-
Notifications
You must be signed in to change notification settings - Fork 91
/
azdo-build-and-sign.yml
97 lines (83 loc) · 2.79 KB
/
azdo-build-and-sign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
trigger:
- main
- rel/*
pr:
- main
- rel/*
stages:
- stage: Build
jobs:
- job: Build
pool:
vmImage: ubuntu-latest
variables:
BuildConfiguration: Release
steps:
# Build steps
- task: UseDotNet@2
displayName: 'Use .NET SDK 6.x'
inputs:
version: 6.x
- task: DotNetCoreCLI@2
inputs:
command: pack
packagesToPack: src/AClassLibrary/AClassLibrary.csproj
configuration: $(BuildConfiguration)
packDirectory: $(Build.ArtifactStagingDirectory)/Packages
verbosityPack: Minimal
displayName: Build Package
# Publish the artifacts to sign and the file list, if any, as artifacts for the signing stage
- publish: $(Build.ArtifactStagingDirectory)/Packages
displayName: Publish Build Artifacts
artifact: BuildPackages
- publish: config
displayName: Publish signing file list
artifact: config
- stage: CodeSign
dependsOn: Build
condition: and(succeeded('Build'), not(eq(variables['build.reason'], 'PullRequest'))) # Only run this stage on pushes to the main branch
jobs:
- job: CodeSign
displayName: Code Signing
pool:
vmImage: windows-latest # Code signing must run on a Windows agent for Authenticode signing (dll/exe)
variables:
- group: Sign Client Credentials # This is a variable group with secrets in it
steps:
# Retreive unsigned artifacts and file list
- download: current
artifact: config
displayName: Download signing file list
- download: current
artifact: BuildPackages
displayName: Download build artifacts
- task: UseDotNet@2
displayName: 'Use .NET SDK 6.x'
inputs:
version: 6.x
# Install the code signing tool
- task: DotNetCoreCLI@2
inputs:
command: custom
custom: tool
arguments: install --tool-path . sign --version 0.9.0-beta.23127.3
displayName: Install SignTool tool
# Run the signing command
- pwsh: |
.\sign code azure-key-vault `
"**/*.nupkg" `
--base-directory "$(Pipeline.Workspace)\BuildPackages" `
--file-list "$(Pipeline.Workspace)\config\filelist.txt" `
--publisher-name "Contoso" `
--description "One Sign CLI demo" `
--description-url "https://github.com/dotnet/sign" `
--azure-key-vault-tenant-id "$(SignTenantId)" `
--azure-key-vault-client-id "$(SignClientId)" `
--azure-key-vault-client-secret '$(SignClientSecret)' `
--azure-key-vault-certificate "$(SignKeyVaultCertificate)" `
--azure-key-vault-url "$(SignKeyVaultUrl)"
displayName: Sign packages
# Publish the signed packages
- publish: $(Pipeline.Workspace)/BuildPackages
displayName: Publish Signed Packages
artifact: SignedPackages