-
Notifications
You must be signed in to change notification settings - Fork 0
161 lines (137 loc) · 6.04 KB
/
Copy pathrelease.yml
File metadata and controls
161 lines (137 loc) · 6.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# Release oficial: strong-name + NuGet.org vía Trusted Publishing (OIDC)
# Disparador: tag semver v*.*.* (ej. v1.0.5)
#
# Environment "nuget-publish" (Settings → Environments):
# NUGET_USER — username nuget.org de quien CREÓ la política Trusted Publishing
# EMZAPPS_SNK — strong-name .snk en base64
# NUGET_SIGN_CERT_PFX — (opcional) certificado Authenticode .pfx en base64
# NUGET_SIGN_CERT_PASSWORD — (opcional) contraseña del .pfx
#
# Sin certificado: el .nupkg se publica sin Author Signing; nuget.org aplica Repository Signing.
name: Release
on:
push:
tags:
- 'v*.*.*'
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
permissions:
contents: write
jobs:
release:
name: Build, sign and publish
runs-on: windows-latest
environment: nuget-publish
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Extract version from tag
id: version
shell: pwsh
run: |
$tag = '${{ github.ref_name }}'
if ($tag -notmatch '^v(?<ver>.+)$') {
throw "Tag inválido: $tag (esperado vMAJOR.MINOR.PATCH)"
}
"version=$($Matches['ver'])" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Setup NuGet
uses: nuget/setup-nuget@v4
with:
nuget-version: 6.x
- name: Setup .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: 8.0.x
- name: Setup MSBuild
uses: microsoft/setup-msbuild@v2
- name: Restore packages
run: nuget restore NETFastSearchLibrary.sln
- name: Install .NET Framework 4.0 reference assemblies
shell: pwsh
run: |
nuget install Microsoft.NETFramework.ReferenceAssemblies.net40 -Version 1.0.3 -OutputDirectory $env:RUNNER_TEMP\refassemblies
$src = Join-Path $env:RUNNER_TEMP 'refassemblies\Microsoft.NETFramework.ReferenceAssemblies.net40.1.0.3\build\.NETFramework\v4.0'
$dest = 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0'
New-Item -ItemType Directory -Force -Path $dest | Out-Null
Copy-Item "$src\*" -Destination $dest -Recurse -Force
- name: Prepare signing keys
id: prepare
shell: pwsh
env:
EMZAPPS_SNK: ${{ secrets.EMZAPPS_SNK }}
NUGET_SIGN_CERT_PFX: ${{ secrets.NUGET_SIGN_CERT_PFX }}
run: |
if ([string]::IsNullOrWhiteSpace($env:EMZAPPS_SNK)) {
throw 'Falta el secreto EMZAPPS_SNK (strong-name, base64).'
}
$snkPath = Join-Path $env:GITHUB_WORKSPACE 'NETFastSearchLibrary\EMZApps.snk'
[IO.File]::WriteAllBytes($snkPath, [Convert]::FromBase64String($env:EMZAPPS_SNK))
if (-not [string]::IsNullOrWhiteSpace($env:NUGET_SIGN_CERT_PFX)) {
$pfxPath = Join-Path $env:GITHUB_WORKSPACE 'nuget-sign.pfx'
[IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:NUGET_SIGN_CERT_PFX))
"author_sign=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Write-Host "Author Signing: habilitado (certificado presente)."
} else {
"author_sign=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Write-Host "Author Signing: omitido (sin NUGET_SIGN_CERT_PFX). nuget.org firmará el repositorio."
}
- name: Build Release (strong-name)
run: msbuild NETFastSearchLibrary\NETFastSearchLibrary.csproj /p:Configuration=Release /p:Platform=AnyCPU /p:OfficialBuild=true /t:Rebuild /verbosity:minimal
- name: Pack NuGet
shell: pwsh
run: |
New-Item -ItemType Directory -Force -Path artifacts | Out-Null
nuget pack NETFastSearchLibrary\NETFastSearchLibrary.Legacy.nuspec `
-Version '${{ steps.version.outputs.version }}' `
-OutputDirectory artifacts `
-Properties "Configuration=Release;commit=${{ github.sha }}"
- name: Sign NuGet package (Author / Authenticode)
if: steps.prepare.outputs.author_sign == 'true'
shell: pwsh
env:
NUGET_SIGN_CERT_PASSWORD: ${{ secrets.NUGET_SIGN_CERT_PASSWORD }}
run: |
if ([string]::IsNullOrWhiteSpace($env:NUGET_SIGN_CERT_PASSWORD)) {
throw 'NUGET_SIGN_CERT_PFX está definido pero falta NUGET_SIGN_CERT_PASSWORD.'
}
$nupkg = Get-ChildItem artifacts\*.nupkg | Select-Object -First 1
if (-not $nupkg) { throw 'No se generó ningún .nupkg.' }
nuget sign $nupkg.FullName `
-CertificatePath "$env:GITHUB_WORKSPACE\nuget-sign.pfx" `
-CertificatePassword "$env:NUGET_SIGN_CERT_PASSWORD" `
-Timestamper http://timestamp.digicert.com `
-TimestampHashAlgorithm SHA256 `
-HashAlgorithm SHA256 `
-NonInteractive
- name: Verify NuGet Author signature
if: steps.prepare.outputs.author_sign == 'true'
shell: pwsh
run: |
$nupkg = Get-ChildItem artifacts\*.nupkg | Select-Object -First 1
nuget verify -Signatures $nupkg.FullName
- name: NuGet login (Trusted Publishing)
uses: NuGet/login@v1
id: nuget_login
with:
user: ${{ secrets.NUGET_USER }}
- name: Push to NuGet.org
shell: pwsh
run: |
$nupkg = Get-ChildItem artifacts\*.nupkg | Select-Object -First 1
if (-not $nupkg) { throw 'No se generó ningún .nupkg.' }
dotnet nuget push $nupkg.FullName `
--api-key "${{ steps.nuget_login.outputs.NUGET_API_KEY }}" `
--source https://api.nuget.org/v3/index.json `
--skip-duplicate
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
name: ${{ github.ref_name }}
files: |
artifacts/*.nupkg
NETFastSearchLibrary/bin/Release/NETFastSearchLibrary.dll
NETFastSearchLibrary/bin/Release/NETFastSearchLibrary.XML
generate_release_notes: true