- Use GPG encryption rather than base64 decoding for storing certs in…

… GitHub Actions

- New GitHub Action config to automate release process on pushing to a tag

.github/workflows/release.yml

@@ -0,0 +1,80 @@
+name: Release
+
+on:
+  push:
+    tags:
+      # ex. "v1.2.3", "v1.2.3-rc1"
+      - "v[0-9]+.[0-9]+.*"
+
+jobs:
+  publish:
+    name: Publish to NuGet
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # todo: unneeded?
+      - name: Establish variables
+        id: vars
+        run: |
+          VERSION=${{ github.event.inputs.version || github.ref_name }}
+          echo ::set-output name=version::${VERSION}
+
+      - name: Install .NET SDK
+        uses: actions/setup-dotnet@v3
+        with:
+          # .NET 3.1 and 5 are deprecated and removed from GitHub Actions, we need to manually install them
+          dotnet-version: |
+            3.1.x
+            5.x.x
+            7.x.x
+
+      - name: Setup Nuget
+        uses: NuGet/[email protected]
+
+      - name: Load NuGet package cache
+        uses: actions/cache@v3
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ matrix.framework }}-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Restore NuGet Packages
+        run: make restore
+
+      - name: Set up dotnet tools and dependencies
+        run: make install
+
+      - name: Prep certificate imports
+        run: mkdir -p certs
+
+      - name: Import authenticity certificate
+        run: echo "${{ secrets.AUTHENTICITY_CERT_ENC }}" > certs/authenticity_cert.pfx.enc
+
+      - name: Import signing certificate
+        run: echo "${{ secrets.SIGNING_CERT_ENC }}" > cert/signing_cert.snk.enc
+
+      - name: Decrypt certificates
+        run: make github-actions-certs-decrypt pass=${{ secrets.ENCRYPTION_KEY }}
+
+      - name: Delete straggling .nupkg files
+        run: rm -f *.nupkg || true
+
+      - name: Build NuGet package
+        run: make prep-release cert=certs/authenticity_cert.pfx sncert=certs/signing_cert.snk pass=${{ secrets.CERT_PASSWORD }}
+
+      - name: Delete certificates
+        run: rm -rf certs
+
+      - name: Publish to NuGet
+        run: make publish key=${{ secrets.NUGET_API_KEY }}
+
+      - name: Create a GitHub release
+        uses: softprops/action-gh-release@v1
+        # ref: https://github.com/softprops/action-gh-release#-customizing
+        with:
+          body_path: RELEASE_NOTES.md
+          files: |
+            "*.nupkg"

Makefile

@@ -37,6 +37,18 @@ coverage-check:
 docs:
 	dotnet tool run docfx docs/docfx.json
 
+## github-actions-certs-decrypt - Decrypt the certificates for GitHub Actions
+# @parameters:
+# pass= - The password used for decrypting the certificates.
+github-actions-certs-decrypt:
+	bash scripts/unix/gpg_decrypt_dir.sh certs ${pass} "gpg"
+
+## github-actions-certs-encrypt - Encrypt the certificates for GitHub Actions
+# @parameters:
+# pass= - The password used for encrypting the certificates.
+github-actions-certs-encrypt:
+	bash scripts/unix/gpg_encrypt_dir.sh certs ${pass} "gpg"
+
 ## install-tools - Install required dotnet tools
 install-tools:
 	dotnet new tool-manifest || exit 0

RELEASE_NOTES.md

@@ -0,0 +1 @@
+- Notes copied from the CHANGELOG that will be included on the Release page of GitHub

scripts/unix/gpg_decrypt.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This script will decrypt a GPG encrypted file.
+
+# Usage: gpg_decrypt.sh <input_file> <password> <output_file>
+
+INPUT_FILE=$1
+PASSWORD=$2
+OUTPUT_FILE=$3
+
+gpg --decrypt --passphrase "$PASSWORD" --batch --output "$OUTPUT_FILE" "$INPUT_FILE"
+
+# Exit with success
+exit 0

scripts/unix/gpg_decrypt_dir.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This script will encrypt all the files in a directory using GPG.
+
+# Usage: gpg_encrypt_dir.sh <input_dir> <password> <suffix>
+
+INPUT_DIR=$1
+PASSWORD=$2
+ENCRYPTED_SUFFIX=$3
+
+# Loop through all the files in the input directory
+for file in "$INPUT_DIR"/*
+do
+    # Output is file name minus the ENCRYPTED_SUFFIX
+    output_file=${file%.$ENCRYPTED_SUFFIX}
+    # Decrypt the file
+    gpg --decrypt --passphrase "$PASSWORD" --batch --output "$output_file" "$file" 2>/dev/null # Ignore stderr
+done

scripts/unix/gpg_encrypt.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This script will encrypt a file using GPG.
+
+# Usage: gpg_encrypt.sh <input_file> <password> <output_file>
+
+INPUT_FILE=$1
+PASSWORD=$2
+OUTPUT_FILE=$3
+
+gpg --symmetric --cipher-algo AES256 --passphrase "$PASSWORD" --batch --armor --yes --output "$OUTPUT_FILE" "$INPUT_FILE"
+
+# Exit with success
+exit 0

scripts/unix/gpg_encrypt_dir.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This script will encrypt all the files in a directory using GPG.
+
+# Usage: gpg_encrypt_dir.sh <input_dir> <password> <suffix>
+
+INPUT_DIR=$1
+PASSWORD=$2
+OUTPUT_SUFFIX=$3
+
+# Loop through all the files in the input directory
+for file in "$INPUT_DIR"/*
+do
+    # Encrypt the file
+    gpg --symmetric --passphrase "$PASSWORD" --batch --output "$file.$OUTPUT_SUFFIX" "$file"
+done