release.yml
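# Release workflow: runs on every push to main.
# NOTE(review): the name below may be a typo for "Run Release Please"; left
# unchanged because badges or required checks may reference it.
name: Run Release Release

on:
  push:
    branches:
      - main

# Workflow-level default for the job token. Every job in this file declares its
# own `permissions:` block, which replaces this default for that job, so an
# empty default changes nothing for them. It ensures a job added later without
# its own block starts with no token permissions instead of write access.
permissions: {}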
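jobs:
  # Runs release-please on each push to main and exposes whether a release was
  # created, plus its tag name, to the downstream `release` job.
  release-please:
    # Job-scoped GITHUB_TOKEN permissions. The action below is handed
    # secrets.RELEASE_PLEASE_ACTION_TOKEN through `token`, so these grants may
    # not be what it authenticates with.
    # NOTE(review): confirm which of them are actually required.
    permissions:
      # Allows this job to request a GitHub OIDC token. Nothing visible in this
      # job consumes one.
      # NOTE(review): if unused, drop it so that only the environment-gated
      # `release` job can obtain OIDC tokens for this workflow file.
      id-token: write
      contents: write # for googleapis/release-please-action to create release commit
      pull-requests: write # for googleapis/release-please-action to create release PR
    runs-on: ubuntu-latest

    steps:
      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
        id: release
        with:
          token: ${{secrets.RELEASE_PLEASE_ACTION_TOKEN}}

    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      release_tag_name: ${{ steps.release.outputs.tag_name }}

  # Builds, publishes and attests the NuGet packages. Runs only when the
  # release-please job reports that a release was created, and is bound to the
  # `publish` environment.
  release:
    environment: publish
    runs-on: ubuntu-latest
    needs: release-please
    permissions:
      # GitHub OIDC token issuance for this job: used by the NuGet login step;
      # actions/attest also requires it.
      id-token: write
      contents: write # for SBOM release
      attestations: write # for actions/attest to create attestation
      packages: read # for internal nuget reading
    # release_created arrives as a string; fromJSON turns it into a boolean and
    # `|| false` covers the case where the output is empty.
    if: ${{ fromJSON(needs.release-please.outputs.release_created || false) }}

    steps:
      # fetch-depth: 0 fetches the full history instead of a shallow clone.
      # NOTE(review): persist-credentials is left at its default, so the job
      # token stays available to git in later steps. Set
      # `persist-credentials: false` if no later step needs git access.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0

      - name: Setup .NET SDK
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
        with:
          global-json-file: global.json

      # NOTE(review): this job publishes and attests packages, and restore-keys
      # accepts any cache whose key starts with the prefix below. Confirm that
      # only trusted workflows can write caches this job may restore, or skip
      # the cache for release builds so packages are always freshly restored.
      - name: Cache NuGet packages
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', 'Directory.Packages.props', 'global.json') }}
          restore-keys: |
            ${{ runner.os }}-nuget-

      - name: Install dependencies
        run: dotnet restore

      - name: Pack
        run: dotnet pack -c Release --no-restore

      # Get a short-lived NuGet API key
      - name: NuGet login (OIDC → temp API key)
        uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1
        id: login
        with:
          user: ${{secrets.NUGET_USER}}

      # The key is handed to the shell through the environment rather than
      # expanded into the script text, so its value is never parsed as shell
      # syntax and does not appear in the generated script.
      - name: Publish to Nuget
        env:
          NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
        run: dotnet nuget push "src/**/*.nupkg" --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json

      - name: Generate artifact attestation
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: "src/**/*.nupkg"

      # Process OpenFeature project
      - name: Generate and Attest SBOM for OpenFeature
        uses: ./.github/actions/sbom-generator
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          project-name: OpenFeature
          release-tag: ${{ needs.release-please.outputs.release_tag_name }}

      # Process OpenFeature.Hosting project
      - name: Generate and Attest SBOM for OpenFeature.Hosting
        uses: ./.github/actions/sbom-generator
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          project-name: OpenFeature.Hosting
          release-tag: ${{ needs.release-please.outputs.release_tag_name }}

      # Process OpenFeature.Providers.MultiProvider project
      - name: Generate and Attest SBOM for OpenFeature.Providers.MultiProvider
        uses: ./.github/actions/sbom-generator
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          project-name: OpenFeature.Providers.MultiProvider
          release-tag: ${{ needs.release-please.outputs.release_tag_name }}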