Use managed identity for signing

Author: bradwilson

.config/dotnet-tools.json

@@ -3,10 +3,11 @@
   "isRoot": true,
   "tools": {
     "sign": {
-      "version": "0.9.1-beta.23203.3",
+      "version": "0.9.1-beta.25330.2",
       "commands": [
         "sign"
-      ]
+      ],
+      "rollForward": false
     }
   }
-}
+}

.github/workflows/push-main.yaml renamed to .github/workflows/ci-signed.yaml

@@ -1,4 +1,4 @@
-name: xUnit.net Analyzers CI Build
+name: xUnit.net Analyzers CI Build (signed)
 on:
   push:
     branches:
@@ -7,9 +7,10 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
+  deployment:
     name: "Build"
     runs-on: windows-latest
+    environment: signing
     env:
       DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_DISABLE: true
       DOTNET_NOLOGO: true
@@ -30,20 +31,24 @@ jobs:
       - name: Get .NET information
         run: dotnet --info
 
+      - name: Login to Azure CLI
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.KEYVAULT_APP_ID }}
+          tenant-id: ${{ vars.KEYVAULT_TENANT_ID }}
+          subscription-id: ${{ vars.KEYVAULT_SUBSCRIPTION_ID }}
+
       - name: "Build target: BuildAll"
         run: dotnet run --project tools/builder --no-launch-profile -- BuildAll --timing
 
       - name: "Build target: PublishPackages"
         env:
-          PUSH_APIKEY: ${{ secrets.PUSH_APIKEY }}
-          PUSH_URI: ${{ secrets.PUSH_URI }}
-          SIGN_APP_ID: ${{ secrets.SIGN_APP_ID }}
-          SIGN_APP_SECRET: ${{ secrets.SIGN_APP_SECRET }}
-          SIGN_CERT_NAME: ${{ secrets.SIGN_CERT_NAME }}
-          SIGN_SUBSCRIPTION: ${{ secrets.SIGN_SUBSCRIPTION }}
-          SIGN_TENANT: ${{ secrets.SIGN_TENANT }}
-          SIGN_TIMESTAMP_URI: ${{ secrets.SIGN_TIMESTAMP_URI }}
-          SIGN_VAULT_URI: ${{ secrets.SIGN_VAULT_URI }}
+          PUSH_APIKEY: ${{ secrets.FEEDZ_PUSH_KEY }}
+          PUSH_URI: ${{ vars.FEEDZ_PUSH_URL }}
+          SIGN_APP_ID: ${{ vars.KEYVAULT_APP_ID }}
+          SIGN_CERT_NAME: ${{ vars.KEYVAULT_CERT_NAME }}
+          SIGN_TIMESTAMP_URI: ${{ vars.KEYVAULT_TIMESTAMP_URL }}
+          SIGN_VAULT_URI: ${{ vars.KEYVAULT_URL }}
         run: dotnet run --project tools/builder --no-launch-profile -- PublishPackages --timing
 
       - name: "Upload artifact: test"
@@ -66,6 +71,5 @@ jobs:
         uses: ctrf-io/github-test-reporter@v1
         with:
           report-path: './artifacts/test/*.ctrf'
-          summary-report: true
           github-report: true
         if: always()

.github/workflows/ci-unsigned.yaml

@@ -0,0 +1,57 @@
+name: xUnit.net Analyzers CI Build (unsigned)
+on:
+  push:
+    branches-ignore:
+      - main
+      - 'rel/**'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: "Build"
+    runs-on: windows-latest
+    env:
+      DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_DISABLE: true
+      DOTNET_NOLOGO: true
+    steps:
+      - name: Clone source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Install .NET SDK
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: |
+            8.0.x
+            9.0.x
+
+      - name: Get .NET information
+        run: dotnet --info
+
+      - name: "Build target: BuildAll"
+        run: dotnet run --project tools/builder --no-launch-profile -- BuildAll --timing
+
+      - name: "Upload artifact: test"
+        uses: actions/upload-artifact@v4
+        with:
+          name: test
+          path: artifacts/test
+          compression-level: 9
+        if: always()
+
+      - name: "Upload artifact: packages"
+        uses: actions/upload-artifact@v4
+        with:
+          name: packages
+          path: artifacts/packages
+          compression-level: 0
+        if: always()
+
+      - name: Publish Test Report
+        uses: ctrf-io/github-test-reporter@v1
+        with:
+          report-path: './artifacts/test/*.ctrf'
+          github-report: true
+        if: always()

.github/workflows/pull-request.yaml

@@ -59,7 +59,6 @@ jobs:
         uses: ctrf-io/github-test-reporter@v1
         with:
           report-path: './artifacts/test/*.ctrf'
-          summary-report: true
           github-report: true
           pull-request: true
           update-comment: true

src/Directory.Build.targets

@@ -32,15 +32,19 @@
 
   <Target Name="UpdateNuSpecProperties" BeforeTargets="GenerateNuspec" DependsOnTargets="GetBuildVersion">
     <PropertyGroup>
+      <SignedPath />
+      <SignedPath Condition=" '$(SIGN_APP_ID)' != '' ">signed\</SignedPath>
       <!-- Local builds should have a '-dev' suffix on the build number -->
       <PrereleaseSuffix Condition=" '$(GITHUB_ACTIONS)' != 'true' ">-dev</PrereleaseSuffix>
       <!-- Never put the Git hash in the package version -->
       <PackageVersion>$(BuildVersionSimple)$(PrereleaseVersion)$(PrereleaseSuffix)</PackageVersion>
+      <PackageReleaseNotes>https://xunit.net/releases/analyzers/$(PackageVersion)</PackageReleaseNotes>
       <!-- Pass through values we don't know ahead of time for any hand-crafted .nuspec files -->
       <NuspecProperties>
         Configuration=$(Configuration);
         GitCommitId=$(GitCommitId);
         PackageVersion=$(PackageVersion);
+        SignedPath=$(SignedPath);
       </NuspecProperties>
     </PropertyGroup>
   </Target>

src/xunit.analyzers/xunit.analyzers.nuspec

@@ -23,8 +23,8 @@ Installing this package provides code analyzers to help developers find and fix
 		<file target="_content\" src="..\..\README.md" />
 		<file target="_content\" src="..\..\tools\media\logo-128-transparent.png" />
 
-		<file target="analyzers\dotnet\cs\" src="..\xunit.analyzers.fixes\bin\$Configuration$\netstandard2.0\xunit.analyzers.dll" />
-		<file target="analyzers\dotnet\cs\" src="..\xunit.analyzers.fixes\bin\$Configuration$\netstandard2.0\xunit.analyzers.fixes.dll" />
+		<file target="analyzers\dotnet\cs\" src="..\xunit.analyzers\bin\$Configuration$\netstandard2.0\$SignedPath$xunit.analyzers.dll" />
+		<file target="analyzers\dotnet\cs\" src="..\xunit.analyzers.fixes\bin\$Configuration$\netstandard2.0\$SignedPath$xunit.analyzers.fixes.dll" />
 
 		<file target="tools\" src="..\xunit.analyzers.fixes\tools\*.ps1" />
 	</files>

tools/builder/common

@@ -0,0 +1,39 @@
+using System;
+using System.IO;
+using System.Linq;
+using System.Threading.Tasks;
+using Xunit.BuildTools.Models;
+
+namespace Xunit.BuildTools.Targets;
+
+public static partial class SignAssemblies
+{
+	public static Task OnExecute(BuildContext context)
+	{
+		// Check early because we don't need to make copies or show the banner for non-signed scenarios
+		if (!context.CanSign)
+			return Task.CompletedTask;
+
+		context.BuildStep("Signing binaries");
+
+		// Note that any changes to .nuspec files means this list needs to be updated, and nuspec files should
+		// always reference the original signed paths, and not dependency copies (i.e., xunit.v3.common.dll)
+		var binaries =
+			new[] {
+				Path.Combine(context.BaseFolder, "src", "xunit.analyzers",       "bin", context.ConfigurationText, "netstandard2.0", "xunit.analyzers.dll"),
+				Path.Combine(context.BaseFolder, "src", "xunit.analyzers.fixes", "bin", context.ConfigurationText, "netstandard2.0", "xunit.analyzers.fixes.dll"),
+			}.Select(unsignedPath =>
+			{
+				var unsignedFolder = Path.GetDirectoryName(unsignedPath) ?? throw new InvalidOperationException($"Path '{unsignedPath}' did not have a folder");
+				var signedFolder = Path.Combine(unsignedFolder, "signed");
+				Directory.CreateDirectory(signedFolder);
+
+				var signedPath = Path.Combine(signedFolder, Path.GetFileName(unsignedPath));
+				File.Copy(unsignedPath, signedPath, overwrite: true);
+
+				return signedPath;
+			}).ToArray();
+
+		return context.SignFiles(context.BaseFolder, binaries);
+	}
+}