From 8434730ba78e54ee8e74677042d25a15103f960f Mon Sep 17 00:00:00 2001 From: Patrick Stevens <3138005+Smaug123@users.noreply.github.com> Date: Tue, 13 Aug 2024 22:54:14 +0100 Subject: [PATCH] Migrate to dedicated publish action (#210) --- .github/workflows/assert-contents.sh | 14 -------- .github/workflows/dotnet.yaml | 50 +++++++++------------------- .github/workflows/nuget-push.sh | 24 ------------- 3 files changed, 16 insertions(+), 72 deletions(-) delete mode 100644 .github/workflows/assert-contents.sh delete mode 100644 .github/workflows/nuget-push.sh diff --git a/.github/workflows/assert-contents.sh b/.github/workflows/assert-contents.sh deleted file mode 100644 index ebefdfb..0000000 --- a/.github/workflows/assert-contents.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -echo "Unzipping version from NuGet" -ls from-nuget.nupkg -mkdir from-nuget && cp from-nuget.nupkg from-nuget/zip.zip && cd from-nuget && unzip zip.zip && rm zip.zip && cd - || exit 1 - -echo "Unzipping version from local build" -ls packed/ -mkdir from-local && cp packed/*.nupkg from-local/zip.zip && cd from-local && unzip zip.zip && rm zip.zip && cd - || exit 1 - -cd from-local && find . -type f -exec sha256sum {} \; | sort > ../from-local.txt && cd .. || exit 1 -cd from-nuget && find . -type f -and -not -name '.signature.p7s' -exec sha256sum {} \; | sort > ../from-nuget.txt && cd .. || exit 1 - -diff from-local.txt from-nuget.txt diff --git a/.github/workflows/dotnet.yaml b/.github/workflows/dotnet.yaml index d1e53e5..1223168 100644 --- a/.github/workflows/dotnet.yaml +++ b/.github/workflows/dotnet.yaml 
@@ -285,26 +285,17 @@ jobs: with: name: nuget-package-attribute path: packed + - name: Identify `dotnet` + id: dotnet-identify + run: nix develop --command bash -c 'echo "dotnet=$(which dotnet)" >> $GITHUB_OUTPUT' - name: Publish to NuGet id: publish-success - env: - NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} - run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.Myriad.Plugins.Attributes.*.nupkg"' - - name: Wait for availability - if: steps.publish-success.outputs.result == 'published' - env: - PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }} - run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.Myriad.Plugins.Attributes/$PACKAGE_VERSION" ; do sleep 10; done' - # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/). - # So we have to *re-attest* it after it's uploaded. Mind-blowing. - - name: Assert package contents - if: steps.publish-success.outputs.result == 'published' - run: 'bash ./.github/workflows/assert-contents.sh' - - name: Attest Build Provenance - if: steps.publish-success.outputs.result == 'published' - uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1 + uses: Smaug123/publish-nuget-action@76df889166633c2dc613560c092882aabe260df0 with: - subject-path: "from-nuget.nupkg" + package-name: WoofWare.Myriad.Plugins.Attributes + nuget-key: ${{ secrets.NUGET_API_KEY }} + nupkg-dir: packed/ + dotnet: ${{ steps.dotnet-identify.outputs.dotnet }} nuget-publish-plugin: runs-on: ubuntu-latest 
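Review bot: The added `dotnet-identify` step cannot fail when no `dotnet` is found: `which dotnet` then expands to nothing, `echo` still succeeds and writes `dotnet=`, and the publish step that receives `NUGET_API_KEY` is handed an empty tool path. How the action treats an empty `dotnet` input is not visible here, so failing early is safer. The redirect target is also unquoted, where the removed nuget-push.sh wrote `"$GITHUB_OUTPUT"`. Suggested: `run: nix develop --command bash -ec 'd=$(command -v dotnet); echo "dotnet=$d" >> "$GITHUB_OUTPUT"'`. The identical step in the `nuget-publish-plugin` job (next hunk) needs the same change; both job bodies start outside their hunks.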
@@ -327,26 +318,17 @@ jobs: with: name: nuget-package-plugin path: packed + - name: Identify `dotnet` + id: dotnet-identify + run: nix develop --command bash -c 'echo "dotnet=$(which dotnet)" >> $GITHUB_OUTPUT' - name: Publish to NuGet id: publish-success - env: - NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} - run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.Myriad.Plugins.*.nupkg"' - - name: Wait for availability - if: steps.publish-success.outputs.result == 'published' - env: - PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }} - run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.Myriad.Plugins/$PACKAGE_VERSION" ; do sleep 10; done' - # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/). - # So we have to *re-attest* it after it's uploaded. Mind-blowing. - - name: Assert package contents - if: steps.publish-success.outputs.result == 'published' - run: 'bash ./.github/workflows/assert-contents.sh' - - name: Attest Build Provenance - if: steps.publish-success.outputs.result == 'published' - uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1 + uses: Smaug123/publish-nuget-action@76df889166633c2dc613560c092882aabe260df0 with: - subject-path: "from-nuget.nupkg" + package-name: WoofWare.Myriad.Plugins + nuget-key: ${{ secrets.NUGET_API_KEY }} + nupkg-dir: packed/ + dotnet: ${{ steps.dotnet-identify.outputs.dotnet }} github-release-plugin: runs-on: ubuntu-latest diff --git a/.github/workflows/nuget-push.sh b/.github/workflows/nuget-push.sh deleted file mode 100644 index edc170d..0000000 --- a/.github/workflows/nuget-push.sh +++ /dev/null 
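Review bot: The new `uses: Smaug123/publish-nuget-action@76df889166633c2dc613560c092882aabe260df0` line is pinned to a full commit SHA but, unlike the removed `actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1` line, has no trailing version comment, so a reviewer or update bot cannot tell which release the hash belongs to. Add one, e.g. `# <TAG-OF-THIS-COMMIT>` (placeholder). The removed comment explaining that NuGet.org re-signs the package, so the downloaded copy is what gets compared and attested, is no longer anywhere in this file. A one-line comment above the step stating that the action is expected to perform the download, content comparison and attestation would keep that supply-chain rationale reviewable. If attestation now happens inside the action, the job presumably still needs `id-token: write` and `attestations: write`; the `permissions` block is outside this hunk, so this is worth confirming, and the same points apply to the first hunk.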
@@ -1,24 +0,0 @@ -#!/bin/bash - -SOURCE_NUPKG=$(find . -type f -name '*.nupkg') - -PACKAGE_VERSION=$(basename "$SOURCE_NUPKG" | rev | cut -d '.' -f 2-4 | rev) - -echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT" - -tmp=$(mktemp) - -if ! dotnet nuget push "$SOURCE_NUPKG" --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json > "$tmp" ; then - cat "$tmp" - if grep 'already exists and cannot be modified' "$tmp" ; then - echo "result=skipped" >> "$GITHUB_OUTPUT" - exit 0 - else - echo "Unexpected failure to upload" - exit 1 - fi -fi - -cat "$tmp" - -echo "result=published" >> "$GITHUB_OUTPUT"