp=$(mktemp)
-
-if ! dotnet nuget push "$SOURCE_NUPKG" --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json > "$tmp" ; then
-    cat "$tmp"
-    if grep 'already exists and cannot be modified' "$tmp" ; then
-        echo "result=skipped" >> "$GITHUB_OUTPUT"
-        exit 0
-    else
-        echo "Unexpected failure to upload"
-        exit 1
-    fi
-fi
-
-cat "$tmp"
-
-echo "result=published" >> "$GITHUB_OUTPUT"