patrick/WoofWare.DotnetRuntimeLocator
1
0
Fork 0
mirror of https://github.com/Smaug123/WoofWare.DotnetRuntimeLocator synced 2025-10-09 09:18:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Wait for NuGet readiness and assert package contents (#8)

Browse Source
This commit is contained in:
Patrick Stevens
2024-06-17 21:46:09 +01:00
committed by GitHub
parent ad1bef7a06
commit e71418a46d
3 changed files with 55 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/workflows/assert-contents.sh vendored Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
mkdir from-nuget && cp from-nuget.nupkg from-nuget/zip.zip && cd from-nuget && unzip zip.zip && cd - || exit 1
mkdir from-local && cp packed/*.nupkg from-local/zip.zip && cd from-local && unzip zip.zip && cd - || exit 1
find from-local -type f -exec sha256sum {} \; | sort > from-local.txt
find from-nuget -type f -and -not -name '.signature.p7s' -exec sha256sum {} \; | sort > from-nuget.txt
diff from-local.txt from-nuget.txt

24
.github/workflows/dotnet.yaml vendored
View File

@@ -208,6 +208,10 @@ jobs:
if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
needs: [attestation] needs: [attestation]
environment: main-deploy environment: main-deploy
permissions:
id-token: write
attestations: write
contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Install Nix - name: Install Nix
@@ -221,7 +225,25 @@ jobs:
name: nuget-package name: nuget-package
path: packed path: packed
- name: Publish to NuGet - name: Publish to NuGet
run: nix develop --command dotnet nuget push "packed/WoofWare.DotnetRuntimeLocator.*.nupkg" --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate id: publish-success
env:
NUGET_API_KEY: ${{ secrets.GITHUB_TOKEN }}
run: 'nix develop --command ./.github/workflows/nuget-push.sh "packed/WoofWare.DotnetRuntimeLocator.*.nupkg"'
- name: Wait for availability
if: steps.publish-success.outputs.result == 'published'
env:
PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }}
run: 'echo "$PACKAGE_VERSION" && while ! curl --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.DotnetRuntimeLocator/$PACKAGE_VERSION" ; do sleep 10; done'
# Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/).
# So we have to *re-attest* it after it's uploaded. Mind-blowing.
- name: Assert package contents
if: steps.publish-success.outputs.result == 'published'
run: 'bash ./.github/workflows/assert-contents.sh'
- name: Attest Build Provenance
if: steps.publish-success.outputs.result == 'published'
uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
with:
subject-path: "from-nuget.nupkg"
github-release: github-release:
runs-on: ubuntu-latest runs-on: ubuntu-latest

22
.github/workflows/nuget-push.sh vendored Normal file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
SOURCE_NUPKG=$(find . type f -name '*.nupkg')
PACKAGE_VERSION=$(basename "$SOURCE_NUPKG" | rev | cut -d '.' -f 2-4 | rev)
echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT"
tmp=$(mktemp)
if ! dotnet nuget push "$SOURCE_NUPKG" --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json --skip-duplicate > "$tmp" ; then
cat "$tmp"
if grep 'already exists at feed' "$tmp" ; then
echo "result=skipped" >> "$GITHUB_OUTPUT"
exit 0
else
echo "Unexpected failure to upload"
exit 1
fi
fi
echo "result=published" >> "$GITHUB_OUTPUT"