diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 70c00732e40..19e11ba6345 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,8 +22,7 @@ env:
   NUGET_XMLDOC_MODE: skip
   TERM: xterm
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
@@ -39,6 +38,9 @@ jobs:
       package-names: ${{ steps.build.outputs.package-names }}
       package-version: ${{ steps.build.outputs.package-version }}
 
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -187,6 +189,9 @@ jobs:
       github.event.repository.fork == false &&
       startsWith(github.ref, 'refs/tags/')
 
+    permissions:
+      id-token: write
+
     steps:
 
     - name: Download unsigned packages
@@ -211,14 +216,18 @@ jobs:
         DOTNET_SIGN_VERSION: ${{ needs.build.outputs.dotnet-sign-version }}
       run: dotnet tool install --tool-path . sign --version ${env:DOTNET_SIGN_VERSION}
 
+    - name: Azure log in
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
+        subscription-id: ${{ secrets.SIGN_CLI_SUBSCRIPTION_ID }}
+        tenant-id: ${{ secrets.SIGN_CLI_TENANT_ID }}
+
     - name: Sign artifacts
       shell: pwsh
       env:
-        AZURE_CLIENT_ID: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
-        AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }}
         AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.SIGN_CLI_CERT_NAME }}
         AZURE_KEY_VAULT_URL: ${{ secrets.SIGN_CLI_VAULT_URI }}
-        AZURE_TENANT_ID: ${{ secrets.SIGN_CLI_TENANT_ID }}
         VERBOSITY: ${{ runner.debug == '1' && 'Debug' || 'Warning' }}
       run: |
         ./sign code azure-key-vault `
@@ -247,6 +256,7 @@ jobs:
   validate-signed-packages:
     needs: [ build, sign ]
     runs-on: windows-latest
+
     steps:
 
     - name: Download packages
@@ -337,6 +347,7 @@ jobs:
   publish-nuget:
     needs: [ build, validate-signed-packages ]
     runs-on: ubuntu-latest
+
     steps:
 
     - name: Download signed packages
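Review bot: The workflow-level `permissions: {}` means every job without its own `permissions` block now runs with an empty `GITHUB_TOKEN`, and this commit only grants `build` (`contents: read`, hunk 2) and `sign` (`id-token: write`, hunk 3); `validate-signed-packages` and `publish-nuget` receive nothing but a blank line (hunks 5 and 6). If either of those jobs checks out the repository, creates a release, or otherwise calls the GitHub API with the token, it will now be denied instead of silently keeping the old read access, so a full tag run should confirm they need no grants. A comment above the new line would make the intent durable for the next editor, e.g. `# Default-deny: each job declares exactly the token permissions it needs.`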
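Review bot: Removing the `AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }}` line leaves the `SIGN_CLI_SECRET` repository secret and the matching client-secret credential on the Azure app registration unreferenced, but nothing in this commit retires them, so the long-lived credential the OIDC federation is meant to replace stays valid. Deleting the secret from the repository settings and removing the client secret from the app registration (keeping only the federated credential scoped to this repository and the `refs/tags/` ref that the job's `if:` already requires) completes the migration. The `azure/login` step depends on the `id-token: write` grant from hunk 3 and on `sign` picking up the Azure CLI session through its default credential chain now that the explicit `AZURE_CLIENT_ID`/`AZURE_TENANT_ID` env vars are gone — presumably via DefaultAzureCredential, worth confirming on a dry run. The `run:` block of the Sign artifacts step continues outside the hunk.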