Rename Azure CTS to Microsoft's Signing Transparency (MST) #937
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #### Build, Test, and Publish #### | |
| # This is the main workflow for the CoseSignTool project. It handles the following events: | |
| # - Pull requests: When a user submits a pull request, or pushes a commit to an existing pull request, this workflow | |
| # - generates a changelog and commits it to the working branch, and then | |
| # - builds and tests the code. | |
| # - Pushes to the main branch: When a user pushes a commit to the main branch, this workflow | |
| # - creates a semantically versioned tag, | |
| # - creates a release with the new tag, and then | |
| # - triggers the release portion of the workflow. | |
| # - Releases: When a user creates a release, or a release is created in response to a push event, this workflow | |
| # - builds, publishes, and zips the outputs, and then | |
| # - uploads the zipped assets to the release. | |
| name: Build, Test, and Publish | |
| on: | |
| pull_request: | |
| branches: [ "*" ] # Trigger on all branches for pull requests. | |
| push: | |
| branches: [ "main" ] # Trigger on pushes to the main branch. | |
| release: | |
| types: [ created ] # Trigger on new releases. | |
| jobs: | |
| #### PULL REQUEST EVENTS #### | |
| # Build and test the code. | |
| build: | |
| name: build-${{matrix.os}}${{matrix.runtime_id && format('-{0}', matrix.runtime_id) || ''}} | |
| if: ${{ github.event_name == 'pull_request' }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| include: | |
| - os: windows-latest | |
| dir_command: gci -Recurse | |
| - os: ubuntu-latest | |
| dir_command: ls -a -R | |
| - os: macos-latest | |
| runtime_id: osx-x64 | |
| dir_command: ls -a -R | |
| - os: macos-latest | |
| runtime_id: osx-arm64 | |
| dir_command: ls -a -R | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup .NET | |
| uses: actions/setup-dotnet@v3 | |
| with: | |
| dotnet-version: 8.0.x | |
| # Show dotnet info for debugging architecture issues | |
| - name: Show .NET info | |
| run: dotnet --info | |
| # Use the Dotnet Test command to load dependencies, build, and test the code. | |
| # We have to run the test projects individually so CoseSignTool.Tests can run under arm64 on the Mac runner. | |
| - name: Build and Test debug | |
| id: build-test | |
| run: | | |
| dotnet build --configuration Debug CoseSignTool.sln | |
| dotnet test --no-restore CoseSign1.Tests/CoseSign1.Tests.csproj | |
| dotnet test --no-restore CoseSign1.Certificates.Tests/CoseSign1.Certificates.Tests.csproj | |
| dotnet test --no-restore CoseSign1.Certificates.AzureTrustedSigning.Tests/CoseSign1.Certificates.AzureTrustedSigning.Tests.csproj | |
| dotnet test --no-restore CoseSign1.Headers.Tests/CoseSign1.Headers.Tests.csproj | |
| dotnet test --no-restore CoseIndirectSignature.Tests/CoseIndirectSignature.Tests.csproj | |
| dotnet test --no-restore CoseSign1.Transparent.Tests/CoseSign1.Transparent.Tests.csproj | |
| dotnet test --no-restore CoseSign1.Transparent.MST.Tests/CoseSign1.Transparent.MST.Tests.csproj | |
| dotnet test --no-restore CoseHandler.Tests/CoseHandler.Tests.csproj | |
| dotnet test --no-restore CoseSignTool.Tests/CoseSignTool.Tests.csproj | |
| dotnet test --no-restore CoseSignTool.Abstractions.Tests/CoseSignTool.Abstractions.Tests.csproj | |
| dotnet test --no-restore CoseSignTool.MST.Plugin.Tests/CoseSignTool.MST.Plugin.Tests.csproj | |
| dotnet test --no-restore CoseSignTool.IndirectSignature.Plugin.Tests/CoseSignTool.IndirectSignature.Plugin.Tests.csproj | |
| # List the contents of the working directory to make sure all the artifacts are there. | |
| - name: List working directory | |
| run: ${{ matrix.dir_command }} | |
| # Create a changelog that includes all the PRs merged since the last release. | |
| # If it's not a pull request, skip to the build job. | |
| create_changelog: | |
| needs: [ build ] # Wait here so we don't create any race conditions. | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: write | |
| contents: write | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| security-events: write | |
| statuses: write | |
| steps: | |
| # Checkout the working branch. | |
| - name: Checkout code | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/checkout@v2 | |
| # Sync the changelog version. | |
| - name: Fetch and checkout | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| git config --local user.email "action@github.com" | |
| git config --local user.name "GitHub Action" | |
| echo "Fetch from repository." | |
| git fetch | |
| echo "Undo any user changes to CHANGELOG.md. This is needed because the user's copy becomes obsolete after every checkin." | |
| git reset -- CHANGELOG.md | |
| echo "Checkout the working branch." | |
| git checkout $GITHUB_HEAD_REF | |
| # Generate the new changelog. | |
| - name: Generate changelog | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: tj-actions/github-changelog-generator@v1.19 | |
| with: | |
| output: CHANGELOG.md | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # Commit the changelog. | |
| - name: Commit changelog | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| git add CHANGELOG.md | |
| if git diff-index --quiet HEAD; then | |
| echo "No changes were logged." | |
| else | |
| git commit --allow-empty -m "Update changelog for release" | |
| git push | |
| fi | |
| # Print default message if changelog is not updated. | |
| - name: Print exit message when changelog is not updated | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: echo "Changelog is already up to date." | |
| #### PUSH EVENTS #### | |
| # Create a semantically versioned release. | |
| # A prerelease is created for every push to the main branch. | |
| # Official releases are created manually on GitHub. | |
| create_release: | |
| name: Create Release | |
| if: ${{ github.event_name == 'push' || github.event_name == 'release'}} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: write | |
| contents: write | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| security-events: write | |
| statuses: write | |
| outputs: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| tag_name: ${{ steps.output_tag_name.outputs.tag_name }} | |
| steps: | |
| # Checkout the main branch and fetch tags. | |
| - name: Checkout code | |
| if: ${{ github.event_name == 'push' }} | |
| uses: actions/checkout@v3 | |
| # Checkout the main branch so we can see the correct tag set. | |
| - name: Fetch and checkout main | |
| if: ${{ github.event_name == 'push' }} | |
| run: | | |
| git config --local user.email "action@github.com" | |
| git config --local user.name "GitHub Action" | |
| git fetch | |
| git checkout main | |
| # Create a semantically versioned tag that increments the last release. | |
| # If the last release is a pre-release, increment the pre-release number, so v1.2.3-pre4 becomes v1.2.3-pre5. | |
| # If the last release is an official release, create a new pre-release, so v1.2.3 becomes v1.2.3-pre1. | |
| - name: Increment pre-release tag | |
| if: ${{ github.event_name == 'push' }} | |
| id: new-tag # Output: ${{ steps.new-tag.outputs.newtag }} | |
| run: | | |
| CURRENT_TAG=$(git tag | sort --version-sort | tail -n1) | |
| echo "Current tag is $CURRENT_TAG" | |
| if [[ $CURRENT_TAG =~ ^v([0-9]+\.[0-9]+\.[0-9]+)(-pre([0-9]+))?$ ]]; then | |
| BASE_VERSION=${BASH_REMATCH[1]} | |
| PRE_VERSION=${BASH_REMATCH[3]} | |
| if [ -z "$PRE_VERSION" ]; then | |
| NEW_TAG="v$BASE_VERSION-pre1" | |
| else | |
| NEW_TAG="v$BASE_VERSION-pre$((PRE_VERSION + 1))" | |
| fi | |
| echo "New tag is $NEW_TAG" | |
| echo "Let's make sure this tag doesn't already exist..." | |
| tries=0 | |
| maxTries=5 | |
| while true; do | |
| echo "This is try $tries" | |
| RESPONSE=$(curl -sl https://api.github.com/repos/microsoft/CoseSignTool/releases/tags/$NEW_TAG) | |
| if [ "$(echo "$RESPONSE" | jq -r '.message')" == "Not Found" ]; then | |
| echo "Tag not found. We're good to go." | |
| break | |
| else | |
| if [ $tries -ge $maxTries ]; then | |
| echo "Max tries reached. Exiting." | |
| exit 1 | |
| fi | |
| echo "Oops! That tag already exists!" | |
| NEW_TAG="${NEW_TAG%-*}-pre$(( ${NEW_TAG##*-pre} + 1 ))" # Increment the prerelease number. | |
| echo "Let's try $NEW_TAG" | |
| tries=$((tries+1)) | |
| fi | |
| done | |
| echo "::set-output name=newtag::$NEW_TAG" | |
| else | |
| echo "Invalid tag format" | |
| exit 1 | |
| fi | |
| # Create the release. This should generate a release event, which will trigger the release_assets job. | |
| - name: Create Release | |
| if: ${{ github.event_name == 'push' }} | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| # Get the tag name and release name from the previous step. | |
| tag_name: ${{ steps.new-tag.outputs.newtag }} | |
| release_name: Release ${{ steps.new-tag.outputs.newtag }} | |
| # Generate release text from changelog. | |
| body_path: ./CHANGELOG.md | |
| # Always use prerelease for automated releases. Official releases are created manually. | |
| prerelease: true | |
| # Output the semver tag if it's a push event, or the most recent tag if it's a release event. | |
| - name: Output tag name | |
| id: output_tag_name | |
| run: | | |
| if [ "${{ github.event_name }}" == "push" ]; then | |
| echo "::set-output name=tag_name::${{ steps.new-tag.outputs.newtag }}" | |
| echo "Generated semver tag is ${{ steps.new-tag.outputs.newtag }}." | |
| else | |
| echo "::set-output name=tag_name::${{ github.event.release.tag_name }}" | |
| echo "Current release tag is ${{ github.event.release.tag_name }}." | |
| fi | |
| #### RELEASE EVENTS #### | |
| # Build, publish, and zip the outputs, and then upload them to the release. | |
| # We include the push event and the dependency on create_release to support automatic releases, because | |
| # automatic release creation does not trigger the release event. | |
| release_assets: | |
| name: release-assets | |
| if: ${{ github.event_name == 'release' || github.event_name == 'push'}} | |
| needs: [ create_release ] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| actions: write | |
| contents: write | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| security-events: write | |
| statuses: write | |
| strategy: | |
| matrix: | |
| include: | |
| - os: windows-latest | |
| dir_command: gci -Recurse | |
| zip_command_debug: Compress-Archive -Path ./debug/ -DestinationPath CoseSignTool-Windows-debug.zip | |
| zip_command_release: Compress-Archive -Path ./release/ -DestinationPath CoseSignTool-Windows-release.zip | |
| - os: ubuntu-latest | |
| dir_command: ls -a -R | |
| zip_command_debug: zip -r CoseSignTool-Linux-debug.zip ./debug/ | |
| zip_command_release: zip -r CoseSignTool-Linux-release.zip ./release/ | |
| - os: macos-latest | |
| runtime_id: osx-x64 | |
| dir_command: ls -a -R | |
| zip_command_debug: zip -r CoseSignTool-MacOS-x64-debug.zip ./debug/ | |
| zip_command_release: zip -r CoseSignTool-MacOS-x64-release.zip ./release/ | |
| - os: macos-latest | |
| runtime_id: osx-arm64 | |
| dir_command: ls -a -R | |
| zip_command_debug: zip -r CoseSignTool-MacOS-arm64-debug.zip ./debug/ | |
| zip_command_release: zip -r CoseSignTool-MacOS-arm64-release.zip ./release/ | |
| steps: | |
| # Checkout the branch. | |
| - name: Checkout code again | |
| uses: actions/checkout@v3 | |
| # Build and publish the binaries to ./published. | |
| # The publish command will automatically deploy plugins via the DeployAllPluginsForPublish target in CoseSignTool.csproj | |
| - name: Publish outputs | |
| run: | | |
| VERSION=${{ needs.create_release.outputs.tag_name }} | |
| # Remove the 'v' prefix from VERSION for VersionNgt property | |
| VERSION_WITHOUT_V=$(echo "$VERSION" | sed 's/^v//') | |
| RUNTIME_ID=${{ matrix.runtime_id || '' }} | |
| if [ -n "$RUNTIME_ID" ]; then | |
| echo "Publishing for runtime: $RUNTIME_ID" | |
| dotnet publish --configuration Debug --self-contained true --runtime $RUNTIME_ID --output published/debug --property:FileVersion=$VERSION --property:VersionNgt=$VERSION_WITHOUT_V --property:DeployPlugins=true CoseSignTool/CoseSignTool.csproj | |
| dotnet publish --configuration Release --self-contained true --runtime $RUNTIME_ID --output published/release --property:FileVersion=$VERSION --property:VersionNgt=$VERSION_WITHOUT_V --property:DeployPlugins=true CoseSignTool/CoseSignTool.csproj | |
| else | |
| echo "Publishing for current platform" | |
| dotnet publish --configuration Debug --self-contained true --output published/debug --property:FileVersion=$VERSION --property:VersionNgt=$VERSION_WITHOUT_V --property:DeployPlugins=true CoseSignTool/CoseSignTool.csproj | |
| dotnet publish --configuration Release --self-contained true --output published/release --property:FileVersion=$VERSION --property:VersionNgt=$VERSION_WITHOUT_V --property:DeployPlugins=true CoseSignTool/CoseSignTool.csproj | |
| fi | |
| # Self-contained is needed. Must use .csproj instead of .sln. | |
| # DeployPlugins=true enables automatic plugin deployment during publish | |
| # RUNTIME_ID specifies the target runtime (e.g., osx-x64, osx-arm64) for cross-platform builds | |
| # Ideally we should also verify in the Build and Test job, but that will require pre-caulculating the version number and either | |
| # Running build and test separately because we can't pass the version number to dotnet test, or | |
| # Setting the version number dynamically in the csproj files, using <FileVersion>$(VersionBin)</FileVersion> | |
| shell: bash | |
| # List the contents of the published directory to make sure all the artifacts are there. | |
| - name: List published directory | |
| run: ${{ matrix.dir_command }} | |
| working-directory: ./published | |
| # Verify that the file versions on the DLLs match the release version | |
| - name: Check File Version | |
| run: | | |
| $file = Get-Item "CoseSignTool.dll" | |
| $version = $file.VersionInfo.FileVersion | |
| Write-Output "File Version is $version" | |
| shell: pwsh | |
| working-directory: ./published/debug | |
| # Create NuGet packages for library projects (commented out for now) | |
| - name: Create NuGet packages | |
| run: | | |
| echo "📦 Creating NuGet packages for library projects..." | |
| VERSION=${{ needs.create_release.outputs.tag_name }} | |
| # Remove the 'v' prefix from VERSION for VersionNgt property | |
| VERSION_WITHOUT_V=$(echo "$VERSION" | sed 's/^v//') | |
| # Define library projects that should be packaged (excluding plugins and test projects) | |
| LIBRARY_PROJECTS=( | |
| "CoseHandler/CoseHandler.csproj" | |
| "CoseIndirectSignature/CoseIndirectSignature.csproj" | |
| "CoseSign1/CoseSign1.csproj" | |
| "CoseSign1.Abstractions/CoseSign1.Abstractions.csproj" | |
| "CoseSign1.Certificates/CoseSign1.Certificates.csproj" | |
| "CoseSign1.Headers/CoseSign1.Headers.csproj" | |
| "CoseSign1.Transparent/CoseSign1.Transparent.csproj" | |
| "CoseSign1.Transparent.MST/CoseSign1.Transparent.MST.csproj" | |
| "CoseSignTool.Abstractions/CoseSignTool.Abstractions.csproj" | |
| ) | |
| # Create packages directory | |
| mkdir -p published/packages | |
| # Pack each library project | |
| for project in "${LIBRARY_PROJECTS[@]}"; do | |
| if [ -f "$project" ]; then | |
| project_name=$(basename "${project%.*}") | |
| echo "📦 Creating package for $project_name..." | |
| dotnet pack "$project" \ | |
| --configuration Release \ | |
| --property:FileVersion=$VERSION \ | |
| --property:PackageVersion=$VERSION_WITHOUT_V \ | |
| --property:VersionNgt=$VERSION_WITHOUT_V \ | |
| --output published/packages \ | |
| --verbosity minimal | |
| if [ $? -eq 0 ]; then | |
| echo "✅ Successfully created package for $project_name" | |
| else | |
| echo "❌ Failed to create package for $project_name" | |
| fi | |
| else | |
| echo "⚠️ Project file not found: $project" | |
| fi | |
| done | |
| # List created packages | |
| echo "" | |
| echo "📋 Created NuGet packages:" | |
| if [ -d "published/packages" ]; then | |
| ls -la published/packages/*.nupkg | while read -r line; do | |
| echo " 📦 $(echo "$line" | awk '{print $9}')" | |
| done | |
| else | |
| echo "❌ No packages directory found" | |
| fi | |
| echo "🎯 NuGet package creation completed." | |
| shell: bash | |
| # Copy the docs, license, and markdown files to the release folders. | |
| - name: Copy docs to release folders | |
| run: | | |
| mkdir -p published/debug/docs | |
| cp -r docs/* published/debug/docs/ | |
| mkdir -p published/release/docs | |
| cp -r docs/* published/release/docs/ | |
| cp -r LICENSE published/debug/ | |
| cp -r LICENSE published/release/ | |
| cp -r *.md published/debug/ | |
| cp -r *.md published/release/ | |
| # Create zip files for release. | |
| - name: Create zip files for the release | |
| run: | | |
| ${{ matrix.zip_command_debug }} | |
| ${{ matrix.zip_command_release }} | |
| working-directory: ./published | |
| # List the contents of the published directory to make sure all the artifacts are there. | |
| - name: List published directory | |
| run: ${{ matrix.dir_command }} | |
| working-directory: ./published | |
| # Upload the zipped assets to the release. | |
| - name: Upload binary archives | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: ./published/CoseSignTool-*.zip | |
| file_glob: true | |
| overwrite: true | |
| tag: ${{ needs.create_release.outputs.tag_name }} | |
| # Commented out until we decide to support publishing of nuget packages. | |
| # Upload the NuGet packages to the release (commented out for now) | |
| # - name: Upload NuGet packages | |
| # uses: svenstaro/upload-release-action@v2 | |
| # with: | |
| # repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| # file: ./published/packages/*.nupkg | |
| # file_glob: true | |
| # overwrite: true | |
| # tag: ${{ needs.create_release.outputs.tag_name }} |