feat: adding Nuget signing workflow #29
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new NuGet package signing workflow to the shared workflows repository. The workflow enables automatic signing of NuGet packages using SSL.com certificates with both artifact download and local build fallback capabilities.
- Adds comprehensive documentation for the new NuGet signing workflow in README.md
- Creates a reusable workflow for signing NuGet packages with SSL.com certificates
- Includes both artifact-based and local build approaches for package signing
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Adds comprehensive documentation for the new NuGet signing workflow including usage examples and configuration options |
| .vscode/settings.json | Minor VS Code configuration update to disable postman notification |
| .github/workflows/sign-nuget-package.yaml | Implements the main NuGet signing workflow with artifact detection, local build fallback, and verification |
README.md
Outdated
|
|
||
| If these properties are not found, the workflow uses sensible defaults. | ||
|
|
||
| # shared-workflows |
There was a problem hiding this comment.
I think somehow this file was garbled in the commits. Looks like the readme was duplicated?
| echo "⚠️ No artifacts found, attempting to build locally" | ||
| fi | ||
| - name: Build locally if no artifacts found |
There was a problem hiding this comment.
I think we may be stepping outside of our bounds by building artifacts in this step. We should really just be signing artifacts here.
| uses: actions/download-artifact@v4 | ||
| continue-on-error: true | ||
| with: | ||
| name: nuget-package |
There was a problem hiding this comment.
Let us use an input to give the name of the package to download.
| @@ -1,4 +1,9 @@ | |||
| { | |||
| "yaml.schemas": {}, | |||
| "cSpell.words": ["aerospike", "kennylong", "kennylong's"] | |||
There was a problem hiding this comment.
This looks like there is a war between formatters but please use the default trunk from this repository.
| - name: Sign NuGet Package with CodeSignTool | ||
| uses: sslcom/esigner-codesign@a272724cb13abe0abc579c6c40f7899969b6942b | ||
| with: | ||
| command: sign | ||
| username: ${{secrets.ES_USERNAME}} | ||
| password: ${{secrets.ES_PASSWORD}} | ||
| credential_id: ${{secrets.CREDENTIAL_ID}} | ||
| totp_secret: ${{secrets.ES_TOTP_SECRET}} | ||
| file_path: ${{ steps.find-package.outputs.package_file }} | ||
| output_path: ${{github.workspace}}/signed-artifacts | ||
| malware_block: false | ||
| override: false | ||
| environment_name: PROD | ||
| clean_logs: true | ||
| jvm_max_memory: 1024M | ||
| signing_method: v1 |
There was a problem hiding this comment.
Is this really all that is needed to sign nuget packages? If so we should just integrate it into the reusable_sign-artifacts.yaml
… workflow - Add NuGet package signing with SSL.com certificates - Support multiple signing types (gpg, nuget, both) - Add configurable input parameters for nuget signing options - Maintain backward compatibility with existing GPG signing - Updated documentation with comprehensive usage examples
| chmod +x ${{ github.workspace }}/.github/workflows/sign-artifacts/entrypoint.sh | ||
| ${{ github.workspace }}/.github/workflows/sign-artifacts/entrypoint.sh "${{ inputs.artifact-glob }}" "${{ inputs.output-dir }}" | ||
| - name: Check for NuGet packages and sign if enabled |
There was a problem hiding this comment.
Does the step after this not actually list out the files that it signs? this seems like a weird step? Just here to print information out?
There was a problem hiding this comment.
The previous commit had an all in one workflow that built the packages then signed them, the build step was removed.
| jvm_max_memory: ${{ inputs.jvm-max-memory }} | ||
| signing_method: v1 | ||
|
|
||
| - name: Verify NuGet Packages (if NuGet signing was performed) |
There was a problem hiding this comment.
do we want to capture the names of the signed package from the previous step? this is probably fine... but feels odd to run a find on something you should know.
| echo " Sig Checksum: $file.asc.sha256" | ||
|
|
||
| # Note about NuGet packages | ||
| if [[ "$ext" == "nupkg" ]]; then |
There was a problem hiding this comment.
would it be better to change the logic of the script to only pick up files it could sign, aka, this bash script only signs rpms, and debs right? Or is this echo important?
There was a problem hiding this comment.
i added the nuget signing to the reusable-sign artifacts file. so this just confirms if theres a nupkg to be signed if not it skips the signing
- Merge NuGet signing functionality from HEAD branch - Merge Artifactory/OIDC inputs from origin/main branch - Fix parameter naming consistency (artifact-name vs output-dir)
- Create dedicated nuget-sign-artifacts.yaml workflow for NuGet package signing - Remove NuGet-specific functionality from reusable_sign-artifacts.yaml - Update secret names to match existing team workflows (ES_USERNAME, ES_PASSWORD, etc.) - Use batch_sign command and dir_path/output_path parameters for compatibility - Add malware-block and override configuration options - Fix YAML formatting issues in reusable workflow - Maintain backward compatibility for existing GPG signing workflows
- Add better debugging output when no packages are found - Add skip-package-check option for workflows that handle package preparation - Check packages in the correct input directory instead of current directory - Provide detailed directory structure information on failure
- Support both relative and absolute output paths - Convert 'artifacts' to full workspace path when needed - Update SSL.com action and verification steps to use correct paths - Ensure compatibility with calling workflows that pass relative paths
- Add better debugging output to show current directory and workspace - Handle both relative and absolute paths for artifact-glob - Provide detailed directory contents when packages not found - Fix issue where /sign path was not resolving correctly
…ts before signing
Adding an additional workflow yaml in shared_workflows to sign nuget packages. when invoked the workflow will either search for artifacts within the github actions artifact pipeline or build locally . signing and verification are included.