Release #49

Workflow file for this run

.github/workflows/release.yml at 80f8ccf

	name: Release

	on:
	workflow_dispatch:
	inputs:
	version:
	description: 'Version'
	required: true
	type: string
	# We use SemVer, anything before 1.0.0 is a pre-release, but this could also include versions like 1.1.0-beta.
	prerelease:
	description: 'Prerelease'
	required: true
	default: true
	type: boolean

	jobs:
	# Special request from @kyle-rader and @goagain, so no one can create an invalid release.
	validate:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Setup Python
	uses: actions/setup-python@v3
	with:
	python-version: '3.10'
	- name: Validate version
	run: echo ${{ github.event.inputs.version }} \| python ./bin/version.py

	build:
	permissions:
	actions: read
	contents: read
	security-events: write
	statuses: write

	runs-on: ${{ matrix.os }}
	needs: [validate]
	strategy:
	matrix:
	# We build on Linux, but don't yet ship Linux because we can't easily sign those releases.
	runtime: [osx-x64, osx-arm64, win10-x64]
	include:
	- runtime: osx-x64
	os: macos-latest
	- runtime: osx-arm64
	os: macos-latest
	- runtime: win10-x64
	os: windows-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v3

	# Initializes the CodeQL tools for scanning.
	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: csharp

	- name: Setup .NET 6
	uses: actions/setup-dotnet@v1
	with:
	dotnet-version: 6.0.x
	- name: Install dependencies
	run: dotnet restore --runtime ${{ matrix.runtime }}
	env:
	ADO_TOKEN: ${{ secrets.ADO_TOKEN }}
	- name: Test
	run: dotnet test --no-restore --configuration release

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2

	- name: Build artifacts
	run: dotnet publish src/AzureAuth/AzureAuth.csproj -p:Version=${{ github.event.inputs.version }} --configuration release --self-contained true --runtime ${{ matrix.runtime }} --output dist/${{ matrix.runtime }}
	env:
	ADO_TOKEN: ${{ secrets.ADO_TOKEN }}

	- name: Upload artifacts
	uses: actions/upload-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
	path: dist/${{ matrix.runtime }}

	sign:
	# This step has to run on Windows because ESRPClient.exe is currently only available for that platform.
	runs-on: windows-latest
	needs: [build]
	strategy:
	matrix:
	runtime: [osx-x64, osx-arm64, win10-x64]
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Setup Python
	uses: actions/setup-python@v3
	with:
	python-version: '3.10'
	- name: Setup NuGet
	uses: NuGet/setup-nuget@v1
	with:
	nuget-version: '5.x'
	- name: Download ESRPClient.exe
	env:
	ESRP_VERSION: ${{ secrets.ESRP_VERSION }}
	NUGET_CREDENTIALS: ${{ secrets.NUGET_CREDENTIALS }}
	run: \|
	nuget sources add -Name esrp -Username esrp-downloader -Password $env:NUGET_CREDENTIALS -Source https://microsoft.pkgs.visualstudio.com/_packaging/ESRP/nuget/v3/index.json
	nuget install Microsoft.EsrpClient -Version "$env:ESRP_VERSION" -OutputDirectory .\esrp -Source https://microsoft.pkgs.visualstudio.com/_packaging/ESRP/nuget/v3/index.json
	- name: Login to Azure
	uses: azure/login@v1
	with:
	creds: ${{ secrets.AZURE_CREDENTIALS }}
	# We need these certificates installed so that we can run ESRPClient.exe.
	- name: Install certificates
	env:
	AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION }}
	AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
	ESRP_AAD_CERT_NAME: ${{ secrets.AZURE_VAULT_ESRP_AAD_CERT_NAME }}
	ESRP_REQ_CERT_NAME: ${{ secrets.AZURE_VAULT_ESRP_REQ_CERT_NAME }}
	run: \|
	az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_AAD_CERT_NAME" -f cert.pfx
	certutil -f -importpfx cert.pfx
	Remove-Item cert.pfx

	az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_REQ_CERT_NAME" -f cert.pfx
	certutil -f -importpfx cert.pfx
	Remove-Item cert.pfx
	# We download all artifacts and overwrite them with signed files, but only upload ones which we can properly sign.
	- name: Download all artifacts
	uses: actions/download-artifact@v3
	- name: Sign artifacts
	env:
	SIGNING_AAD_ID: ${{ secrets.SIGNING_AAD_ID }}
	SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
	SIGNING_KEY_CODE_AUTHENTICODE: ${{ secrets.SIGNING_KEY_CODE_AUTHENTICODE }}
	SIGNING_KEY_CODE_MAC: ${{ secrets.SIGNING_KEY_CODE_MAC }}
	SIGNING_KEY_CODE_LINUX: ${{ secrets.SIGNING_KEY_CODE_LINUX }}
	SIGNING_CUSTOMER_CORRELATION_ID: ${{ secrets.SIGNING_CUSTOMER_CORRELATION_ID }}
	ESRP_CLIENT_EXE: ".\\esrp\\Microsoft.EsrpClient.${{ secrets.ESRP_VERSION }}\\tools\\EsrpClient.exe"
	run: python .\bin\sign.py "$env:ESRP_CLIENT_EXE" --runtime=${{ matrix.runtime }} --source=azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
	- name: Upload signed artifacts
	uses: actions/upload-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}
	path: azureauth-${{ github.event.inputs.version }}-${{ matrix.runtime }}

	# Build and sign Linux binaries on Azure DevOps and publish them to GitHub and packages.microsoft.com.
	linux_release:
	runs-on: ubuntu-latest
	needs: [validate]
	env:
	ADO_LINUX_ARTIFACT_DOWNLOAD_PATH: dist/linux
	ADO_LINUX_ARTIFACT_NAME: ${{ vars.ADO_LINUX_ARTIFACT_NAME }}
	DEBIAN_REVISION: 1
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Setup Python
	uses: actions/setup-python@v3
	with:
	python-version: '3.10'
	- name: Build, Sign and Download Linux Binaries
	run: \|
	pip install -r bin/requirements.txt
	python ./bin/trigger_azure_pipelines.py
	env:
	AZURE_DEVOPS_BUILD_PAT: ${{ secrets.AZURE_DEVOPS_BUILD_PAT }}
	ADO_ORGANIZATION: ${{ secrets.ADO_ORGANIZATION }}
	ADO_PROJECT: ${{ secrets.ADO_PROJECT}}
	ADO_AZUREAUTH_LINUX_PIPELINE_ID: ${{ secrets.ADO_AZUREAUTH_LINUX_PIPELINE_ID }}
	ADO_AZUREAUTH_LINUX_STAGE_ID: ${{ vars.ADO_AZUREAUTH_LINUX_STAGE_ID }}
	VERSION: ${{ github.event.inputs.version }}

	- name: Upload linux artifact
	uses: actions/upload-artifact@v3
	with:
	path: ${{ env.ADO_LINUX_ARTIFACT_DOWNLOAD_PATH }}/${{ env.ADO_LINUX_ARTIFACT_NAME }}/azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_*.deb

	# Currently we package artifacts into the most commonly accessible archive format for their respective platforms.
	package:
	runs-on: ubuntu-latest
	needs: [sign]
	steps:
	- name: Download all artifacts
	uses: actions/download-artifact@v3
	- name: Install Zip
	run: sudo apt install -y zip
	- name: Create win10-x64 archive
	run: \|
	cd azureauth-${{ github.event.inputs.version }}-win10-x64
	zip ../azureauth-${{ github.event.inputs.version }}-win10-x64.zip *
	- name: Upload win10-x64 artifact
	uses: actions/upload-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
	path: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
	- name: Create osx-x64 archive
	run: \|
	cd azureauth-${{ github.event.inputs.version }}-osx-x64
	chmod +x azureauth createdump *.dylib
	tar -czf ../azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz *
	- name: Upload osx-x64 artifact
	uses: actions/upload-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
	path: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
	- name: Create osx-arm64 archive
	run: \|
	cd azureauth-${{ github.event.inputs.version }}-osx-arm64
	chmod +x azureauth createdump *.dylib
	tar -czf ../azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz *
	- name: Upload osx-arm64 artifact
	uses: actions/upload-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
	path: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz

	release:
	runs-on: ubuntu-latest
	needs: [package, linux_release]
	# The 'release' environment is what requires reviews before creating the release.
	environment:
	name: release
	# These permissions are required in order to use `softprops/action-gh-release` to upload.
	permissions:
	contents: write
	env:
	DEBIAN_REVISION: 1
	steps:
	- name: Download win10-x64 artifact
	uses: actions/download-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-win10-x64.zip
	- name: Download osx-x64 artifact
	uses: actions/download-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
	- name: Download osx-arm64 artifact
	uses: actions/download-artifact@v3
	with:
	name: azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
	- name: Create Release
	uses: softprops/action-gh-release@v1
	with:
	name: ${{ github.event.inputs.version }}
	body: "Release ${{ github.event.inputs.version }}. See [`CHANGELOG.md`](https://github.com/AzureAD/microsoft-authentication-cli/blob/${{ github.event.inputs.version }}/CHANGELOG.md) for updates."
	tag_name: ${{ github.event.inputs.version }}
	prerelease: ${{ github.event.inputs.prerelease }}
	files: \|
	azureauth-${{ github.event.inputs.version }}-win10-x64.zip
	azureauth-${{ github.event.inputs.version }}-osx-x64.tar.gz
	azureauth-${{ github.event.inputs.version }}-osx-arm64.tar.gz
	azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_amd64.deb
	azureauth_${{ github.event.inputs.version }}-${{ env.DEBIAN_REVISION }}_arm64.deb

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release #49

Workflow file

Release #49

Jobs

Run details

Workflow file for this run