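# This workflow builds, tests, signs and packs the release branches for EPPlus.
# It also generates and publishes an SBOM per target framework.
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
#
# Repository secrets used below (names as configured in the repository):
#   EPPLUS_CODE_SIGNING_KEY_VAULT_URL, EPPLUS_CODE_SIGNING_APPLICATION_ID,
#   EPPLUS_CODE_SIGNING_TENENT_ID, EPPLUS_CODE_SIGNING_SECRET,
#   EPPLUS_CODE_SIGNING_CERTIFICATE_NAME, EPPLUS_CODE_SIGNING_SUBSCRIPTION_ID.
# Secrets are handed to steps through `env:` and read as `$env:NAME` in pwsh
# instead of being interpolated into the command text with `${{ }}`.
#
# In `run:` steps using pwsh, GitHub Actions only propagates the exit code of the
# LAST command, so every native tool call inside a loop is followed by an
# explicit `$LASTEXITCODE` check; otherwise a failed signature or upload would
# leave the step green and an unsigned/unpublished artifact behind.
name: Build Release Branches

on:
  push:
    branches: ["release/**"]
  # NOTE(review): pull_request runs also reach the signing and blob-upload steps
  # below (fork PRs have no secrets and fail at Azure login; same-repo PRs do
  # not). If signing/publishing on PRs is unintended, gate those steps with
  # `if: github.event_name == 'push'`.
  pull_request:
    branches: ["release/**"]

# Least privilege for GITHUB_TOKEN: checkout needs read access only; artifact
# upload and the Key Vault based signing do not rely on GITHUB_TOKEN scopes.
permissions:
  contents: read

jobs:
  build:
    runs-on: windows-latest
    steps:
      # NOTE(review): actions are pinned by major tag. For a signing pipeline,
      # pinning each action to a full commit SHA gives stronger supply-chain
      # guarantees (no SHAs are recorded here; look them up when pinning).
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "9.0.x"

      # --- Read version and TFMs from csproj ---
      # Exports VERSION and TFMS (semicolon-separated TargetFrameworks) for
      # later steps via GITHUB_ENV.
      - name: Read version and target frameworks from csproj
        id: read_csproj
        run: |
          $xml = [xml](Get-Content ./src/EPPlus/EPPlus.csproj)
          $version = $xml.Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
          $tfms = $xml.Project.PropertyGroup.TargetFrameworks | Where-Object { $_ } | Select-Object -First 1
          echo "VERSION=$version" >> $env:GITHUB_ENV
          echo "TFMS=$tfms" >> $env:GITHUB_ENV
        shell: pwsh

      - name: Restore dependencies
        run: dotnet restore ./src/EPPlus.sln

      - name: Build
        run: dotnet build ./src/EPPlus.sln --no-restore --configuration Release

      - name: Test
        run: dotnet test ./src/EPPlus.sln --no-build --verbosity normal --configuration Release

      - name: Install AzureSignTool
        run: dotnet tool install --global AzureSignTool --version 6.0.0

      # NOTE(review): unpinned tool version; pin `--version` (as done for
      # AzureSignTool above) so the signing toolchain is reproducible and
      # auditable.
      - name: Install NuGetKeyVaultSignTool
        run: dotnet tool install --global NuGetKeyVaultSignTool

      - name: Add .NET tools to PATH
        run: echo "${{ runner.tool_cache }}/.dotnet/tools" >> $env:GITHUB_PATH

      # Service-principal login; `creds` is the JSON shape Azure/login@v2 accepts.
      - name: Authenticate to Azure
        uses: Azure/login@v2
        with:
          creds: '{"clientId":"${{ secrets.EPPLUS_CODE_SIGNING_APPLICATION_ID }}","clientSecret":"${{ secrets.EPPLUS_CODE_SIGNING_SECRET }}","subscriptionId":"${{ secrets.EPPLUS_CODE_SIGNING_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.EPPLUS_CODE_SIGNING_TENENT_ID }}"}'

      # --- Sign DLLs ---
      # One step signs every shipped assembly for every TFM (same commands and
      # order as three separate per-assembly steps would produce).
      - name: Sign assemblies with AzureSignTool
        env:
          KV_URL: ${{ secrets.EPPLUS_CODE_SIGNING_KEY_VAULT_URL }}
          KV_CLIENT_ID: ${{ secrets.EPPLUS_CODE_SIGNING_APPLICATION_ID }}
          KV_TENANT_ID: ${{ secrets.EPPLUS_CODE_SIGNING_TENENT_ID }}
          KV_CLIENT_SECRET: ${{ secrets.EPPLUS_CODE_SIGNING_SECRET }}
          KV_CERT_NAME: ${{ secrets.EPPLUS_CODE_SIGNING_CERTIFICATE_NAME }}
        run: |
          $tfms = $env:TFMS -split ";"
          $projects = @("EPPlus", "EPPlus.Interfaces", "EPPlus.System.Drawing")
          foreach ($project in $projects) {
            foreach ($tfm in $tfms) {
              $tfm = $tfm.Trim()
              if ([string]::IsNullOrEmpty($tfm)) { continue }
              $dll = ".\src\$($project)\bin\Release\$($tfm)\$($project).dll"
              Write-Host "Signing $dll"
              azuresigntool.exe sign -kvu $env:KV_URL -kvi $env:KV_CLIENT_ID -kvt $env:KV_TENANT_ID -kvs $env:KV_CLIENT_SECRET -kvc $env:KV_CERT_NAME -tr http://timestamp.globalsign.com/tsa/advanced -td sha256 "$dll"
              # Fail the step on the first signing error instead of packing an unsigned DLL.
              if ($LASTEXITCODE -ne 0) { throw "Signing failed for $dll (exit code $LASTEXITCODE)" }
            }
          }
        shell: pwsh

      # --- Pack and sign NuGet package ---
      - name: Pack NuGet package
        run: dotnet pack ./src/EPPlus.sln --configuration Release --output ./output

      - name: Sign NuGet package
        env:
          KV_URL: ${{ secrets.EPPLUS_CODE_SIGNING_KEY_VAULT_URL }}
          KV_CLIENT_ID: ${{ secrets.EPPLUS_CODE_SIGNING_APPLICATION_ID }}
          KV_TENANT_ID: ${{ secrets.EPPLUS_CODE_SIGNING_TENENT_ID }}
          KV_CLIENT_SECRET: ${{ secrets.EPPLUS_CODE_SIGNING_SECRET }}
          KV_CERT_NAME: ${{ secrets.EPPLUS_CODE_SIGNING_CERTIFICATE_NAME }}
        run: |
          NuGetKeyVaultSignTool.exe sign -kvu $env:KV_URL -kvc $env:KV_CERT_NAME -kvi $env:KV_CLIENT_ID -kvs $env:KV_CLIENT_SECRET -kvt $env:KV_TENANT_ID -tr http://timestamp.globalsign.com/tsa/advanced -fd sha256 -td sha256 -own EPPlusSoftware ".\output\*.nupkg"
        shell: pwsh

      - name: Upload NuGet package as artifact
        uses: actions/upload-artifact@v4
        with:
          name: signed-nuget-package
          path: ./output/*.nupkg

      # --- SBOM (after build to avoid CycloneDX overwriting project.assets.json) ---
      # NOTE(review): unpinned tool version; pin `--version` for reproducibility.
      - name: Install CycloneDX
        run: dotnet tool install --global CycloneDX

      - name: Generate combined SBOM
        run: dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv $env:VERSION -fn "epplus-$($env:VERSION).sbom.json" -imp ./src/EPPlus/sbom-metadata-template.xml --spec-version 1.6
        shell: pwsh

      - name: Generate per-TFM SBOMs
        run: |
          $tfms = $env:TFMS -split ";"
          foreach ($tfm in $tfms) {
            $tfm = $tfm.Trim()
            if ([string]::IsNullOrEmpty($tfm)) { continue }
            Write-Host "Generating SBOM for $tfm"
            dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv $env:VERSION -fn "epplus-$($env:VERSION).$($tfm).sbom.json" -imp ./src/EPPlus/sbom-metadata-template.xml --framework $tfm --spec-version 1.6
            # A missing per-TFM SBOM must not go unnoticed.
            if ($LASTEXITCODE -ne 0) { throw "SBOM generation failed for $tfm (exit code $LASTEXITCODE)" }
          }
        shell: pwsh

      # Writes `<sha256> <filename>` next to each SBOM (sha256sum-compatible line).
      - name: Generate SHA-256 checksums for all SBOMs
        run: |
          Get-ChildItem -Path "./sbom" -Filter "*.sbom.json" | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            "$hash $($_.Name)" | Out-File -FilePath "$($_.FullName).sha256" -Encoding utf8NoBOM
            Write-Host "Checksum generated for $($_.Name): $hash"
          }
        shell: pwsh

      # Uses the Azure/login session from above (`--auth-mode login`).
      - name: Upload all SBOMs to Azure Blob Storage
        run: |
          Get-ChildItem -Path "./sbom" | ForEach-Object {
            Write-Host "Uploading $($_.Name)"
            az storage blob upload `
              --account-name eppluswebprod `
              --container-name sbom `
              --name $_.Name `
              --file $_.FullName `
              --auth-mode login `
              --overwrite
            # Surface a failed upload instead of silently publishing a partial set.
            if ($LASTEXITCODE -ne 0) { throw "Upload failed for $($_.Name) (exit code $LASTEXITCODE)" }
          }
        shell: pwsh

      - name: Upload all SBOMs as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: ./sbom/
      # --- SBOM ---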