Change namespace, and attest contents of NuGet package (#21)

2025-10-11 04:18:38 +00:00 · 2024-06-17 23:22:27 +01:00
parent 4d4aa25825
commit 2655682e32
10 changed files with 106 additions and 27 deletions
--- a/.github/workflows/dotnet.yaml
+++ b/.github/workflows/dotnet.yaml
@@ -182,11 +182,34 @@ jobs:
    steps:
      - run: echo "All required checks complete."

+  attestation:
+    runs-on: ubuntu-latest
+    needs: [all-required-checks-complete]
+    if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+    steps:
+      - name: Download NuGet artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: nuget-package
+          path: packed
+      - name: Attest Build Provenance
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: "packed/WoofWare.PrattParser.*.nupkg"
+
  nuget-publish:
    runs-on: ubuntu-latest
    if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
    needs: [all-required-checks-complete]
    environment: main-deploy
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Install Nix
@@ -200,7 +223,25 @@ jobs:
          name: nuget-package
          path: packed
      - name: Publish to NuGet
-        run: nix develop --command dotnet nuget push "packed/WoofWare.PrattParser.*.nupkg" --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate
+        id: publish-success
+        env:
+          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+        run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.PrattParser.*.nupkg"'
+      - name: Wait for availability
+        if: steps.publish-success.outputs.result == 'published'
+        env:
+          PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }}
+        run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.PrattParser/$PACKAGE_VERSION" ; do sleep 10; done'
+      # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/).
+      # So we have to *re-attest* it after it's uploaded. Mind-blowing.
+      - name: Assert package contents
+        if: steps.publish-success.outputs.result == 'published'
+        run: 'bash ./.github/workflows/assert-contents.sh'
+      - name: Attest Build Provenance
+        if: steps.publish-success.outputs.result == 'published'
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: "from-nuget.nupkg"

  github-release:
    runs-on: ubuntu-latest