diff --git a/.github/workflows/config.yml b/.github/workflows/config.yml index ca2ad932b..50752350b 100644 --- a/.github/workflows/config.yml +++ b/.github/workflows/config.yml @@ -15,6 +15,9 @@ env: LICENSE_KEY: ${{ secrets.LICENSE_KEY }} SQL_USER_PASSWORD: ${{ secrets.SQL_USER_PASSWORD }} S2MS_API_KEY: ${{ secrets.S2MS_API_KEY }} + AZURE_TRUSTED_SIGNING_ACCOUNT: SingleStore + AZURE_TRUSTED_SIGNING_PROFILE: ConnectorsReleaseProfile + AZURE_TRUSTED_SIGNING_ENDPOINT: https://eus.codesigning.azure.net/ jobs: fetch-s2-versions: @@ -206,11 +209,17 @@ jobs: - name: Pack NuGet run: dotnet pack .\src\EFCore.SingleStore\EFCore.SingleStore.csproj -c Release -o efcore_provider - - name: Upload Artifact - uses: actions/upload-artifact@v4 + # Authenticate to Azure via OIDC (using your App Registration) + - name: Azure Login + uses: azure/login@v2 with: - name: efcore-provider - path: efcore_provider/ + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Install Microsoft's unified Sign tool + - name: Install .NET Sign CLI Tool + run: dotnet tool install -g --prerelease sign # Get a short-lived NuGet API key - name: NuGet login (OIDC → temp API key) @@ -219,7 +228,22 @@ jobs: with: user: ${{ secrets.NUGET_USER }} - # Push the package + # Sign the .nupkg file directly + - name: Sign NuGet Package with Artifact Signing + run: | + sign code artifact-signing ` + --artifact-signing-endpoint "${{ env.AZURE_TRUSTED_SIGNING_ENDPOINT }}" ` + --artifact-signing-account "${{ env.AZURE_TRUSTED_SIGNING_ACCOUNT }}" ` + --artifact-signing-certificate-profile "${{ env.AZURE_TRUSTED_SIGNING_PROFILE }}" ` + --timestamp-url "http://timestamp.acs.microsoft.com" ` + "efcore_provider/*.nupkg" + + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: efcore-provider + path: efcore_provider/ + - name: NuGet push run: > dotnet nuget push "efcore_provider/*.nupkg"