
Commit cbd6dc0

Fix package signing (#2631)
- Use a federated credential to access Azure Key Vault for the code-signing certificate instead of the now-expired secrets. - Remove all permissions by default. - Add `contents: read` for building the packages. - Add `id-token: write` to sign the packages.
1 parent 31e9775 commit cbd6dc0


1 file changed

+16
-5
lines changed


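--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,8 +22,7 @@ env:
 NUGET_XMLDOC_MODE: skip
 TERM: xterm
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 build:
@@ -39,6 +38,9 @@ jobs:
 package-names: ${{ steps.build.outputs.package-names }}
 package-version: ${{ steps.build.outputs.package-version }}
 
+permissions:
+contents: read
+
 strategy:
 fail-fast: false
 matrix:
@@ -187,6 +189,9 @@ jobs:
 github.event.repository.fork == false &&
 startsWith(github.ref, 'refs/tags/')
 
+permissions:
+id-token: write
+
 steps:
 
 - name: Download unsigned packages
@@ -211,14 +216,18 @@ jobs:
 DOTNET_SIGN_VERSION: ${{ needs.build.outputs.dotnet-sign-version }}
 run: dotnet tool install --tool-path . sign --version ${env:DOTNET_SIGN_VERSION}
 
+- name: Azure log in
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
+subscription-id: ${{ secrets.SIGN_CLI_SUBSCRIPTION_ID }}
+tenant-id: ${{ secrets.SIGN_CLI_TENANT_ID }}
+
 - name: Sign artifacts
 shell: pwsh
 env:
-AZURE_CLIENT_ID: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
-AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }}
 AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.SIGN_CLI_CERT_NAME }}
 AZURE_KEY_VAULT_URL: ${{ secrets.SIGN_CLI_VAULT_URI }}
-AZURE_TENANT_ID: ${{ secrets.SIGN_CLI_TENANT_ID }}
 VERBOSITY: ${{ runner.debug == '1' && 'Debug' || 'Warning' }}
 run: |
 ./sign code azure-key-vault `
@@ -247,6 +256,7 @@ jobs:
 validate-signed-packages:
 needs: [ build, sign ]
 runs-on: windows-latest
+
 steps:
 
 - name: Download packages
@@ -337,6 +347,7 @@ jobs:
 publish-nuget:
 needs: [ build, validate-signed-packages ]
 runs-on: ubuntu-latest
+
 steps:
 
 - name: Download signed packages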
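Review bot: The new `Azure log in` step (new lines 219–225) has no comment stating which OIDC trust it depends on, yet with the client secret gone the only thing standing between a workflow run and a code-signing token is the federated credential's subject condition in Entra, so that should be recorded here: `# OIDC, no client secret: the Entra app's federated credential must match this repo's release subject (tag ref or environment) so only release runs can obtain a signing token.` The sign job's header (including any `environment:`) starts outside the hunk, so whether the subject is environment-scoped cannot be confirmed from here. The `Sign artifacts` step no longer sets `AZURE_CLIENT_ID`/`AZURE_TENANT_ID`, so `sign` presumably picks up the `az` CLI session that the preceding login establishes; a one-line comment on that step naming the dependency on `Azure log in` would stop a future maintainer from re-adding env-based credentials. Keeping `client-id`/`tenant-id`/`subscription-id` in `secrets` is reasonable even though they are identifiers rather than credentials, since it keeps them masked in logs.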
