From 1f34928785cf8aa4b8c723e1fc0ba2ece9bbe756 Mon Sep 17 00:00:00 2001 From: GeWuYou <95328647+GeWuYou@users.noreply.github.com> Date: Sun, 5 Apr 2026 18:49:08 +0800 Subject: [PATCH 1/3] =?UTF-8?q?feat(ci):=20=E6=B7=BB=E5=8A=A0=E5=8F=91?= =?UTF-8?q?=E5=B8=83=E5=B7=A5=E4=BD=9C=E6=B5=81=E6=94=AF=E6=8C=81NuGet?= =?UTF-8?q?=E5=92=8CGitHub=20Packages?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 实现自动构建和打包功能,支持标签触发 - 集成NuGet.org和GitHub Packages双重发布机制 - 添加许可证合规性检查和SBOM文件生成 - 实现GitHub Release自动创建和资产上传 - 配置OIDC身份验证和临时API密钥管理 - 添加包重复上传检测和跳过功能 --- .github/workflows/publish.yml | 181 ++++++++++++++++++++++++---------- 1 file changed, 131 insertions(+), 50 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 074a5328..ada3af93 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,30 +1,33 @@ -# 发布工作流(NuGet + GitHub Release) -# -# 功能:当推送标签时自动构建、打包并发布到 NuGet.org 和 GitHub Release +# 发布工作流(NuGet + GitHub Packages + GitHub Release) +# +# 功能:当推送标签时自动构建、打包,并将相同产物并发发布到 NuGet.org 与 GitHub Packages, +# 最后创建 GitHub Release。 # 触发条件:推送任何标签(如 v1.0.0 或 1.0.0) # 权限:允许写入内容、包和使用 OIDC 身份验证 -name: Publish (NuGet + GitHub Release) +name: Publish (NuGet + GitHub Packages + GitHub Release) -# 触发:推送 tag 时触发(例如 v1.0.0 或 1.0.0) on: push: tags: - '*' -# 顶级权限:允许创建 release、写 packages,并允许 id-token(OIDC) permissions: contents: write packages: write id-token: write jobs: - build-and-publish: + build-pack: + name: Build And Pack runs-on: ubuntu-latest permissions: + contents: read + packages: read id-token: write - contents: write - packages: write + + outputs: + package_version: ${{ steps.tag_version.outputs.version }} steps: - name: Checkout repository (at tag) 
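Review bot: `build-pack` still requests `id-token: write` although, as far as the hunks show, the OIDC exchange (the NuGet login step) now lives in `publish-nuget`, and the workflow-level `permissions` block still hands `contents: write`, `packages: write` and `id-token: write` to any job that does not override them. Trim both so a job added later without its own `permissions` cannot inherit publish rights: top-level `permissions: { contents: read }`, and for `build-pack` only `contents: read`. The `tags: - '*'` trigger also means any tag name, not just release versions, starts a publish; a pattern such as `'v[0-9]+.[0-9]+.[0-9]+*'` combined with a tag protection rule narrows who can trigger it.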
@@ -38,19 +41,17 @@ jobs: with: dotnet-version: 10.0.x - - name: Install unzip (for reading .nuspec from .nupkg) - run: sudo apt-get update && sudo apt-get install -y unzip - name: Cache NuGet packages uses: actions/cache@v5 with: path: ~/.nuget/packages key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }} + - name: Restore dependencies run: dotnet restore - - # 从 GitHub 引用中提取标签版本 - # 提取逻辑:去除 refs/tags/ 前缀,然后去除 v/V 前缀 - # 输出:version - 处理后的版本号 + + # 从 GitHub 引用中提取标签版本。 + # 提取逻辑:去除 refs/tags/ 前缀,然后去除 v/V 前缀。 - name: Determine tag version id: tag_version run: | @@ -60,14 +61,25 @@ jobs: VERSION=${TAG#v} VERSION=${VERSION#V} echo "tag='$TAG' -> version='$VERSION'" - echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Pack (use tag version) run: | set -e echo "Packing with version=${{ steps.tag_version.outputs.version }}" dotnet pack -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} -p:IncludeSymbols=false - # 上传许可证合规相关的工件文件,包括通知文件、第三方许可证、SBOM文件及验证结果 + + - name: Show packages + run: ls -la ./packages || true + + # 上传 nupkg 工件,供多个发布 job 复用,避免重复打包。 + - name: Upload package artifacts + uses: actions/upload-artifact@v7 + with: + name: packages + path: ./packages/*.nupkg + + # 上传许可证合规相关的工件文件,包括通知文件、第三方许可证、SBOM 文件及验证结果。 - name: Upload compliance artifacts uses: actions/upload-artifact@v7 with: @@ -79,7 +91,25 @@ jobs: sbom.cyclonedx.json sbom-spdx-validation.txt sbom-cyclonedx-validation.txt - - name: Show packages + + publish-nuget: + name: Publish To NuGet.org + runs-on: ubuntu-latest + needs: build-pack + + permissions: + contents: read + packages: read + id-token: write + + steps: + - name: Download package artifacts + uses: actions/download-artifact@v5 + with: + name: packages + path: ./packages + + - name: Show downloaded packages run: ls -la ./packages || true - name: NuGet login (OIDC → temporary API key) 
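Review bot: The actions this workflow pulls in — `actions/cache@v5` and `actions/setup-dotnet@v5` in this hunk, plus the checkout, artifact and `softprops/action-gh-release` actions elsewhere in the patch — are referenced by mutable major-version tags, yet the workflow runs with `id-token: write` and `packages: write` and publishes artifacts under this repository's name. For a release pipeline, pin each `uses:` to a full commit SHA with the version in a trailing comment (e.g. `uses: actions/cache@<sha>  # v5`) and let Dependabot move the pins, so a retagged or compromised action cannot mint packages. The `Determine tag version` step's `run:` body begins at the end of this hunk and continues in the next one.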
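Review bot: The `Pack (use tag version)` step interpolates `${{ steps.tag_version.outputs.version }}` straight into the script twice, and that value is the pushed tag name with only a `v`/`V` prefix stripped; because `${{ }}` is substituted before bash runs, a tag containing shell metacharacters (`;`, `$(`, quotes are all legal in a git ref name) executes on the runner under a job that later reaches `packages: write`. Validate the version against a strict pattern in the `tag_version` step (its `run:` body starts in the previous hunk) and hand it to `dotnet pack` through `env:` so the shell sees only a variable. The rewrite below keeps the outputs and package naming unchanged.
```yaml
      - name: Determine tag version
        run: |
          # … unchanged: strip refs/tags/ and the v/V prefix into $VERSION …
          # The tag name is chosen by whoever pushed it; refuse anything that is
          # not a plain version string before it reaches dotnet pack.
          if ! [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+){1,3}([-+][0-9A-Za-z.-]+)?$ ]]; then
            echo "Refusing to pack: tag '$TAG' is not a version string" >&2
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Pack (use tag version)
        env:
          PACKAGE_VERSION: ${{ steps.tag_version.outputs.version }}
        run: |
          set -e
          echo "Packing with version=$PACKAGE_VERSION"
          dotnet pack -c Release -o ./packages -p:PackageVersion="$PACKAGE_VERSION" -p:IncludeSymbols=false
```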
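Review bot: `publish-nuget` has no `environment:` binding, so the OIDC token it mints for nuget.org carries no environment claim for the trust policy to require (if nuget.org's trusted-publishing setup for this package is configured with one), and nothing gates the push beyond the ability to push a tag. Adding `environment: nuget` to the job — with required reviewers or a deployment tag rule configured on that environment — turns the publish into an auditable deployment; the same applies to `publish-github-packages`. Separately, the new `Upload package artifacts` step should set `if-no-files-found: error`, since by default an empty `./packages/*.nupkg` match only warns and the failure then surfaces as a missing artifact in the three downstream jobs.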
@@ -88,9 +118,8 @@ jobs: with: user: ${{ secrets.NUGET_USER }} - # 将所有生成的包推送到 nuget.org - # 使用临时 API 密钥进行身份验证 - # 跳过重复包的上传 + # 将所有生成的包推送到 nuget.org。 + # 使用临时 API 密钥进行身份验证,并跳过重复包上传。 - name: Push all packages to nuget.org env: NUGET_API_KEY: ${{ steps.nuget_login.outputs.NUGET_API_KEY }} 
@@ -110,36 +139,84 @@ jobs: if [ "$pushed_any" = false ]; then echo "No packages found to push." fi - - # 从 .nupkg 文件中提取版本信息 - # 通过解压 .nupkg(zip 格式)并读取 .nuspec 文件来获取版本 - # 输出: - # package_file - 第一个找到的包文件路径 - # package_basename - 包文件的基本名称 - # version - 从 nuspec 中解析出的版本号 - - name: Get Version and First Package Path - id: get_version + + publish-github-packages: + name: Publish To GitHub Packages + runs-on: ubuntu-latest + needs: build-pack + + permissions: + contents: read + packages: write + + steps: + - name: Setup .NET + uses: actions/setup-dotnet@v5 + with: + dotnet-version: 10.0.x + + - name: Download package artifacts + uses: actions/download-artifact@v5 + with: + name: packages + path: ./packages + + - name: Show downloaded packages + run: ls -la ./packages || true + + # 使用仓库内建的 GITHUB_TOKEN 配置 GitHub Packages NuGet 源。 + - name: Configure GitHub Packages source run: | set -e - PACKAGE_FILE=$(find ./packages -name "*.nupkg" | head -n 1 || true) - if [ -z "$PACKAGE_FILE" ]; then - echo "No .nupkg file found in ./packages" - exit 1 - fi - # 从 .nupkg(zip)里读取 .nuspec 并提取 - VERSION=$(unzip -p "$PACKAGE_FILE" '*.nuspec' 2>/dev/null | sed -n 's:.*\(.*\).*:\1:p' | head -n1) - if [ -z "$VERSION" ]; then - echo "Failed to parse version from $PACKAGE_FILE" - exit 1 - fi - BASENAME=$(basename "$PACKAGE_FILE") - echo "package_file=$PACKAGE_FILE" >> $GITHUB_OUTPUT - echo "package_basename=$BASENAME" >> $GITHUB_OUTPUT - echo "version=$VERSION" >> $GITHUB_OUTPUT + dotnet nuget add source "https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json" \ + --name github \ + --username "${{ github.repository_owner }}" \ + --password "${{ secrets.GITHUB_TOKEN }}" \ + --store-password-in-clear-text - # 创建 GitHub Release - # 使用从包中提取的版本信息和当前标签创建发布 - # 发布包含描述信息和版本详情 + - name: Push all packages to GitHub Packages + run: | + set -e + pushed_any=false + for PKG in ./packages/*.nupkg; do + [ -f "$PKG" ] || continue + pushed_any=true + echo "Pushing $PKG to GitHub Packages..." 
+ dotnet nuget push "$PKG" \ + --source github \ + --skip-duplicate + done + if [ "$pushed_any" = false ]; then + echo "No packages found to push." + fi + + create-release: + name: Create GitHub Release + runs-on: ubuntu-latest + needs: + - build-pack + - publish-nuget + - publish-github-packages + if: ${{ always() && needs.build-pack.result == 'success' }} + + permissions: + contents: write + packages: read + + steps: + - name: Download package artifacts + uses: actions/download-artifact@v5 + with: + name: packages + path: ./packages + + - name: Download compliance artifacts + uses: actions/download-artifact@v5 + with: + name: license-compliance + path: . + + # 无论某一侧包源发布是否失败,都继续创建 Release,并在正文中标注结果。 - name: Create GitHub Release and Upload Assets uses: softprops/action-gh-release@v2 with: @@ -147,7 +224,11 @@ jobs: name: "Release ${{ github.ref_name }}" body: | Release created by CI for tag ${{ github.ref_name }} - Package version: ${{ steps.get_version.outputs.version }} + Package version: ${{ needs.build-pack.outputs.package_version }} + + ## Publish Status + - NuGet.org publish: ${{ needs.publish-nuget.result }} + - GitHub Packages publish: ${{ needs.publish-github-packages.result }} ## Compliance - NOTICE @@ -164,4 +245,4 @@ jobs: sbom-spdx-validation.txt sbom-cyclonedx-validation.txt env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 46d8a7d4e21e6ebcdc3edcefd380f59bbbfd7cc4 Mon Sep 17 00:00:00 2001 From: GeWuYou <95328647+GeWuYou@users.noreply.github.com> Date: Sun, 5 Apr 2026 18:51:47 +0800 Subject: [PATCH 2/3] =?UTF-8?q?chore(workflow):=20=E7=A7=BB=E9=99=A4?= =?UTF-8?q?=E5=8F=91=E5=B8=83=E7=8A=B6=E6=80=81=E6=A3=80=E6=9F=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 移除了 NuGet.org 和 GitHub Packages 发布状态检查 - 简化了发布工作流的输出信息 - 更新了合规性检查部分的格式 --- .github/workflows/publish.yml | 4 ---- 1 file changed, 4 deletions(-) 
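Review bot: The `Configure GitHub Packages source` step expands the job token into a command-line argument via `--password "${{ secrets.GITHUB_TOKEN }}"` and, with `--store-password-in-clear-text`, writes it into the runner's NuGet.Config; exposure is bounded by the runner's lifetime, but the token is visible in the process argument list for the duration of the call and to anything else that runs in the job. GitHub's NuGet endpoint accepts the token as an API key on push, so the source-configuration step can be deleted and the credential passed from `env:` in the push loop, which is the only place it is needed.
```yaml
      # Drop the "Configure GitHub Packages source" step; the token is then
      # never written to NuGet.Config or placed on a command line.
      - name: Push all packages to GitHub Packages
        env:
          GH_PACKAGES_SOURCE: https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json
          GH_PACKAGES_TOKEN: ${{ github.token }}
        run: |
          set -e
          # … unchanged: pushed_any loop over ./packages/*.nupkg …
          dotnet nuget push "$PKG" \
            --source "$GH_PACKAGES_SOURCE" \
            --api-key "$GH_PACKAGES_TOKEN" \
            --skip-duplicate
```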
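Review bot: Because `create-release` runs under `if: always() && needs.build-pack.result == 'success'` (defined just above this hunk), a tag whose push to nuget.org or GitHub Packages failed still gets a public, non-draft GitHub Release, and the only trace of the failure is the `Publish Status` lines added here in the body, which consumers following the release feed will not read. Either require both publish jobs in the `if:`, or keep the current behaviour but mark the release as not final, e.g. `draft: ${{ needs.publish-nuget.result != 'success' || needs.publish-github-packages.result != 'success' }}` next to `name:`, so a half-published version is never announced as released.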
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index ada3af93..b2610615 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -226,10 +226,6 @@ jobs: Release created by CI for tag ${{ github.ref_name }} Package version: ${{ needs.build-pack.outputs.package_version }} - ## Publish Status - - NuGet.org publish: ${{ needs.publish-nuget.result }} - - GitHub Packages publish: ${{ needs.publish-github-packages.result }} - ## Compliance - NOTICE - THIRD_PARTY_LICENSES From 1e092c07d3135be79b35d256a2c2bec33f50997a Mon Sep 17 00:00:00 2001 From: GeWuYou <95328647+GeWuYou@users.noreply.github.com> Date: Sun, 5 Apr 2026 20:23:16 +0800 Subject: [PATCH 3/3] =?UTF-8?q?chore(ci):=20=E6=9B=B4=E6=96=B0=E5=8F=91?= =?UTF-8?q?=E5=B8=83=E5=B7=A5=E4=BD=9C=E6=B5=81=E9=85=8D=E7=BD=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加 .NET 10.0 环境设置步骤 - 将密码参数从 secrets.GITHUB_TOKEN 替换为 github.token - 将环境变量中的 secrets.GITHUB_TOKEN 替换为 github.token --- .github/workflows/publish.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b2610615..a92a62c1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -103,6 +103,11 @@ jobs: id-token: write steps: + - name: Setup .NET + uses: actions/setup-dotnet@v5 + with: + dotnet-version: 10.0.x + - name: Download package artifacts uses: actions/download-artifact@v5 with: @@ -171,7 +176,7 @@ jobs: dotnet nuget add source "https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json" \ --name github \ --username "${{ github.repository_owner }}" \ - --password "${{ secrets.GITHUB_TOKEN }}" \ + --password "${{ github.token }}" \ --store-password-in-clear-text - name: Push all packages to GitHub Packages 
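Review bot: Replacing `secrets.GITHUB_TOKEN` with `github.token` in `--password` changes nothing security-wise — both expressions resolve to the same job-scoped installation token — so the token is still expanded onto the shell command line and persisted in cleartext by `--store-password-in-clear-text`. If the intent of this change was to reduce exposure, the effective fix is to stop storing it: remove this source-configuration step and pass the token to `dotnet nuget push` as `--api-key "$GH_PACKAGES_TOKEN"` from an `env:` entry, giving `--source` the full `https://nuget.pkg.github.com/<owner>/index.json` URL. The `run:` block this hunk edits starts above the hunk.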
@@ -241,4 +246,4 @@ jobs: sbom-spdx-validation.txt sbom-cyclonedx-validation.txt env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }}