77 changes: 75 additions & 2 deletions .github/workflows/reusable_sign-artifacts.yaml
@@ -4,7 +4,7 @@ on:
workflow_call:
inputs:
artifact-glob:
description: Glob pattern to match artifacts to sign (e.g. dist/**/*.{jar,deb,rpm})
description: Glob pattern to match artifacts to sign (e.g. dist/**/*.{jar,deb,rpm,nupkg})
required: true
type: string
output-dir:
@@ -17,16 +17,45 @@ on:
required: false
type: number
default: 7
enable-nuget-signing:
description: Enable SSL.com signing for NuGet packages
required: false
type: boolean
default: false
nuget-environment:
description: SSL.com environment name for NuGet signing
required: false
type: string
default: PROD
jvm-max-memory:
description: Maximum JVM memory for NuGet signing process
required: false
type: string
default: 1024M
secrets:
gpg-private-key:
required: true
gpg-public-key:
required: true
gpg-key-pass:
required: true
es-username:
description: SSL.com username for NuGet signing
required: false
es-password:
description: SSL.com password for NuGet signing
required: false
credential-id:
description: SSL.com credential ID for NuGet signing
required: false
es-totp-secret:
description: SSL.com TOTP secret for NuGet signing
required: false

permissions:
contents: read
packages: read

jobs:
sign:
runs-on: ubuntu-22.04
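Review bot: the four SSL.com secrets added here (es-username, es-password, credential-id, es-totp-secret) are all declared `required: false`, yet every one of them is needed whenever `enable-nuget-signing` is true, and nothing in this hunk enforces that; a caller that sets the flag but omits a secret will hand an empty string to the signing action and only find out when the run fails or, worse, produces an unsigned package. Suggest stating the dependency in each description ("required when enable-nuget-signing is true") and adding an early step that fails fast when the flag is set and any of the four secrets is empty.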
@@ -44,10 +73,54 @@ jobs:
run: |
sudo apt-get update && sudo apt-get install dpkg-sig dpkg-dev -y

- name: Sign Artifacts
- name: Sign Artifacts with GPG
run: |
chmod +x ${{ github.workspace }}/.github/workflows/sign-artifacts/entrypoint.sh
${{ github.workspace }}/.github/workflows/sign-artifacts/entrypoint.sh "${{ inputs.artifact-glob }}" "${{ inputs.output-dir }}"

- name: Check for NuGet packages and sign if enabled
Contributor

Does the step after this not actually list out the files that it signs? This seems like a weird step; just here to print information out?

Contributor Author

The previous commit had an all-in-one workflow that built the packages and then signed them; the build step was removed.

if: inputs.enable-nuget-signing
run: |
echo "Checking for NuGet packages..."
NUGET_PACKAGES=$(find "${{ inputs.output-dir }}" -name "*.nupkg" -type f)
if [ -n "$NUGET_PACKAGES" ]; then
echo "Found NuGet packages, signing with SSL.com..."
echo "$NUGET_PACKAGES" | while read -r file; do
echo "Signing: $file"
done
else
echo "No NuGet packages found"
fi

- name: Sign NuGet Packages with SSL.com
if: inputs.enable-nuget-signing
uses: sslcom/esigner-codesign@a272724cb13abe0abc579c6c40f7899969b6942b
with:
command: sign
username: ${{secrets.es-username}}
password: ${{secrets.es-password}}
credential_id: ${{secrets.credential-id}}
totp_secret: ${{secrets.es-totp-secret}}
file_path: ${{ inputs.output-dir }}/**/*.nupkg
output_path: ${{github.workspace}}/${{ inputs.output-dir }}
malware_block: false
override: false
environment_name: ${{ inputs.nuget-environment }}
clean_logs: true
jvm_max_memory: ${{ inputs.jvm-max-memory }}
signing_method: v1

- name: Verify NuGet Packages (if NuGet signing was performed)
Contributor

Do we want to capture the names of the signed packages from the previous step? This is probably fine, but it feels odd to run a find on something you should already know.

Contributor Author

Same as prior.

if: inputs.enable-nuget-signing
run: |
echo "Verifying signed NuGet packages..."
if [ -d "${{ inputs.output-dir }}" ]; then
find "${{ inputs.output-dir }}" -name "*.nupkg" -type f | while read -r file; do
echo "Verifying: $file"
dotnet nuget verify "$file" --all || echo "Warning: Could not verify $file"
done
fi

- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
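Review bot: in the "Verify NuGet Packages" step, `dotnet nuget verify "$file" --all || echo "Warning: Could not verify $file"` turns a failed signature check into a printed warning, so the job still succeeds and the following "Upload Artifacts" step publishes a package whose signature did not verify; drop the `|| echo` (or record each failure and exit non-zero after the loop) so that verification actually gates the upload. The step named "Check for NuGet packages and sign if enabled" only echoes file names and prints "signing with SSL.com..." without signing anything, so rename it to something like "List NuGet packages to sign" to match what it does. `malware_block: false` on the sslcom/esigner-codesign step also deserves a one-line comment explaining why the SSL.com malware scan is disabled for release artifacts.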
8 changes: 6 additions & 2 deletions .github/workflows/sign-artifacts/entrypoint.sh
@@ -40,7 +40,6 @@ echo "Processing all files in target directory: $TARGET_DIR"
find "$TARGET_DIR" -type f | while read -r file; do
echo "Processing: $file"


# Skip signature and checksum files to prevent infinite loops
if [[ "$file" =~ \.(asc|sha256)$ ]]; then
continue
@@ -80,8 +79,13 @@ find "$TARGET_DIR" -type f | while read -r file; do
# SHA256 checksum for signature file
shasum -a 256 "$file.asc" > "$file.asc.sha256"

echo "Signed: $file"
echo "GPG Signed: $file"
echo " Signature: $file.asc"
echo " Checksum: $file.sha256"
echo " Sig Checksum: $file.asc.sha256"

# Note about NuGet packages
if [[ "$ext" == "nupkg" ]]; then
Contributor

Would it be better to change the logic of the script to only pick up files it could sign? Aka, this bash script only signs rpms and debs, right? Or is this echo important?

Contributor Author

I added the NuGet signing to the reusable sign-artifacts file, so this just confirms whether there's a nupkg to be signed; if not, it skips the signing.

echo " Note: NuGet package detected - will be signed by SSL.com if enabled in workflow"
fi
done
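Review bot: the new message says the nupkg "will be signed by SSL.com if enabled", but by this point the loop has already written the `$file.asc` signature and the checksum files it echoes for that same package; if the SSL.com step in reusable_sign-artifacts.yaml later rewrites the nupkg (NuGet package signing embeds the signature inside the package), the detached GPG signature and checksums produced here will no longer match the final file. Suggest skipping `.nupkg` files in this loop when NuGet signing is enabled, or running the GPG step after SSL.com signing, and document which order is intended. Also, `$ext` in the new condition is not defined in any of the visible lines, so confirm it is set earlier in the script.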
143 changes: 0 additions & 143 deletions .github/workflows/sign-nuget-package.yaml

This file was deleted.

6 changes: 1 addition & 5 deletions .vscode/settings.json
@@ -1,9 +1,5 @@
{
"yaml.schemas": {},
"cSpell.words": [
"aerospike",
"kennylong",
"kennylong's"
],
"cSpell.words": ["aerospike", "kennylong", "kennylong's"],
"postman.settings.dotenv-detection-notification-visibility": false
}