Release #65
# Manually dispatched release workflow. The person starting the run supplies
# the version string and states whether the result is a pre-release.
name: Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Version'
        required: true
        type: string
      # We use SemVer, anything before 1.0.0 is a pre-release, but this could also include versions like 1.1.0-beta.
      prerelease:
        description: 'Prerelease'
        required: true
        default: true
        type: boolean
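# Job graph: validate -> build -> sign -> package -> release, with
# linux_release running in parallel after validate and joining at release.
#
# NOTE(review): every action below is referenced by a mutable tag (@v1..@v4).
# The sign and release jobs handle signing credentials and a contents:write
# token, so pinning each `uses:` to a full commit SHA is worth considering.
# NOTE(review): only build and release declare `permissions:`; the other jobs
# inherit the repository default for GITHUB_TOKEN. Confirm that default is
# read-only, or declare least-privilege permissions per job.
jobs:
  # Special request from @kyle-rader and @goagain, so no one can create an invalid release.
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Validate version
        # The version is free-form dispatch input that has not been checked yet.
        # It is handed to the shell through an environment variable so that it
        # is treated as data; expanding the expression inline in `run` would
        # paste the raw text into the script before version.py can reject it.
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: printf '%s\n' "$VERSION" | python ./bin/version.py

  build:
    permissions:
      actions: read
      contents: read
      security-events: write
      statuses: write
    runs-on: ${{ matrix.os }}
    needs: [validate]
    strategy:
      matrix:
        # We build on Linux, but don't yet ship Linux because we can't easily sign those releases.
        runtime: [osx-x64, osx-arm64, win10-x64]
        include:
          - runtime: osx-x64
            os: macos-latest
          - runtime: osx-arm64
            os: macos-latest
          - runtime: win10-x64
            os: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: csharp
      - name: Setup .NET 6
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '6.0.x'
      - name: Install dependencies
        run: dotnet restore --runtime ${{ matrix.runtime }}
        env:
          ADO_TOKEN: ${{ secrets.ADO_TOKEN }}
      - name: Test
        run: dotnet test --no-restore --configuration release
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
      - name: Build artifacts
        # NOTE(review): the version is still expanded inline here because this
        # step runs under different default shells across the matrix. It only
        # runs after `validate` succeeds, so its safety depends on
        # bin/version.py rejecting shell metacharacters; confirm that it does.
        run: >-
          dotnet publish src/AzureAuth/AzureAuth.csproj
          -p:Version=${{ github.event.inputs.version }}
          --configuration release
          --self-contained true
          --runtime ${{ matrix.runtime }}
          --output dist/${{ matrix.runtime }}
        env:
          ADO_TOKEN: ${{ secrets.ADO_TOKEN }}
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
          path: dist/${{ matrix.runtime }}

  sign:
    # This step has to run on Windows because ESRPClient.exe is currently only available for that platform.
    runs-on: windows-latest
    needs: [build]
    strategy:
      matrix:
        runtime: [osx-x64, osx-arm64, win10-x64]
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Setup NuGet
        uses: NuGet/setup-nuget@v1
        with:
          nuget-version: '5.x'
      - name: Download ESRPClient.exe
        env:
          ESRP_VERSION: ${{ secrets.ESRP_VERSION }}
          NUGET_CREDENTIALS: ${{ secrets.ADO_TOKEN }}
        run: |
          nuget sources add -Name esrp -Username esrp-downloader -Password $env:NUGET_CREDENTIALS -Source https://pkgs.dev.azure.com/office/_packaging/Office/nuget/v3/index.json
          nuget install Microsoft.EsrpClient -Version "$env:ESRP_VERSION" -OutputDirectory .\esrp -Source https://pkgs.dev.azure.com/office/_packaging/Office/nuget/v3/index.json
      - name: Login to Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # We need these certificates installed so that we can run ESRPClient.exe.
      - name: Install certificates
        env:
          AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION }}
          AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
          ESRP_AAD_CERT_NAME: ${{ secrets.AZURE_VAULT_ESRP_AAD_CERT_NAME }}
          ESRP_REQ_CERT_NAME: ${{ secrets.AZURE_VAULT_ESRP_REQ_CERT_NAME }}
        # Each PFX is written to the workspace, imported, and deleted again
        # before the next one is fetched, all of it ahead of the artifact steps.
        run: |
          az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_AAD_CERT_NAME" -f cert.pfx
          certutil -f -importpfx cert.pfx
          Remove-Item cert.pfx
          az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_REQ_CERT_NAME" -f cert.pfx
          certutil -f -importpfx cert.pfx
          Remove-Item cert.pfx
      # We download all artifacts and overwrite them with signed files, but only upload ones which we can properly sign.
      - name: Download all artifacts
        uses: actions/download-artifact@v3
      - name: Sign artifacts
        env:
          SIGNING_AAD_ID: ${{ secrets.SIGNING_AAD_ID }}
          SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
          SIGNING_KEY_CODE_AUTHENTICODE: ${{ secrets.SIGNING_KEY_CODE_AUTHENTICODE }}
          SIGNING_KEY_CODE_MAC: ${{ secrets.SIGNING_KEY_CODE_MAC }}
          SIGNING_KEY_CODE_LINUX: ${{ secrets.SIGNING_KEY_CODE_LINUX }}
          SIGNING_CUSTOMER_CORRELATION_ID: ${{ secrets.SIGNING_CUSTOMER_CORRELATION_ID }}
          ESRP_CLIENT_EXE: ".\\esrp\\Microsoft.EsrpClient.${{ secrets.ESRP_VERSION }}\\tools\\EsrpClient.exe"
        # NOTE(review): the version is expanded inline in a step that has the
        # signing secrets in its environment. It is reached only after
        # `validate` passes (via build), so confirm bin/version.py restricts
        # the value to a strict SemVer character set.
        run: python .\bin\sign.py "$env:ESRP_CLIENT_EXE" --runtime=${{ matrix.runtime }} --source=azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
          path: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}

  # Build and sign Linux binaries on Azure DevOps and publish them to GitHub and packages.microsoft.com.
  linux_release:
    runs-on: ubuntu-latest
    needs: [validate]
    env:
      ADO_LINUX_ARTIFACT_DOWNLOAD_PATH: dist/linux
      ADO_LINUX_ARTIFACT_NAME: ${{ vars.ADO_LINUX_ARTIFACT_NAME }}
      DEBIAN_REVISION: '1'
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Build, Sign and Download Linux Binaries
        run: |
          pip install -r bin/requirements.txt
          python ./bin/trigger_azure_pipelines.py
        env:
          AZURE_DEVOPS_BUILD_PAT: ${{ secrets.AZURE_DEVOPS_BUILD_PAT }}
          ADO_ORGANIZATION: ${{ secrets.ADO_ORGANIZATION }}
          ADO_PROJECT: ${{ secrets.ADO_PROJECT}}
          ADO_AZUREAUTH_LINUX_PIPELINE_ID: ${{ secrets.ADO_AZUREAUTH_LINUX_PIPELINE_ID }}
          ADO_AZUREAUTH_LINUX_STAGE_ID: ${{ vars.ADO_AZUREAUTH_LINUX_STAGE_ID }}
          VERSION: ${{ github.event.inputs.version }}
      - name: Rename linux artifact
        env:
          DEB_AMD64_SOURCE: ${{ env.ADO_LINUX_ARTIFACT_DOWNLOAD_PATH }}/${{ env.ADO_LINUX_ARTIFACT_NAME }}/azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_amd64.deb
          DEB_AMD64_TARGET: azureauth-${{ github.event.inputs.version }}-linux-x64.deb
          DEB_ARM64_SOURCE: ${{ env.ADO_LINUX_ARTIFACT_DOWNLOAD_PATH }}/${{ env.ADO_LINUX_ARTIFACT_NAME }}/azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_arm64.deb
          DEB_ARM64_TARGET: azureauth-${{ github.event.inputs.version }}-linux-arm64.deb
        # The paths are already exported to the step environment above, so the
        # script reads them as quoted shell variables instead of having the
        # expressions expanded into the script text.
        run: |
          mv "$DEB_AMD64_SOURCE" "$DEB_AMD64_TARGET"
          mv "$DEB_ARM64_SOURCE" "$DEB_ARM64_TARGET"
      - name: Upload linux artifact
        uses: actions/upload-artifact@v3
        with:
          name: azureauth-linux
          path: |
            azureauth-${{ github.event.inputs.version }}-linux-x64.deb
            azureauth-${{ github.event.inputs.version }}-linux-arm64.deb

  # Currently we package artifacts into the most commonly accessible archive format for their respective platforms.
  package:
    runs-on: ubuntu-latest
    needs: [sign]
    env:
      # Read by the archive scripts below as "$VERSION", so the input is never
      # expanded into the shell script text itself.
      VERSION: ${{ github.event.inputs.version }}
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v3
      - name: Install Zip
        run: sudo apt install -y zip
      - name: Create win10-x64 archive
        run: |
          cd "azureauth-${VERSION}-win10-x64"
          zip "../azureauth-${VERSION}-win10-x64.zip" *
      - name: Upload win10-x64 artifact
        uses: actions/upload-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
          path: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
      - name: Create osx-x64 archive
        run: |
          cd "azureauth-${VERSION}-osx-x64"
          chmod +x azureauth createdump *.dylib
          tar -czf "../azureauth-${VERSION}-osx-x64.tar.gz" *
      - name: Upload osx-x64 artifact
        uses: actions/upload-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
          path: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
      - name: Create osx-arm64 archive
        run: |
          cd "azureauth-${VERSION}-osx-arm64"
          chmod +x azureauth createdump *.dylib
          tar -czf "../azureauth-${VERSION}-osx-arm64.tar.gz" *
      - name: Upload osx-arm64 artifact
        uses: actions/upload-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
          path: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz

  release:
    runs-on: ubuntu-latest
    needs: [package, linux_release]
    # The 'release' environment is what requires reviews before creating the release.
    environment:
      name: release
    # These permissions are required in order to use `softprops/action-gh-release` to upload.
    permissions:
      contents: write
    steps:
      - name: Download win10-x64 artifact
        uses: actions/download-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
      - name: Download osx-x64 artifact
        uses: actions/download-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
      - name: Download osx-arm64 artifact
        uses: actions/download-artifact@v3
        with:
          name: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
      - name: Download linux-x64 artifact
        uses: actions/download-artifact@v3
        with:
          name: azureauth-linux
      - name: Create Release
        uses: softprops/action-gh-release@v1
        with:
          name: ${{ github.event.inputs.version }}
          body: "Release ${{ github.event.inputs.version }}. See [`CHANGELOG.md`](https://github.com/AzureAD/microsoft-authentication-cli/blob/${{ github.event.inputs.version }}/CHANGELOG.md) for updates."
          tag_name: ${{ github.event.inputs.version }}
          prerelease: ${{ github.event.inputs.prerelease }}
          files: |
            azureauth-${{ github.event.inputs.version }}-win10-x64.zip
            azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
            azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
            azureauth-${{ github.event.inputs.version }}-linux-x64.deb
            azureauth-${{ github.event.inputs.version }}-linux-arm64.deb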