diff --git a/.github/workflows/assert-contents.sh b/.github/workflows/assert-contents.sh
deleted file mode 100644
index ebefdfb..0000000
--- a/.github/workflows/assert-contents.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-echo "Unzipping version from NuGet"
-ls from-nuget.nupkg
-mkdir from-nuget && cp from-nuget.nupkg from-nuget/zip.zip && cd from-nuget && unzip zip.zip && rm zip.zip && cd - || exit 1
-
-echo "Unzipping version from local build"
-ls packed/
-mkdir from-local && cp packed/*.nupkg from-local/zip.zip && cd from-local && unzip zip.zip && rm zip.zip && cd - || exit 1
-
-cd from-local && find . -type f -exec sha256sum {} \; | sort > ../from-local.txt && cd .. || exit 1
-cd from-nuget && find . -type f -and -not -name '.signature.p7s' -exec sha256sum {} \; | sort > ../from-nuget.txt && cd .. || exit 1
-
-diff from-local.txt from-nuget.txt
diff --git a/.github/workflows/dotnet.yaml b/.github/workflows/dotnet.yaml
index 44d6e79..96bc1df 100644
--- a/.github/workflows/dotnet.yaml
+++ b/.github/workflows/dotnet.yaml
@@ -185,7 +185,7 @@ jobs:
 needs: [check-dotnet-format, check-nix-format, build, build-nix, linkcheck, flake-check, nuget-pack, expected-pack, github-release-dry-run, build-windows]
 runs-on: ubuntu-latest
 steps:
- - uses: Smaug123/all-required-checks-complete-action@05b40a8c47ef0b175ea326e9abb09802cb67b44e
+ - uses: G-Research/common-actions/check-required-lite@2b7dc49cb14f3344fbe6019c14a31165e258c059
 with:
 needs-context: ${{ toJSON(needs) }}
 
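Review bot: The new `uses:` line pins `G-Research/common-actions/check-required-lite` to a full commit SHA but carries no comment saying which tag or date that commit corresponds to, and the same bare SHA is used for `publish-nuget` in the next hunk of this file. The pin itself is the right call for a third-party action; a trailing comment, as the removed `attest-build-provenance` line had with `# v1.4.2`, lets a reviewer check the SHA against upstream and makes later bumps auditable. I would append something like `# <tag or commit date>` to both lines. The job this step belongs to starts above the hunk.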
@@ -229,26 +229,16 @@ jobs:
 with:
 name: nuget-package
 path: packed
- - name: Publish to NuGet
- id: publish-success
- env:
- NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
- run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.DotnetRuntimeLocator.*.nupkg"'
- - name: Wait for availability
- if: steps.publish-success.outputs.result == 'published'
- env:
- PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }}
- run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.DotnetRuntimeLocator/$PACKAGE_VERSION" ; do sleep 10; done'
- # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/).
- # So we have to *re-attest* it after it's uploaded. Mind-blowing.
- - name: Assert package contents
- if: steps.publish-success.outputs.result == 'published'
- run: 'bash ./.github/workflows/assert-contents.sh'
- - name: Attest Build Provenance
- if: steps.publish-success.outputs.result == 'published'
- uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+ - name: Identify .NET
+ id: identify-dotnet
+ run: nix develop --command bash -c "echo dotnet=$(which dotnet) >> $GITHUB_OUTPUT"
+ - name: Publish NuGet package
+ uses: G-Research/common-actions/publish-nuget@2b7dc49cb14f3344fbe6019c14a31165e258c059
 with:
- subject-path: "from-nuget.nupkg"
+ package-name: WoofWare.DotnetRuntimeLocator
+ nuget-key: ${{ secrets.NUGET_API_KEY }}
+ nupkg-dir: packed/
+ dotnet: ${{ steps.identify-dotnet.outputs.dotnet }}
 github-release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nuget-push.sh b/.github/workflows/nuget-push.sh
deleted file mode 100644
index edc170d..0000000
--- a/.github/workflows/nuget-push.sh
+++ /dev/null
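Review bot: In the `Identify .NET` step the `bash -c` argument is double-quoted, so the runner's outer shell expands `$(which dotnet)` and `$GITHUB_OUTPUT` before `nix develop` starts; the path handed to `publish-nuget` is then whatever `dotnet` is on the runner's PATH (or empty), not the one from the dev shell. Single-quoting defers the expansion to the inner shell: `run: nix develop --command bash -c 'echo "dotnet=$(which dotnet)" >> "$GITHUB_OUTPUT"'`. Separately, the removed steps compared the package served by NuGet.org with the local build and attested the downloaded file; whether the pinned action does the same, and whether the job grants the permissions an attestation needs, is not visible here because the job header is above the hunk, so that is worth confirming before merging.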
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-SOURCE_NUPKG=$(find . -type f -name '*.nupkg')
-
-PACKAGE_VERSION=$(basename "$SOURCE_NUPKG" | rev | cut -d '.' -f 2-4 | rev)
-
-echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT"
-
-tmp=$(mktemp)
-
-if ! dotnet nuget push "$SOURCE_NUPKG" --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json > "$tmp" ; then
- cat "$tmp"
- if grep 'already exists and cannot be modified' "$tmp" ; then
- echo "result=skipped" >> "$GITHUB_OUTPUT"
- exit 0
- else
- echo "Unexpected failure to upload"
- exit 1
- fi
-fi
-
-cat "$tmp"
-
-echo "result=published" >> "$GITHUB_OUTPUT"