diff --git a/.github/workflows/publish.nuget.strong.named.yml b/.github/workflows/publish.nuget.strong.named.yml
new file mode 100644
index 00000000..9f1d3f5e
--- /dev/null
+++ b/.github/workflows/publish.nuget.strong.named.yml
@@ -0,0 +1,72 @@
+name: Publish strong-named assemblies to NuGet
+
+on:
+ workflow_dispatch:
+ inputs:
+ publish:
+ description: 'Publish to NuGet (uncheck to build only)'
+ required: false
+ default: 'true'
+ type: boolean
+
+
+jobs:
+ publish-nuget:
+ environment: prod
+ runs-on: ubuntu-latest
+
+ defaults:
+ run:
+ shell: bash
+ working-directory: ./sdk/dotNet
+
+ steps:
+ - name: Get the source code
+ uses: actions/checkout@v4
+
+ - name: Setup .NET 6
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: 6.0.x
+
+ - name: Retrieve secrets from KSM
+ id: ksmsecrets
+ uses: Keeper-Security/ksm-action@master
+ with:
+ keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }}
+ secrets: |
+ Sq4nnb5HXXNp1l6KryXynw/field/password > NUGET_AUTH_TOKEN
+ Sq4nnb5HXXNp1l6KryXynw/file/sgKSM.snk > file:${{ github.workspace }}/sdk/dotNet/SecretsManager/sgKSM.snk
+
+ - name: Install dependencies
+ run: dotnet restore
+
+ - name: "Preparing package for strong naming"
+ working-directory: ./SecretsManager
+ run: |
+ pwd
+ ls -lah
+ cp -f SecretsManager.csproj SecretsManager.StrongName.csproj
+ ls -lah
+ sed -i 's/Keeper.SecretsManager<\/PackageId>/Keeper.SecretsManager.StrongName<\/PackageId>/g' SecretsManager.StrongName.csproj
+ cat SecretsManager.StrongName.csproj
+
+ - name: Build
+ working-directory: ./SecretsManager
+ run: |
+ pwd
+ ls -lah
+ dotnet build SecretsManager.StrongName.csproj --configuration Release --no-restore -p:SignKSM=True
+
+ - name: Cleanup temp files
+ working-directory: ./SecretsManager
+ run: |
+ ls -lah
+ rm -f sgKSM.snk
+
+ - name: Publish package
+ if: ${{ github.event.inputs.publish == 'true' }}
+ working-directory: ./SecretsManager
+ run: |
+ ls -lah ./bin/Release/
+ dotnet nuget push bin/Release/*.nupkg --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json
diff --git a/.github/workflows/publish.nuget.yml b/.github/workflows/publish.nuget.yml
index 00e8c482..d4f0450a 100644
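Review bot: In the new publish.nuget.strong.named.yml, the `Retrieve secrets from KSM` step runs `Keeper-Security/ksm-action@master`, a mutable branch ref, in the one step that receives `secrets.KSM_KSM_CONFIG` and writes out both the NuGet API key and the `sgKSM.snk` signing key. Whatever commit `master` points to at run time is handed those credentials, so the ref should be pinned to a reviewed full commit SHA, e.g. `uses: Keeper-Security/ksm-action@<full-commit-sha>  # <release tag>`. The same `@master` ref appears in both `Retrieve secrets from KSM` steps of publish.nuget.yml. The new workflow also declares no `permissions:` block; a top-level `permissions:` with `contents: read` would keep the GITHUB_TOKEN read-only for a job that only needs checkout.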
--- a/.github/workflows/publish.nuget.yml +++ b/.github/workflows/publish.nuget.yml @@ -1,6 +1,13 @@ name: Publish to NuGet + on: workflow_dispatch: + inputs: + publish: + description: 'Publish to NuGet (uncheck to build only)' + required: false + default: 'true' + type: boolean jobs: publish-nuget: @@ -9,23 +16,62 @@ jobs: defaults: run: + working-directory: ./sdk/dotNet steps: - name: Get the source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup .NET 6 - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v4 with: dotnet-version: 6.0.x + - name: Retrieve secrets from KSM + id: ksmsecrets + uses: Keeper-Security/ksm-action@master + with: + keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} + secrets: | + Sq4nnb5HXXNp1l6KryXynw/field/password > NUGET_AUTH_TOKEN + - name: Install dependencies run: dotnet restore - name: Build run: dotnet build --configuration Release --no-restore + - name: Publish package + if: ${{ github.event.inputs.publish == 'true' }} + run: dotnet nuget push ./SecretsManager/bin/Release/*.nupkg --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json + + - name: Upload non-strong-named binaries + if: ${{ github.event.inputs.publish == 'false' }} + uses: actions/upload-artifact@v4 + with: + name: non-strong-named-binaries-${{ github.run_number }} + path: | + ${{ github.workspace }}/sdk/dotNet/SecretsManager/bin/Release/*.nupkg + + publish-nuget-strongname: + environment: prod + runs-on: windows-latest + + defaults: + run: + shell: powershell + working-directory: .\sdk\dotNet + + steps: + - name: Get the source code + uses: actions/checkout@v4 + + - name: Setup .NET 6 + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 6.0.x + - name: Retrieve secrets from KSM id: ksmsecrets uses: Keeper-Security/ksm-action@master 
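Review bot: The added `Publish package` step of `publish-nuget` expands `${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}}` directly into the `run:` text, so the API key is written into the generated script file and any shell metacharacter in the value is interpreted as script rather than data. Pass it through the step environment instead: add `env:` with `NUGET_AUTH_TOKEN: ${{ steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN }}` and push with `--api-key "$NUGET_AUTH_TOKEN"`. The `Publish package` steps of `publish-nuget-strongname` (there `$env:NUGET_AUTH_TOKEN` under PowerShell) and of publish.nuget.strong.named.yml use the same pattern. The token is also fetched on build-only runs where `publish` is `false`, which looks unnecessary if the KSM step can be gated the same way. The `publish-nuget-strongname` job started in this hunk continues in the next one.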
@@ -33,6 +79,68 @@ jobs: keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} secrets: | Sq4nnb5HXXNp1l6KryXynw/field/password > NUGET_AUTH_TOKEN + Sq4nnb5HXXNp1l6KryXynw/file/sgKSM.snk > file:${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk + + - name: Extract and Update Public Key in SecretsManagerClient.cs + run: | + $snPath = "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe" + $snkPath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" + $publicKeyPath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.pub" + & $snPath -p $snkPath $publicKeyPath + $publicKeyInfo = & $snPath -tp $publicKeyPath + # Filter and join the lines of the public key + $publicKeyLines = $publicKeyInfo -split "`n" | Where-Object { $_ -match "^[a-f0-9\s]+$" } + $publicKey = $publicKeyLines -join "" -replace "\s", "" + + if (-not $publicKey) { + Write-Error "Failed to extract the full public key." + exit 1 + } + + Write-Output "Extracted Public Key: $publicKey" + $filePath = "${{ github.workspace }}\sdk\dotNet\SecretsManager\SecretsManagerClient.cs" + (Get-Content $filePath) -replace '\[assembly: InternalsVisibleTo\("SecretsManager.Test.Core"\)\]', "[assembly: InternalsVisibleTo(`"SecretsManager.Test.Core, PublicKey=$publicKey`")]" | Set-Content $filePath + Write-Output "First 20 lines of the modified SecretsManagerClient.cs:" + Get-Content $filePath -Head 20 + + - name: Install dependencies + run: dotnet restore + + - name: "Preparing package for strong naming" + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + pwd + Get-ChildItem + Copy-Item -Path "SecretsManager.csproj" -Destination "SecretsManager.StrongName.csproj" + (Get-Content -Path "SecretsManager.StrongName.csproj") -replace 'Keeper.SecretsManager', 'Keeper.SecretsManager.StrongName' | Set-Content -Path "SecretsManager.StrongName.csproj" + Get-Content "SecretsManager.StrongName.csproj" + Copy-Item -Path "${{ github.workspace 
}}\sdk\dotNet\SecretsManager\sgKSM.snk" -Destination "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\sgKSM.snk" + Get-ChildItem "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\" + + - name: Build + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + pwd + Get-ChildItem + dotnet build "SecretsManager.StrongName.csproj" --configuration Release --no-restore -p:SignKSM=True + + - name: Cleanup secret files + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + Remove-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager\sgKSM.snk" + Remove-Item -Path "${{ github.workspace }}\sdk\dotNet\SecretsManager.Test.Core\sgKSM.snk" - name: Publish package - run: dotnet nuget push ./SecretsManager/bin/Release/*.nupkg --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json + if: ${{ github.event.inputs.publish == 'true' }} + working-directory: ${{ github.workspace }}\sdk\dotNet\SecretsManager\ + run: | + Get-ChildItem ".\bin\Release\" + dotnet nuget push ".\bin\Release\*.nupkg" --api-key ${{steps.ksmsecrets.outputs.NUGET_AUTH_TOKEN}} --source https://api.nuget.org/v3/index.json + + - name: Upload strong-named binaries + if: ${{ github.event.inputs.publish == 'false' }} + uses: actions/upload-artifact@v4 + with: + name: strong-named-binaries-${{ github.run_number }} + path: | + ${{ github.workspace }}\sdk\dotNet\SecretsManager\bin\Release\*.nupkg \ No newline at end of file diff --git a/sdk/dotNet/README.md b/sdk/dotNet/README.md index 9deb1b5c..8fe9b97a 100644 --- a/sdk/dotNet/README.md +++ b/sdk/dotNet/README.md @@ -5,6 +5,7 @@ ## 16.6.6 +* KSM-360 - GHA to build and release strong named assemblies * KSM-490 - Switch some internal classes to public - for use in plugins * KSM-515 - Update to Bouncy Castle 2.4.0 
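Review bot: `Cleanup secret files` in `publish-nuget-strongname` runs only when every earlier step succeeded, so a failed `Build`, or the `exit 1` path of the public-key extraction step, ends the job with both copies of `sgKSM.snk` still on disk. Add `if: ${{ always() }}` to the step and make the deletes tolerate a missing file, e.g. `Remove-Item -Path "<path>\sgKSM.snk" -ErrorAction SilentlyContinue`. `Cleanup temp files` in publish.nuget.strong.named.yml needs the same `if:`; its `rm -f` already tolerates a missing file. Hosted runners are discarded after the job, but the private key's removal should not depend on that. Writing the key under `${{ runner.temp }}` instead of the project directories would also keep it away from the later pack and `upload-artifact` paths, though that needs the csproj key path to be overridable, which is not visible in this diff.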
diff --git a/sdk/dotNet/SecretsManager.Test.Core/SecretsManager.Test.Core.csproj b/sdk/dotNet/SecretsManager.Test.Core/SecretsManager.Test.Core.csproj index 598ad363..b70d7b7b 100644 --- a/sdk/dotNet/SecretsManager.Test.Core/SecretsManager.Test.Core.csproj +++ b/sdk/dotNet/SecretsManager.Test.Core/SecretsManager.Test.Core.csproj @@ -19,4 +19,9 @@ + + True + sgKSM.snk + + diff --git a/sdk/dotNet/SecretsManager/SecretsManager.csproj b/sdk/dotNet/SecretsManager/SecretsManager.csproj index 69535524..d66ed58b 100644 --- a/sdk/dotNet/SecretsManager/SecretsManager.csproj +++ b/sdk/dotNet/SecretsManager/SecretsManager.csproj @@ -16,7 +16,7 @@ https://github.com/Keeper-Security/secrets-manager GitHub keeper secrets manager passwords - © 2023 Keeper Security, Inc. + © 2024 Keeper Security, Inc. https://raw.githubusercontent.com/Keeper-Security/secrets-manager/master/LICENSE?token=AACNMRVMD5L3PYT3C5MTNF3BEAFZY true @@ -26,4 +26,9 @@ + + + True + sgKSM.snk +