
Commit 8d08398

committed
ci: Update signing
1 parent 9bd2247 commit 8d08398

3 files changed

Lines changed: 30 additions & 43 deletions


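--- a/.github/workflows/runtime-ci.yml
+++ b/.github/workflows/runtime-ci.yml
@@ -347,6 +347,10 @@ jobs:
 name: Sign Package
 if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) }}
 runs-on: windows-latest
+
+permissions:
+id-token: write # Required for requesting the JWT
+
 needs: [package_job,build_aot_windows_job,build_aot_linux_job]
 steps:
 - name: Checkout
@@ -362,22 +366,40 @@ jobs:
 - name: Setup .NET SDK
 uses: actions/setup-dotnet@v4
 with:
-dotnet-version: '3.1.x'
+dotnet-version: '9.0.x'
 
-- name: Setup SignClient
-run: |
-dotnet tool install --tool-path build SignClient
+# Install the code signing tool
+- name: Install Sign CLI tool
+run: dotnet tool install --tool-path . sign --version 0.9.1-beta.25278.1
 
-- name: SignClient
+# Login to Azure using a ServicePrincipal configured to authenticate against a GitHub Action
+- name: 'Az CLI login'
+uses: azure/login@v1
+with:
+allow-no-subscriptions: true
+client-id: ${{ secrets.SIGN_AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.SIGN_AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.SIGN_AZURE_SUBSCRIPTION_ID }}
+
+# Run the signing command
+- name: Sign artifacts
 shell: pwsh
-run: |
-build\SignClient sign -i artifacts\*.nupkg -c build\signing\SignClient.json -r "${{ secrets.UNO_PLATFORM_CODESIGN_USERNAME }}" -s "${{ secrets.UNO_PLATFORM_CODESIGN_SECRET }}" -n "dotnet runtime" -d "dotnet runtime" -u "https://github.dev/unoplatform/Uno.DotnetRuntime.WebAssembly"
+run: >
+./sign code azure-key-vault
+artifacts/*.nupkg
+--publisher-name "Uno.DotnetRuntime.WebAssembly"
+--description "Uno.DotnetRuntime.WebAssembly"
+--description-url "https://github.com/${{ github.repository }}"
+--azure-key-vault-managed-identity true
+--azure-key-vault-url "${{ secrets.SIGN_KEY_VAULT_URL }}"
+--azure-key-vault-certificate "${{ secrets.SIGN_KEY_VAULT_CERTIFICATE_ID }}"
+--verbosity information
 
 - name: Upload Signed Artifacts
 uses: actions/upload-artifact@v4
 with:
 name: nuget-signed
-path: .\artifacts
+path: .\artifacts
 
 publish_dev:
 name: Publish Dev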
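Review bot: The new `Az CLI login` step references `azure/login@v1`, a mutable tag, inside the one job that holds `id-token: write` and reaches the code-signing certificate, so any change to what that tag points at runs with the ability to request the signing identity's token. Pin it to a reviewed full commit SHA, e.g. `uses: azure/login@<full-commit-sha> # <release tag>` (placeholders), and consider the same for `actions/setup-dotnet@v4` and `actions/upload-artifact@v4` in this job. The added `permissions:` block also drops every unlisted scope to none, so add `contents: read` explicitly if the Checkout step needs it. The federated credential on the Azure side is not visible here; its subject should presumably be limited to the same `main` and `release/*` refs as the job's `if:` condition. Indentation was lost in this rendering, and the job definition begins above the first hunk.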

build/signing/SignClient.json

Lines changed: 0 additions & 13 deletions
This file was deleted.

build/signing/sign-package.ps1

Lines changed: 0 additions & 22 deletions
This file was deleted.
