Skip to content
Release

Release #57

Sign in to view logs

Release

Release #57

Workflow file for this run

.github/workflows/release.yml at 2378278
name: Release
on:
workflow_dispatch:
inputs:
version:
description: 'Version'
required: true
type: string
# We use SemVer, anything before 1.0.0 is a pre-release, but this could also include versions like 1.1.0-beta.
prerelease:
description: 'Prerelease'
required: true
default: true
type: boolean
jobs:
# Special request from @kyle-rader and @goagain, so no one can create an invalid release.
validate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Validate version
run: echo ${{ github.event.inputs.version }} | python ./bin/version.py
build:
permissions:
actions: read
contents: read
security-events: write
statuses: write
runs-on: ${{ matrix.os }}
needs: [validate]
strategy:
matrix:
# We build on Linux, but don't yet ship Linux because we can't easily sign those releases.
runtime: [osx-x64, osx-arm64, win10-x64]
include:
- runtime: osx-x64
os: macos-latest
- runtime: osx-arm64
os: macos-latest
- runtime: win10-x64
os: windows-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: csharp
- name: Setup .NET 6
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Install dependencies
run: dotnet restore --runtime ${{ matrix.runtime }}
env:
ADO_TOKEN: ${{ secrets.ADO_TOKEN }}
- name: Test
run: dotnet test --no-restore --configuration release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
- name: Build artifacts
run: dotnet publish src/AzureAuth/AzureAuth.csproj -p:Version=${{ github.event.inputs.version }} --configuration release --self-contained true --runtime ${{ matrix.runtime }} --output dist/${{ matrix.runtime }}
env:
ADO_TOKEN: ${{ secrets.ADO_TOKEN }}
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
path: dist/${{ matrix.runtime }}
sign:
# This step has to run on Windows because ESRPClient.exe is currently only available for that platform.
runs-on: windows-latest
needs: [build]
strategy:
matrix:
runtime: [osx-x64, osx-arm64, win10-x64]
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Setup NuGet
uses: NuGet/setup-nuget@v1
with:
nuget-version: '5.x'
- name: Download ESRPClient.exe
env:
ESRP_VERSION: ${{ secrets.ESRP_VERSION }}
NUGET_CREDENTIALS: ${{ secrets.ADO_TOKEN }}
run: |
nuget sources add -Name esrp -Username esrp-downloader -Password $env:NUGET_CREDENTIALS -Source https://pkgs.dev.azure.com/office/_packaging/Office/nuget/v3/index.json
nuget install Microsoft.EsrpClient -Version "$env:ESRP_VERSION" -OutputDirectory .\esrp -Source https://pkgs.dev.azure.com/office/_packaging/Office/nuget/v3/index.json
- name: Login to Azure
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
# We need these certificates installed so that we can run ESRPClient.exe.
- name: Install certificates
env:
AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION }}
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
ESRP_AAD_CERT_NAME: ${{ secrets.AZURE_VAULT_ESRP_AAD_CERT_NAME }}
ESRP_REQ_CERT_NAME: ${{ secrets.AZURE_VAULT_ESRP_REQ_CERT_NAME }}
run: |
az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_AAD_CERT_NAME" -f cert.pfx
certutil -f -importpfx cert.pfx
Remove-Item cert.pfx
az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_REQ_CERT_NAME" -f cert.pfx
certutil -f -importpfx cert.pfx
Remove-Item cert.pfx
# We download all artifacts and overwrite them with signed files, but only upload ones which we can properly sign.
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Sign artifacts
env:
SIGNING_AAD_ID: ${{ secrets.SIGNING_AAD_ID }}
SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
SIGNING_KEY_CODE_AUTHENTICODE: ${{ secrets.SIGNING_KEY_CODE_AUTHENTICODE }}
SIGNING_KEY_CODE_MAC: ${{ secrets.SIGNING_KEY_CODE_MAC }}
SIGNING_KEY_CODE_LINUX: ${{ secrets.SIGNING_KEY_CODE_LINUX }}
SIGNING_CUSTOMER_CORRELATION_ID: ${{ secrets.SIGNING_CUSTOMER_CORRELATION_ID }}
ESRP_CLIENT_EXE: ".\\esrp\\Microsoft.EsrpClient.${{ secrets.ESRP_VERSION }}\\tools\\EsrpClient.exe"
run: python .\bin\sign.py "$env:ESRP_CLIENT_EXE" --runtime=${{ matrix.runtime }} --source=azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
- name: Upload signed artifacts
uses: actions/upload-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
path: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
# Build and sign Linux binaries on Azure DevOps and publish them to GitHub and packages.microsoft.com.
linux_release:
runs-on: ubuntu-latest
needs: [validate]
env:
ADO_LINUX_ARTIFACT_DOWNLOAD_PATH: dist/linux
ADO_LINUX_ARTIFACT_NAME: ${{ vars.ADO_LINUX_ARTIFACT_NAME }}
DEBIAN_REVISION: 1
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Build, Sign and Download Linux Binaries
run: |
pip install -r bin/requirements.txt
python ./bin/trigger_azure_pipelines.py
env:
AZURE_DEVOPS_BUILD_PAT: ${{ secrets.AZURE_DEVOPS_BUILD_PAT }}
ADO_ORGANIZATION: ${{ secrets.ADO_ORGANIZATION }}
ADO_PROJECT: ${{ secrets.ADO_PROJECT}}
ADO_AZUREAUTH_LINUX_PIPELINE_ID: ${{ secrets.ADO_AZUREAUTH_LINUX_PIPELINE_ID }}
ADO_AZUREAUTH_LINUX_STAGE_ID: ${{ vars.ADO_AZUREAUTH_LINUX_STAGE_ID }}
VERSION: ${{ github.event.inputs.version }}
- name: Rename linux artifact
env:
DEB_AMD64_SOURCE: ${{ env.ADO_LINUX_ARTIFACT_DOWNLOAD_PATH }}/${{ env.ADO_LINUX_ARTIFACT_NAME }}/azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_amd64.deb
DEB_AMD64_TARGET: azureauth-${{ github.event.inputs.version }}-linux-x64.deb
DEB_ARM64_SOURCE: ${{ env.ADO_LINUX_ARTIFACT_DOWNLOAD_PATH }}/${{ env.ADO_LINUX_ARTIFACT_NAME }}/azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_arm64.deb
DEB_ARM64_TARGET: azureauth-${{ github.event.inputs.version }}-linux-arm64.deb
run: |
mv ${{ env.DEB_AMD64_SOURCE }} ${{ env.DEB_AMD64_TARGET }}
mv ${{ env.DEB_ARM64_SOURCE }} ${{ env.DEB_ARM64_TARGET }}
- name: Upload linux artifact
uses: actions/upload-artifact@v3
with:
name: azureauth-linux
path: |
azureauth-${{ github.event.inputs.version }}-linux-x64.deb
azureauth-${{ github.event.inputs.version }}-linux-arm64.deb
# Currently we package artifacts into the most commonly accessible archive format for their respective platforms.
package:
runs-on: ubuntu-latest
needs: [sign]
steps:
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Install Zip
run: sudo apt install -y zip
- name: Create win10-x64 archive
run: |
cd azureauth-${{ github.event.inputs.version }}-win10-x64
zip ../azureauth-${{ github.event.inputs.version }}-win10-x64.zip *
- name: Upload win10-x64 artifact
uses: actions/upload-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
path: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
- name: Create osx-x64 archive
run: |
cd azureauth-${{ github.event.inputs.version }}-osx-x64
chmod +x azureauth createdump *.dylib
tar -czf ../azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz *
- name: Upload osx-x64 artifact
uses: actions/upload-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
path: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
- name: Create osx-arm64 archive
run: |
cd azureauth-${{ github.event.inputs.version }}-osx-arm64
chmod +x azureauth createdump *.dylib
tar -czf ../azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz *
- name: Upload osx-arm64 artifact
uses: actions/upload-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
path: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
release:
runs-on: ubuntu-latest
needs: [package, linux_release]
# The 'release' environment is what requires reviews before creating the release.
environment:
name: release
# These permissions are required in order to use `softprops/action-gh-release` to upload.
permissions:
contents: write
steps:
- name: Download win10-x64 artifact
uses: actions/download-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
- name: Download osx-x64 artifact
uses: actions/download-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
- name: Download osx-arm64 artifact
uses: actions/download-artifact@v3
with:
name: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
- name: Download linux-x64 artifact
uses: actions/download-artifact@v3
with:
name: azureauth-linux
- name: Create Release
uses: softprops/action-gh-release@v1
with:
name: ${{ github.event.inputs.version }}
body: "Release ${{ github.event.inputs.version }}. See [`CHANGELOG.md`](https://github.com/AzureAD/microsoft-authentication-cli/blob/${{ github.event.inputs.version }}/CHANGELOG.md) for updates."
tag_name: ${{ github.event.inputs.version }}
prerelease: ${{ github.event.inputs.prerelease }}
files: |
azureauth-${{ github.event.inputs.version }}-win10-x64.zip
azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
azureauth-${{ github.event.inputs.version }}-linux-x64.deb
azureauth-${{ github.event.inputs.version }}-linux-arm64.deb