From b4b2077ba3a98e162415571e0d006cbac905ca32 Mon Sep 17 00:00:00 2001 From: Max Ustinov Date: Wed, 27 Mar 2024 09:47:10 -0700 Subject: [PATCH] KSM .NET SDK: GHA to publish strong named binary: - updated copyright year to 2024 - updated to the publish.nuget.strong.named.yml - updates to the publish.nuget.yml --- .github/workflows/publish.nuget.yml | 105 ++++++++++++++++++++++- .github/workflows/test.publish.nuget.yml | 80 +++-------------- 2 files changed, 114 insertions(+), 71 deletions(-) diff --git a/.github/workflows/publish.nuget.yml b/.github/workflows/publish.nuget.yml index b9fa5d4a..d4f0450a 100644 --- a/.github/workflows/publish.nuget.yml +++ b/.github/workflows/publish.nuget.yml @@ -2,6 +2,12 @@ name: Publish to NuGet on: workflow_dispatch: + inputs: + publish: + description: 'Publish to NuGet (uncheck to build only)' + required: false + default: 'true' + type: boolean jobs: publish-nuget: 
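Review bot: The new `publish` input declares `type: boolean` but its default is the quoted string `'true'`; the workflow-syntax docs show boolean defaults unquoted, so `default: true` matches the declared type instead of relying on coercion. The `if:` guards added elsewhere in this patch compare `github.event.inputs.publish == 'true'`, which only works because `github.event.inputs` values are always strings — a one-line comment on the input such as `# read via github.event.inputs (string); the typed inputs context yields a real boolean` would stop a later edit from switching to `inputs.publish == 'true'`, which would never be true.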
@@ -30,16 +36,111 @@ jobs: secrets: | Sq4nnb5HXXNp1l6KryXynw/field/password > NUGET_AUTH_TOKEN - - name: Install dependencies run: dotnet restore - name: Build run: dotnet build --configuration Release --no-restore + - name: Publish package + if: ${{ github.event.inputs.publish == 'true' }} + run: dotnet nuget push ./SecretsManager/bin/Release/*.nupkg --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json + + - name: Upload non-strong-named binaries + if: ${{ github.event.inputs.publish == 'false' }} + uses: actions/upload-artifact@v4 + with: + name: non-strong-named-binaries-${{ github.run_number }} + path: | + ${{ github.workspace }}/sdk/dotNet/SecretsManager/bin/Release/*.nupkg + publish-nuget-strongname: + environment: prod + runs-on: windows-latest + + defaults: + run: + shell: powershell + working-directory: .\sdk\dotNet + steps: + - name: Get the source code + uses: actions/checkout@v4 + - name: Setup .NET 6 + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 6.0.x + + - name: Retrieve secrets from KSM + id: ksmsecrets + uses: Keeper-Security/ksm-action@master + with: + keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} + secrets: | + Sq4nnb5HXXNp1l6KryXynw/field/password > NUGET_AUTH_TOKEN + Sq4nnb5HXXNp1l6KryXynw/file/sgKSM.snk > file:${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk + + - name: Extract and Update Public Key in SecretsManagerClient.cs + run: | + $snPath = "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe" + $snkPath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" + $publicKeyPath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.pub" + & $snPath -p $snkPath $publicKeyPath + $publicKeyInfo = & $snPath -tp $publicKeyPath + # Filter and join the lines of the public key + $publicKeyLines = $publicKeyInfo -split "`n" | Where-Object { $_ -match "^[a-f0-9\s]+$" } + $publicKey = $publicKeyLines -join "" -replace "\s", "" + + if 
(-not $publicKey) { + Write-Error "Failed to extract the full public key." + exit 1 + } + + Write-Output "Extracted Public Key: $publicKey" + $filePath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\SecretsManagerClient.cs" + (Get-Content $filePath) -replace '\[assembly: InternalsVisibleTo\("SecretsManager.Test.Core"\)\]', "[assembly: InternalsVisibleTo(`"SecretsManager.Test.Core, PublicKey=$publicKey`")]" | Set-Content $filePath + Write-Output "First 20 lines of the modified SecretsManagerClient.cs:" + Get-Content $filePath -Head 20 + + - name: Install dependencies + run: dotnet restore + + - name: "Preparing package for strong naming" + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + pwd + Get-ChildItem + Copy-Item -Path "SecretsManager.csproj" -Destination "SecretsManager.StrongName.csproj" + (Get-Content -Path "SecretsManager.StrongName.csproj") -replace 'Keeper.SecretsManager', 'Keeper.SecretsManager.StrongName' | Set-Content -Path "SecretsManager.StrongName.csproj" + Get-Content "SecretsManager.StrongName.csproj" + Copy-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" -Destination "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\sgKSM.snk" + Get-ChildItem "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\" + + - name: Build + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + pwd + Get-ChildItem + dotnet build "SecretsManager.StrongName.csproj" --configuration Release --no-restore -p:SignKSM=True + + - name: Cleanup secret files + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + Remove-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" + Remove-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\sgKSM.snk" - name: Publish package - run: dotnet nuget push ./SecretsManager/bin/Release/*.nupkg --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source 
https://api.nuget.org/v3/index.json + if: ${{ github.event.inputs.publish == 'true' }} + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + Get-ChildItem ".\bin\Release\" + dotnet nuget push ".\bin\Release\*.nupkg" --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json + + - name: Upload strong-named binaries + if: ${{ github.event.inputs.publish == 'false' }} + uses: actions/upload-artifact@v4 + with: + name: strong-named-binaries-${{ github.run_number }} + path: | + ${{ github.workspace }}\sdk\dotNet\SecretsManager\bin\Release\*.nupkg \ No newline at end of file diff --git a/.github/workflows/test.publish.nuget.yml b/.github/workflows/test.publish.nuget.yml index 5cf933d9..e455734f 100644 --- a/.github/workflows/test.publish.nuget.yml +++ b/.github/workflows/test.publish.nuget.yml @@ -1,33 +1,31 @@ -name: Publish strong-named assemblies to NuGet - +name: TEST Publish to NuGet on: workflow_dispatch: - inputs: - publish: - description: 'Publish to NuGet (uncheck to build only)' - required: false - default: 'true' - type: boolean jobs: publish-nuget: environment: prod - runs-on: windows-latest + runs-on: ubuntu-latest defaults: run: - shell: powershell - working-directory: .\sdk\dotNet + working-directory: ./sdk/dotNet steps: - name: Get the source code - uses: actions/checkout@v4 + uses: actions/checkout@v3 - name: Setup .NET 6 - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@v1 with: dotnet-version: 6.0.x + - name: Install dependencies + run: dotnet restore + + - name: Build + run: dotnet build --configuration Release --no-restore + - name: Retrieve secrets from KSM id: ksmsecrets uses: Keeper-Security/ksm-action@master 
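Review bot: The new `publish-nuget-strongname` job obtains the NuGet token and the strong-name private key through `Keeper-Security/ksm-action@master`, a mutable branch reference; pin that step to a release tag or full commit SHA so an upstream push cannot silently change what runs with the `prod` environment's `KSM_KSM_CONFIG`. The push step interpolates the token into the script text with `--api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}}`; passing it through `env: NUGET_AUTH_TOKEN: ${{ steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN }}` and using `--api-key $env:NUGET_AUTH_TOKEN` keeps the secret out of the generated command line (the action presumably masks its outputs, but that is not visible here). `Cleanup secret files` runs only when every prior step succeeds, so a failed build leaves `sgKSM.snk` in both directories; add `if: always()` to that step. Minor: the file now ends without a trailing newline.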
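Review bot: The restored test workflow pins `actions/checkout@v3` and `actions/setup-dotnet@v1`, older majors than the `@v4` versions the publish workflow in this same patch uses; `setup-dotnet@v1` in particular is, as far as I recall, deprecated and tied to a Node runtime GitHub has retired, so keeping both workflows on matching `@v4` pins avoids a predictable breakage. This job also consumes the `prod` `KSM_KSM_CONFIG` secret through `Keeper-Security/ksm-action@master`, a mutable ref that should be pinned to a tag or SHA. If this file is meant to be a copy of the pre-strong-name publish workflow, a header comment such as `# Mirrors publish.nuget.yml (non-strong-named job only); used for test runs` would explain why the two now differ.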
@@ -35,59 +33,3 @@ jobs: keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} secrets: | Sq4nnb5HXXNp1l6KryXynw/field/password > NUGET_AUTH_TOKEN - Sq4nnb5HXXNp1l6KryXynw/file/sgKSM.snk > file:${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk - - - name: Extract and Update Public Key in SecretsManagerClient.cs - run: | - $snPath = "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe" - $snkPath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" - $publicKeyInfo = & $snPath -Tp $snkPath - $publicKey = $publicKeyInfo | Select-String "Public Key:" -Context 0, 1 | ForEach-Object { $_.Context.PostContext[0] } - $publicKey = $publicKey -replace "\s", "" # Remove any whitespace from the public key string - $filePath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\SecretsManagerClient.cs" - (Get-Content $filePath) -replace '\[assembly: InternalsVisibleTo\("SecretsManager.Test.Core"\)\]', "[assembly: InternalsVisibleTo(`"SecretsManager.Test.Core, PublicKey=$publicKey`")]" | Set-Content $filePath - Write-Output "First 20 lines of the modified SecretsManagerClient.cs:" - Get-Content $filePath -Head 20 - - - name: Install dependencies - run: dotnet restore - - - name: "Preparing package for strong naming" - working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ - run: | - pwd - Get-ChildItem - Copy-Item -Path "SecretsManager.csproj" -Destination "SecretsManager.StrongName.csproj" - (Get-Content -Path "SecretsManager.StrongName.csproj") -replace 'Keeper.SecretsManager', 'Keeper.SecretsManager.StrongName' | Set-Content -Path "SecretsManager.StrongName.csproj" - Get-Content "SecretsManager.StrongName.csproj" - Write-Output "Place the sgKSM.snk file in the SecretsManager.Test.Core directory" - Copy-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" -Destination "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\sgKSM.snk" - Get-ChildItem "${{ github.workspace 
}}\sdk\dotNet\SecretsManager.Test.Core\" - - - name: Setup tmate session - if: ${{ failure() }} - uses: mxschmitt/action-tmate@v3 - - - name: Build - working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ - run: | - pwd - Get-ChildItem - dotnet build "SecretsManager.StrongName.csproj" --configuration Release --no-restore -p:SignKSM=True - - - name: Cleanup secret files - working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ - run: | - Get-ChildItem - Remove-Item -Path ".\sgKSM.snk" - Get-ChildItem - Get-ChildItem "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\" - Remove-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\sgKSM.snk" - Get-ChildItem "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\" - - - name: Publish package - if: ${{ github.event.inputs.publish == 'true' }} - working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ - run: | - Get-ChildItem ".\bin\Release\" - dotnet nuget push ".\bin\Release\*.nupkg" --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json