-
Notifications
You must be signed in to change notification settings - Fork 7
257 lines (228 loc) · 11.4 KB
/
Copy pathrelease.yml
File metadata and controls
257 lines (228 loc) · 11.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
name: Release
on:
push:
tags:
- 'v*.*.*'
jobs:
release:
runs-on: windows-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: |
8.0.x
9.0.x
- name: Derive version from tag
id: ver
shell: pwsh
run: |
$tag = "${env:GITHUB_REF_NAME}"
$v = $tag.TrimStart('v')
"version=$v" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"tag=$tag" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Verify version consistency across psd1 and csproj
shell: pwsh
run: |
$expected = '${{ steps.ver.outputs.version }}'
$expectedCsproj = "$expected.0" # csproj carries 4-part assembly version, psd1 carries 3-part
# psd1
$data = Import-PowerShellDataFile Staging/PowerShell.MCP.psd1
if ($data.ModuleVersion -ne $expected) {
throw "Staging/PowerShell.MCP.psd1 ModuleVersion $($data.ModuleVersion) != tag v$expected"
}
# PowerShell.MCP.csproj
[xml]$mainProj = Get-Content 'PowerShell.MCP/PowerShell.MCP.csproj'
$mainVer = $mainProj.Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
if ($mainVer -ne $expectedCsproj) {
throw "PowerShell.MCP.csproj Version $mainVer != $expectedCsproj"
}
# PowerShell.MCP.Proxy.csproj
[xml]$proxyProj = Get-Content 'PowerShell.MCP.Proxy/PowerShell.MCP.Proxy.csproj'
$proxyVer = $proxyProj.Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
if ($proxyVer -ne $expectedCsproj) {
throw "PowerShell.MCP.Proxy.csproj Version $proxyVer != $expectedCsproj"
}
Write-Host "All three version sources match: psd1=$expected, csproj=$expectedCsproj"
- name: Restore
shell: pwsh
run: |
dotnet restore PowerShell.MCP/PowerShell.MCP.csproj --source https://api.nuget.org/v3/index.json --ignore-failed-sources
dotnet restore PowerShell.MCP.Proxy/PowerShell.MCP.Proxy.csproj --source https://api.nuget.org/v3/index.json --ignore-failed-sources
- name: Build PowerShell.MCP.dll (net8.0)
shell: pwsh
run: |
dotnet build PowerShell.MCP/PowerShell.MCP.csproj -c Release -f net8.0 --no-restore
- name: Publish PowerShell.MCP.Proxy for all RIDs
shell: pwsh
run: |
# Each `dotnet publish -r <rid>` does its OWN RID-specific
# restore (the project.assets.json from the upstream Restore
# step has no per-RID targets, so passing --no-restore here
# would fail with "Assets file ... doesn't have a target for
# 'net9.0/<rid>'"). Letting publish restore is the simplest
# path to a self-contained per-RID build; the time cost
# (4 restores instead of 1) is small relative to the publish
# itself.
foreach ($rid in 'win-x64','linux-x64','osx-x64','osx-arm64') {
$outDir = "PowerShell.MCP.Proxy/bin/Release/net9.0/$rid/publish"
Write-Host "=== Publishing Proxy for $rid ==="
dotnet publish PowerShell.MCP.Proxy/PowerShell.MCP.Proxy.csproj `
-c Release -r $rid -o $outDir `
--self-contained
if ($LASTEXITCODE -ne 0) { throw "Proxy publish failed for $rid" }
}
- name: Build help XML (PlatyPS v2)
shell: pwsh
run: |
Install-Module Microsoft.PowerShell.PlatyPS -Scope CurrentUser -Force -AllowClobber
Import-Module Microsoft.PowerShell.PlatyPS
$mdFiles = Get-ChildItem 'PowerShell.MCP/PlatyPS/en-US/*.md' -Exclude 'PowerShell.MCP.md','*.md.bak'
if ($mdFiles.Count -eq 0) { throw 'No PlatyPS markdown files found' }
$helpObjects = $mdFiles | ForEach-Object { Import-MarkdownCommandHelp -Path $_.FullName }
$helpOut = Join-Path $env:RUNNER_TEMP 'help-out'
$null = Export-MamlCommandHelp -CommandHelp $helpObjects -OutputFolder $helpOut -Force
$xml = Get-ChildItem $helpOut -Filter '*.xml' -Recurse
if (-not $xml) { throw 'PlatyPS produced no XML output' }
"helpOut=$helpOut" | Out-File -FilePath $env:GITHUB_ENV -Append
Write-Host "Built $($xml.Count) help XML file(s)"
- name: Assemble module directory
id: stage
shell: pwsh
run: |
$stage = Join-Path $env:RUNNER_TEMP 'PowerShell.MCP'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $stage 'en-US') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $stage 'licenses') -Force | Out-Null
# DLL + Ude.NetStandard.dll (net8.0). The csproj's CopyUdeNetStandard target
# places Ude.NetStandard.dll into the build output.
$dllOut = 'PowerShell.MCP/bin/Release/net8.0'
Copy-Item (Join-Path $dllOut 'PowerShell.MCP.dll') $stage
Copy-Item (Join-Path $dllOut 'Ude.NetStandard.dll') $stage
# Manifest + psm1
Copy-Item 'Staging/PowerShell.MCP.psd1' $stage
Copy-Item 'Staging/PowerShell.MCP.psm1' $stage
# Licenses / notices
Copy-Item 'THIRD_PARTY_NOTICES.md' $stage
Copy-Item 'licenses/*' (Join-Path $stage 'licenses') -Recurse
# Proxy binaries (multi-RID)
foreach ($rid in 'win-x64','linux-x64','osx-x64','osx-arm64') {
$ridDir = Join-Path $stage "bin/$rid"
New-Item -ItemType Directory -Path $ridDir -Force | Out-Null
$exeName = if ($rid -like 'win-*') { 'PowerShell.MCP.Proxy.exe' } else { 'PowerShell.MCP.Proxy' }
Copy-Item "PowerShell.MCP.Proxy/bin/Release/net9.0/$rid/publish/$exeName" $ridDir
}
# Help XML
Get-ChildItem $env:helpOut -Filter '*.xml' -Recurse | Copy-Item -Destination (Join-Path $stage 'en-US')
"stage=$stage" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Write-Host "=== Staged module contents ==="
Get-ChildItem $stage -Recurse | Select-Object FullName
- name: Probe signing secret
id: sign_probe
shell: pwsh
env:
PFX_B64: ${{ secrets.CODE_SIGNING_PFX_BASE64 }}
run: |
$present = -not [string]::IsNullOrEmpty($env:PFX_B64)
"present=$($present.ToString().ToLower())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Sign Windows binaries (DLL + Proxy.exe only)
if: steps.sign_probe.outputs.present == 'true'
shell: pwsh
env:
PFX_B64: ${{ secrets.CODE_SIGNING_PFX_BASE64 }}
PFX_PW: ${{ secrets.CODE_SIGNING_PFX_PASSWORD }}
run: |
$pfx = Join-Path $env:RUNNER_TEMP 'codesign.pfx'
[IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:PFX_B64))
$pw = ConvertTo-SecureString $env:PFX_PW -AsPlainText -Force
$cert = Get-PfxCertificate -FilePath $pfx -Password $pw
$stage = '${{ steps.stage.outputs.stage }}'
# Sign ONLY the native Windows binaries. Script files (psd1 / psm1) are
# left unsigned: Install-Module verifies Authenticode on script files and
# would reject a self-signed signature on any machine where the cert is
# not pre-trusted. Ude.NetStandard.dll is a third-party binary we do not
# re-sign. Non-Windows Proxy binaries cannot carry Authenticode signatures.
$files = @(
"$stage/PowerShell.MCP.dll",
"$stage/bin/win-x64/PowerShell.MCP.Proxy.exe"
)
Set-AuthenticodeSignature -FilePath $files -Certificate $cert `
-HashAlgorithm SHA256 `
-TimestampServer http://timestamp.digicert.com `
-IncludeChain NotRoot
# Self-signed certs yield Status=UnknownError on machines where the cert
# is not in the trust store (GitHub runners don't trust it). That's
# expected — the signature itself is correct, only chain validation needs
# the cert installed on the end-user machine. Verify thumbprint matches +
# reject tamper / missing.
$expected = $cert.Thumbprint
$bad = Get-AuthenticodeSignature $files | Where-Object {
$_.SignerCertificate.Thumbprint -ne $expected -or
$_.Status -notin @('Valid','UnknownError')
}
if ($bad) {
$bad | Format-Table Status, StatusMessage, Path
throw 'One or more Windows binary signatures are missing, tampered, or signed by the wrong cert.'
}
- name: Guard — Windows binaries must be signed for a tagged release
if: steps.sign_probe.outputs.present != 'true'
shell: pwsh
run: |
throw 'CODE_SIGNING_PFX_BASE64 is not configured. Tagged releases must be signed. Add the secret and re-run, or delete the tag.'
- name: Assert signing distribution (only DLL + win-x64 Proxy.exe)
shell: pwsh
run: |
$stage = '${{ steps.stage.outputs.stage }}'
$shouldBeSigned = @(
"$stage/PowerShell.MCP.dll",
"$stage/bin/win-x64/PowerShell.MCP.Proxy.exe"
)
$shouldBeUnsigned = @(
"$stage/PowerShell.MCP.psd1",
"$stage/PowerShell.MCP.psm1",
"$stage/Ude.NetStandard.dll"
)
foreach ($f in $shouldBeSigned) {
$s = Get-AuthenticodeSignature $f
if ($s.Status -eq 'NotSigned') { throw "Expected signed but NotSigned: $f" }
}
foreach ($f in $shouldBeUnsigned) {
$s = Get-AuthenticodeSignature $f
if ($s.Status -ne 'NotSigned') { throw "Expected unsigned but $($s.Status): $f" }
}
Write-Host 'Signing distribution OK: DLL + win-x64 Proxy.exe signed; script files + Ude unsigned.'
- name: Publish to PSGallery
shell: pwsh
env:
PSGALLERY_API_KEY: ${{ secrets.PSGALLERY_API_KEY }}
run: |
Publish-Module -Path '${{ steps.stage.outputs.stage }}' -NuGetApiKey $env:PSGALLERY_API_KEY -Verbose
- name: Extract release notes for this version
id: notes
shell: pwsh
run: |
$version = '${{ steps.ver.outputs.version }}'
$lines = Get-Content CHANGELOG.md
$inSection = $false
$section = New-Object System.Collections.Generic.List[string]
foreach ($line in $lines) {
if ($line -match '^# Version:\s*(\S+)') {
if ($matches[1] -eq $version) { $inSection = $true; continue }
elseif ($inSection) { break }
}
if ($inSection) { $section.Add($line) }
}
$body = ($section -join "`n").Trim()
if ([string]::IsNullOrWhiteSpace($body)) {
throw "No release notes section found for version $version in CHANGELOG.md"
}
$notesPath = Join-Path $env:RUNNER_TEMP 'release-notes.md'
Set-Content -Path $notesPath -Value $body -Encoding UTF8
"notes_path=$notesPath" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Create GitHub Release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release create "${{ steps.ver.outputs.tag }}" --title "${{ steps.ver.outputs.tag }}" --notes-file "${{ steps.notes.outputs.notes_path }}"