Migrate to dedicated publish action (#210)

.github/workflows/assert-contents.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-
-echo "Unzipping version from NuGet"
-ls from-nuget.nupkg
-mkdir from-nuget && cp from-nuget.nupkg from-nuget/zip.zip && cd from-nuget && unzip zip.zip && rm zip.zip && cd - || exit 1
-
-echo "Unzipping version from local build"
-ls packed/
-mkdir from-local && cp packed/*.nupkg from-local/zip.zip && cd from-local && unzip zip.zip && rm zip.zip && cd - || exit 1
-
-cd from-local && find . -type f -exec sha256sum {} \; | sort > ../from-local.txt && cd .. || exit 1
-cd from-nuget && find . -type f -and -not -name '.signature.p7s' -exec sha256sum {} \; | sort > ../from-nuget.txt && cd .. || exit 1
-
-diff from-local.txt from-nuget.txt

.github/workflows/dotnet.yaml

@@ -285,26 +285,17 @@ jobs:
         with:
           name: nuget-package-attribute
           path: packed
+      - name: Identify `dotnet`
+        id: dotnet-identify
+        run: nix develop --command bash -c 'echo "dotnet=$(which dotnet)" >> $GITHUB_OUTPUT'
       - name: Publish to NuGet
         id: publish-success
-        env:
-          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
-        run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.Myriad.Plugins.Attributes.*.nupkg"'
-      - name: Wait for availability
-        if: steps.publish-success.outputs.result == 'published'
-        env:
-          PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }}
-        run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.Myriad.Plugins.Attributes/$PACKAGE_VERSION" ; do sleep 10; done'
-      # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/).
-      # So we have to *re-attest* it after it's uploaded. Mind-blowing.
-      - name: Assert package contents
-        if: steps.publish-success.outputs.result == 'published'
-        run: 'bash ./.github/workflows/assert-contents.sh'
-      - name: Attest Build Provenance
-        if: steps.publish-success.outputs.result == 'published'
-        uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1
+        uses: Smaug123/publish-nuget-action@76df889166633c2dc613560c092882aabe260df0
         with:
-          subject-path: "from-nuget.nupkg"
+          package-name: WoofWare.Myriad.Plugins.Attributes
+          nuget-key: ${{ secrets.NUGET_API_KEY }}
+          nupkg-dir: packed/
+          dotnet: ${{ steps.dotnet-identify.outputs.dotnet }}
 
   nuget-publish-plugin:
     runs-on: ubuntu-latest
@@ -327,26 +318,17 @@ jobs:
         with:
           name: nuget-package-plugin
           path: packed
+      - name: Identify `dotnet`
+        id: dotnet-identify
+        run: nix develop --command bash -c 'echo "dotnet=$(which dotnet)" >> $GITHUB_OUTPUT'
       - name: Publish to NuGet
         id: publish-success
-        env:
-          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
-        run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.Myriad.Plugins.*.nupkg"'
-      - name: Wait for availability
-        if: steps.publish-success.outputs.result == 'published'
-        env:
-          PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }}
-        run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.Myriad.Plugins/$PACKAGE_VERSION" ; do sleep 10; done'
-      # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/).
-      # So we have to *re-attest* it after it's uploaded. Mind-blowing.
-      - name: Assert package contents
-        if: steps.publish-success.outputs.result == 'published'
-        run: 'bash ./.github/workflows/assert-contents.sh'
-      - name: Attest Build Provenance
-        if: steps.publish-success.outputs.result == 'published'
-        uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1
+        uses: Smaug123/publish-nuget-action@76df889166633c2dc613560c092882aabe260df0
         with:
-          subject-path: "from-nuget.nupkg"
+          package-name: WoofWare.Myriad.Plugins
+          nuget-key: ${{ secrets.NUGET_API_KEY }}
+          nupkg-dir: packed/
+          dotnet: ${{ steps.dotnet-identify.outputs.dotnet }}
 
   github-release-plugin:
     runs-on: ubuntu-latest

.github/workflows/nuget-push.sh

@@ -1,24 +0,0 @@
-#!/bin/bash
-
-SOURCE_NUPKG=$(find . -type f -name '*.nupkg')
-
-PACKAGE_VERSION=$(basename "$SOURCE_NUPKG" | rev | cut -d '.' -f 2-4 | rev)
-
-echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT"
-
-tmp=$(mktemp)
-
-if ! dotnet nuget push "$SOURCE_NUPKG" --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json > "$tmp" ; then
-    cat "$tmp"
-    if grep 'already exists and cannot be modified' "$tmp" ; then
-        echo "result=skipped" >> "$GITHUB_OUTPUT"
-        exit 0
-    else
-        echo "Unexpected failure to upload"
-        exit 1
-    fi
-fi
-
-cat "$tmp"
-
-echo "result=published" >> "$GITHUB_OUTPUT"