diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dc7c355c18f..7de8c755596 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -160,6 +160,7 @@ jobs:
   validate-packages:
     needs: build
     runs-on: ubuntu-latest
+
     steps:
       - name: Download packages
@@ -266,6 +267,11 @@ jobs:
     needs: [ build, sign ]
     runs-on: windows-latest
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     steps:
       - name: Download packages
@@ -273,6 +279,12 @@ jobs:
         with:
           name: signed-packages
+      - name: Download SBOM
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: polly.spdx.json
+          path: ./artifacts
+
       - name: Setup .NET SDK
         uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
@@ -353,6 +365,30 @@ jobs:
           Write-Output "All $($packages.Length) NuGet packages have valid signatures."
           }
+      - name: Extract NuGet package contents
+        shell: pwsh
+        run: |
+          $packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }
+          $artifactsPath = Join-Path ${env:GITHUB_WORKSPACE} "artifacts"
+
+          foreach ($package in $packages) {
+            $packageName = [System.IO.Path]::GetFileNameWithoutExtension($package)
+            $packagePath = Join-Path $artifactsPath $packageName
+
+            if (-Not (Test-Path -Path $packagePath)) {
+              New-Item -ItemType Directory -Path $packagePath | Out-Null
+            }
+
+            Expand-Archive -Path $package -DestinationPath $packagePath -Force | Out-Null
+          }
+
+      - name: Attest artifacts
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        with:
+          subject-path: |
+            ./artifacts/polly.spdx.json
+            ./artifacts/*/lib/**/*
+
   publish-nuget:
     needs: [ build, validate-signed-packages ]
     runs-on: ubuntu-latest
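Review bot: The `id-token: write` grant in the new permissions block is what lets this job mint an OIDC token, and nothing in the block says which step needs it; a reader who later drops the attestation step (added in the `@@ -353` hunk) would have no cue that this grant and `attestations: write` can go with it. A why-comment above the block would fix that, e.g. `# id-token/attestations are needed only by actions/attest-build-provenance; contents: read is the least the job needs`. The block is otherwise the minimal set for that action, which is good. The enclosing job definition starts before this hunk.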
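Review bot: The `Attest artifacts` step's subjects are the extracted `./artifacts/*/lib/**/*` files plus the SBOM, not the `.nupkg` files consumers actually download, so a `gh attestation verify` run against a downloaded package finds no matching subject unless the verifier extracts it first; if that is intended (presumably because the extracted binaries are what stays stable across packaging and signing), record it in a comment on the step, e.g. `# Attest the shipped binaries rather than the .nupkg so subject digests do not depend on packaging/signing`. Anything outside `lib/` in a package (analyzers, build props, content files) is likewise not attested, which is worth stating in the same comment. In the extraction step the `if (-Not (Test-Path ...))`/`New-Item` guard is redundant because `Expand-Archive` creates the destination directory itself, so the loop body can be reduced to `Expand-Archive -Path $package -DestinationPath $packagePath -Force`. Attesting `polly.spdx.json` as a provenance subject records that this workflow produced the SBOM but does not bind it to the packages; `actions/attest-sbom` with `sbom-path` is the mechanism for that if a linked SBOM is the goal.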