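# Builds MyDocProcApp for every OS/architecture pair in the matrix, then signs
# the published .exe files with Azure Trusted Signing using GitHub OIDC
# federation (no long-lived Azure secret is stored in the repository).
#
# Supply-chain note: every `uses:` below references a mutable tag. Pinning each
# action to a full commit SHA (for example `owner/action@<full-commit-sha>`)
# stops a re-tagged release from running inside the signing job.
name: Console (.NET) - Trusted Signing

on:
  workflow_dispatch:

defaults:
  run:
    shell: pwsh

# Once a `permissions` block is present, every scope not listed is set to
# `none`. The workflow-wide default is therefore read-only repository access
# (what checkout needs); OIDC token issuance is granted only to the signing job.
permissions:
  contents: read

env:
  CSPROJ_PATH: src/Console/MyDocProcApp/MyDocProcApp.csproj
  NUGETCONFIG_PATH: src/NuGet.Config
  BUILD_CONFIGURATION: Release

jobs:
  # Restores and publishes the project once per matrix entry. This job runs
  # package restore and build tooling, so it deliberately has no `id-token`
  # scope: code executed during the build cannot request an OIDC token for the
  # signing identity.
  build_console:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        os: [linux, win]
        config: [x64, arm64]
    env:
      OUTPUT_DIR: ${{ github.workspace }}/output/${{ matrix.os }}-${{ matrix.config }}/
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # No later step pushes or fetches, so do not leave the job token in
          # .git/config where restore/build tooling could read it.
          persist-credentials: false

      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'

      # The feed key is handed over through the environment instead of being
      # expanded into the script text, so its characters are never parsed as
      # PowerShell. --store-password-in-clear-text writes the key unencrypted
      # into NUGETCONFIG_PATH on the runner; that file sits under src/, outside
      # OUTPUT_DIR, so it is not part of the uploaded artifact.
      - name: Update NuGet Package Sources
        env:
          TELERIK_NUGET_KEY: ${{ secrets.TELERIK_NUGET_KEY }}
        run: >-
          dotnet nuget update source 'Telerik_v3_Feed'
          -s 'https://nuget.telerik.com/v3/index.json'
          -u "api-key"
          -p "$env:TELERIK_NUGET_KEY"
          --configfile ${{ env.NUGETCONFIG_PATH }}
          --store-password-in-clear-text

      - name: Restore NuGet packages
        run: >-
          dotnet restore ${{ env.CSPROJ_PATH }}
          --configfile ${{ env.NUGETCONFIG_PATH }}
          --runtime ${{ matrix.os }}-${{ matrix.config }}

      - name: Build project
        run: >-
          dotnet publish ${{ env.CSPROJ_PATH }}
          --configuration ${{ env.BUILD_CONFIGURATION }}
          --runtime ${{ matrix.os }}-${{ matrix.config }}
          --no-self-contained
          --no-restore
          --output ${{ env.OUTPUT_DIR }}
        env:
          TELERIK_LICENSE: ${{ secrets.TELERIK_LICENSE_KEY }}

      # Unsigned build output; the signing job deletes these artifacts at the
      # end of the run.
      - name: Attach artifacts
        id: upload-artifact
        uses: actions/upload-artifact@v4
        with:
          name: "Console_${{ matrix.os }}-${{ matrix.config }}"
          path: ${{ env.OUTPUT_DIR }}
          if-no-files-found: error
          retention-days: 30

  # Downloads every build artifact, signs the .exe files, publishes the signed
  # bundle and removes the unsigned per-platform artifacts.
  codesign_release:
    name: Codesign Release
    if: ${{ success() }}
    runs-on: windows-latest
    needs: [build_console]
    # Job-level permissions replace the workflow default for this job.
    permissions:
      # Lets azure/login request the GitHub OIDC token.
      id-token: write
      # Needed by the artifact-deletion step, which uses the job token against
      # the Actions API. Without it the deletion fails and failOnError: false
      # hides that, leaving unsigned binaries downloadable for the retention
      # period. NOTE(review): confirm the required scope in the action's README.
      actions: write
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          path: ${{ github.workspace }}/artifacts/

      # No secrets needed, uses the GitHub OIDC token to authenticate.
      # The three IDs are identifiers, not credentials. What protects the
      # signing identity is the federated credential on the Azure side:
      # NOTE(review): confirm its subject is limited to this repository and to
      # the branch or environment that is allowed to sign.
      - name: Azure login using OIDC via GitHub
        uses: azure/login@v2
        id: azlogin
        with:
          client-id: "32daa13b-f4bb-4809-8ef6-58cb39051acd"
          tenant-id: "bd47e796-3473-4b8a-9101-1f4c0c7af31a"
          subscription-id: "48ab4839-62af-4ab3-afe6-043ea4d7c137"

      # Codesign files with Azure Trusted Signing.
      # Every credential source except the Azure CLI session created by the
      # login step is excluded, so signing can only use that OIDC-backed login.
      # NOTE(review): the filter signs .exe files only. The build publishes with
      # --no-self-contained, so any .dll files in the output, and the whole
      # linux-* output, are uploaded in Console_Codesigned without a signature.
      # Confirm that this is intended.
      - name: Sign files with Trusted Signing
        uses: azure/trusted-signing-action@v0.4.0
        with:
          endpoint: https://eus.codesigning.azure.net/
          trusted-signing-account-name: PrimaryCodeSign
          certificate-profile-name: lancemccarthylivepublic
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
          file-digest: SHA256
          files-folder: ${{ github.workspace }}/artifacts/
          files-folder-filter: exe
          files-folder-depth: 3
          exclude-azure-cli-credential: false
          exclude-environment-credential: true
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true

      - name: Attach signed artifact
        id: upload-artifact
        uses: actions/upload-artifact@v4
        with:
          name: "Console_Codesigned"
          path: ${{ github.workspace }}/artifacts/
          if-no-files-found: error
          retention-days: 30

      # Best-effort cleanup: failOnError: false keeps the run green when the
      # deletion fails, so check the step log when unsigned artifacts must not
      # remain available.
      - name: Delete unsigned artifacts from run
        uses: geekyeggo/delete-artifact@v5
        with:
          name: |
            Console_linux-x64
            Console_linux-arm64
            Console_win-x64
            Console_win-arm64
          failOnError: false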