code-signing-action/action.yml at main · ImageMagick/code-signing-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Code Signing
description: Sign files using Azure Trusted Signing
inputs:
  client-id:
    description: Azure Client ID
  tenant-id:
    description: Azure Tenant ID
  subscription-id:
    description: Azure Subscription ID
  directory:
    description: Directory containing files to sign
    required: true
  files:
    description: The files to sign
    required: true

runs:
  using: composite
  steps:
    - name: Check if signing should be performed
      id: should_sign
      shell: pwsh
      run: |
        $shouldSign = $true

        if ("${{inputs.client-id}}" -eq "") {
          echo "Missing required value: client-id"
          $shouldSign = $false
        }

        if ("${{inputs.tenant-id}}" -eq "") {
          echo "Missing required value: tenant-id"
          $shouldSign = $false
        }

        if ("${{inputs.subscription-id}}" -eq "") {
          echo "Missing required value: subscription-id"
          $shouldSign = $false
        }

        echo "should_sign=$shouldSign" >> $env:GITHUB_OUTPUT
        echo "Should sign: $shouldSign"

    - name: Azure CLI login with federated credential
      if: steps.should_sign.outputs.should_sign == 'true'
      uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 #v3.0.0
      with:
        client-id: ${{ inputs.client-id }}
        tenant-id: ${{ inputs.tenant-id }}
        subscription-id: ${{ inputs.subscription-id }}

    - name: Install sign cli
      if: steps.should_sign.outputs.should_sign == 'true'
      shell: cmd
      run: dotnet tool restore
      working-directory: ${{ github.action_path }}

    - name: Sign executables and libraries
      if: steps.should_sign.outputs.should_sign == 'true'
      shell: pwsh
      run: |
        dotnet tool run sign code artifact-signing `
          --base-directory ${{ inputs.directory }} `
          --artifact-signing-account ImageMagick `
          --artifact-signing-certificate-profile ImageMagick2028 `
          --artifact-signing-endpoint https://wus2.codesigning.azure.net `
          --azure-credential-type azure-cli `
          --verbosity information `
          ${{ inputs.files }}
      working-directory: ${{ github.action_path }}