Sign nuget package using dotnet sign tool

NetOfficeFw · Dec 7, 2024 · 5388dd3 · 5388dd3
1 parent 9434246
commit 5388dd3
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,6 +5,10 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
 
   build:
@@ -32,6 +36,16 @@ jobs:
     - name: setup msbuild
       uses: microsoft/setup-msbuild@v2
 
+    - name: setup dotnet sign
+      run: dotnet tool install --tool-path . --prerelease sign
+
+    - name: azure login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.TRUSTED_SIGNING_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
     - name: build
       run: dotnet build -c ${{ env.Configuration }}
 
@@ -41,6 +55,19 @@ jobs:
     - name: pack
       run: dotnet pack --no-build --no-restore src/NetOfficeFw.Build.csproj -c ${{ env.Configuration }} -o dist
 
+    - name: sign
+      run: >
+        ./sign code trusted-signing
+        **/*.nupkg
+        --base-directory "${{ github.workspace }}/dist"
+        --publisher-name "NetOffice"
+        --description "NetOffice Build Tasks"
+        --description-url "https://github.com/NetOfficeFw/BuildTasks/"
+        --azure-key-vault-managed-identity true
+        --trusted-signing-endpoint "https://weu.codesigning.azure.net/",
+        --trusted-signing-account "OpenSourceSigning",
+        --trusted-signing-certificate-profile "JozefIzsoOpenSourceProfile"
+
     - name: archive
       if: always()
       uses: actions/upload-artifact@v4