Use managed identity for signing

Author: bradwilson

.config/dotnet-tools.json

@@ -3,10 +3,11 @@
   "isRoot": true,
   "tools": {
     "sign": {
-      "version": "0.9.1-beta.23203.3",
+      "version": "0.9.1-beta.25330.2",
       "commands": [
         "sign"
-      ]
+      ],
+      "rollForward": false
     }
   }
-}
+}

.github/workflows/push-main.yaml renamed to .github/workflows/ci-signed.yaml

@@ -1,14 +1,18 @@
-name: "CI Build (main)"
+name: "CI Build (signed)"
 on:
   push:
     branches:
       - main
+      - 'rel/**'
   workflow_dispatch:
 
 jobs:
-  build:
+  deployment:
     name: "Build"
     runs-on: windows-latest
+    environment: signing
+    permissions:
+      id-token: write  # Required for Azure CLI Login
     env:
       DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_DISABLE: true
       DOTNET_NOLOGO: true
@@ -32,17 +36,21 @@ jobs:
       - name: Get .NET information
         run: dotnet --info
 
+      - name: Login to Azure CLI
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.KEYVAULT_APP_ID }}
+          tenant-id: ${{ vars.KEYVAULT_TENANT_ID }}
+          subscription-id: ${{ vars.KEYVAULT_SUBSCRIPTION_ID }}
+
       - name: "Build target: BuildAll & PublishPackages"
         env:
-          PUSH_APIKEY: ${{ secrets.PUSH_APIKEY }}
-          PUSH_URI: ${{ secrets.PUSH_URI }}
-          SIGN_APP_ID: ${{ secrets.SIGN_APP_ID }}
-          SIGN_APP_SECRET: ${{ secrets.SIGN_APP_SECRET }}
-          SIGN_CERT_NAME: ${{ secrets.SIGN_CERT_NAME }}
-          SIGN_SUBSCRIPTION: ${{ secrets.SIGN_SUBSCRIPTION }}
-          SIGN_TENANT: ${{ secrets.SIGN_TENANT }}
-          SIGN_TIMESTAMP_URI: ${{ secrets.SIGN_TIMESTAMP_URI }}
-          SIGN_VAULT_URI: ${{ secrets.SIGN_VAULT_URI }}
+          PUSH_APIKEY: ${{ secrets.FEEDZ_PUSH_KEY }}
+          PUSH_URI: ${{ vars.FEEDZ_PUSH_URL }}
+          SIGN_APP_ID: ${{ vars.KEYVAULT_APP_ID }}
+          SIGN_CERT_NAME: ${{ vars.KEYVAULT_CERT_NAME }}
+          SIGN_TIMESTAMP_URI: ${{ vars.KEYVAULT_TIMESTAMP_URL }}
+          SIGN_VAULT_URI: ${{ vars.KEYVAULT_URL }}
         run: dotnet run --project tools/builder --no-launch-profile -- BuildAll PublishPackages --timing
 
       - name: "Upload artifact: test"
@@ -65,6 +73,5 @@ jobs:
         uses: ctrf-io/github-test-reporter@v1
         with:
           report-path: './artifacts/test/*.ctrf'
-          summary-report: true
           github-report: true
         if: always()

.github/workflows/ci-unsigned.yaml

@@ -0,0 +1,60 @@
+name: "CI Build (unsigned)"
+on:
+  push:
+    branches-ignore:
+      - main
+      - 'rel/**'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: "Build"
+    runs-on: windows-latest
+    env:
+      DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_DISABLE: true
+      DOTNET_NOLOGO: true
+    steps:
+      - name: Clone source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Add MSBuild to PATH
+        uses: microsoft/setup-msbuild@v2
+
+      - name: Install .NET SDK
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: |
+            8.0.x
+            9.0.x
+
+      - name: Get .NET information
+        run: dotnet --info
+
+      - name: "Build target: BuildAll"
+        run: dotnet run --project tools/builder --no-launch-profile -- BuildAll --timing
+
+      - name: "Upload artifact: test"
+        uses: actions/upload-artifact@v4
+        with:
+          name: test
+          path: artifacts/test
+          compression-level: 9
+        if: always()
+
+      - name: "Upload artifact: packages"
+        uses: actions/upload-artifact@v4
+        with:
+          name: packages
+          path: artifacts/packages
+          compression-level: 0
+        if: always()
+
+      - name: Publish Test Report
+        uses: ctrf-io/github-test-reporter@v1
+        with:
+          report-path: './artifacts/test/*.ctrf'
+          github-report: true
+        if: always()

.github/workflows/pull-request.yaml

@@ -45,7 +45,6 @@ jobs:
         uses: ctrf-io/github-test-reporter@v1
         with:
           report-path: './artifacts/test/*.ctrf'
-          summary-report: true
           github-report: true
           pull-request: true
           update-comment: true

src/Directory.Build.props

@@ -101,6 +101,7 @@
       <PrereleaseSuffix Condition=" '$(GITHUB_ACTIONS)' != 'true' ">-dev</PrereleaseSuffix>
       <!-- Never put the Git hash in the package version -->
       <PackageVersion>$(BuildVersionSimple)$(PrereleaseVersion)$(PrereleaseSuffix)</PackageVersion>
+      <PackageReleaseNotes>https://xunit.net/releases/visualstudio/$(PackageVersion)</PackageReleaseNotes>
       <!-- Pass through values we don't know ahead of time for any hand-crafted .nuspec files -->
       <NuspecProperties>
         Configuration=$(Configuration);