feat(ci): 发布流程支持 NuGet 和 GitHub Release 双发布

- 合并发布工作流，支持同时推送到 NuGet 和创建 GitHub Release - 添加对多个 .nupkg 包的批量推送支持 - 自动从 .nuspec 提取版本号用于 Release 描述 - 使用 OIDC 身份验证增强安全性 - 安装 unzip 工具以支持解析 nupkg 内部结构 - 移除独立的 release.yml 文件，统一到 publish.yml 中管理
2026-03-22 10:34:30 +08:00 · 2025-12-10 09:13:58 +08:00 · 2025-12-10 09:13:58 +08:00 · 8058860a80
commit 8058860a80
parent e204f899ba
2 changed files with 81 additions and 113 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -1,21 +1,21 @@
-name: Publish to NuGet
+name: Publish (NuGet + GitHub Release)

-# 触发条件：当有标签被推送到仓库时触发该工作流（例如 v1.0.0 或 1.0.0）
+# 触发：推送 tag 时触发（例如 v1.0.0 或 1.0.0）
 on:
  push:
    tags:
      - '*'

-# 顶级权限：允许创建 Release（contents: write）和写 packages（如果需要）
+# 顶级权限：允许创建 release、写 packages，并允许 id-token（OIDC）
 permissions:
  contents: write
  packages: write
+  id-token: write

 jobs:
  build-and-publish:
    runs-on: ubuntu-latest

-    # 允许此 job 请求短时 OIDC token（NuGet/login 使用）
    permissions:
      id-token: write
      contents: write
@ -33,6 +33,9 @@ jobs:
        with:
          dotnet-version: 9.0.x

+      - name: Install unzip (for reading .nuspec from .nupkg)
+        run: sudo apt-get update && sudo apt-get install -y unzip
+
      - name: Restore dependencies
        run: dotnet restore

@ -46,10 +49,8 @@ jobs:
        id: tag_version
        run: |
          set -e
-          # GITHUB_REF example: refs/tags/v0.0.1 or refs/tags/0.0.1
          echo "GITHUB_REF = ${GITHUB_REF}"
          TAG=${GITHUB_REF#refs/tags/}
-          # remove leading 'v' or 'V' if present
          VERSION=${TAG#v}
          VERSION=${VERSION#V}
          echo "tag='$TAG' -> version='$VERSION'"
@ -64,26 +65,84 @@ jobs:
      - name: Show packages
        run: ls -la ./packages || true

-      - name: NuGet login (OIDC → temp API key)
-        id: login
+      - name: NuGet login (OIDC → temporary API key)
+        id: nuget_login
        uses: NuGet/login@v1
        with:
-          # 推荐把用户名放到仓库 Secret（不是邮箱），例如 ${{ secrets.NUGET_USER }}
-          # 也可以直接写用户名（不推荐），但通常使用 secret 更安全
-          user: ${{ secrets.NUGET_USER }}
+          user: ${{ secrets.NUGET_USER }} # 推荐将用户名放 secrets

-      - name: NuGet push (using short-lived API key)
+      - name: Push all packages to nuget.org
+        env:
+          NUGET_API_KEY: ${{ steps.nuget_login.outputs.NUGET_API_KEY }}
        run: |
          set -e
-          PKG=$(find ./packages -name "*.nupkg" | head -n1)
-          if [ -z "$PKG" ]; then
-            echo "No package found"
+          echo "Found API key: ${NUGET_API_KEY:+*** present ***}"
+          pushed_any=false
+          for PKG in ./packages/*.nupkg; do
+            [ -f "$PKG" ] || continue
+            pushed_any=true
+            echo "Pushing $PKG to nuget.org..."
+            dotnet nuget push "$PKG" \
+              --api-key "${NUGET_API_KEY}" \
+              --source https://api.nuget.org/v3/index.json \
+              --skip-duplicate
+          done
+          if [ "$pushed_any" = false ]; then
+            echo "No packages found to push."
+          fi
+
+      - name: Get Version and First Package Path
+        id: get_version
+        run: |
+          set -e
+          PACKAGE_FILE=$(find ./packages -name "*.nupkg" | head -n 1 || true)
+          if [ -z "$PACKAGE_FILE" ]; then
+            echo "No .nupkg file found in ./packages"
            exit 1
          fi
-          echo "Pushing $PKG to nuget.org..."
-          # 注意：不要使用 --verbosity（dotnet nuget push 不支持）
-          dotnet nuget push "$PKG" \
-            --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" \
-            --source https://api.nuget.org/v3/index.json \
-            --skip-duplicate
-      
+          # 从 .nupkg（zip）里读取 .nuspec 并提取 <version>
+          VERSION=$(unzip -p "$PACKAGE_FILE" '*.nuspec' 2>/dev/null | sed -n 's:.*<version>\(.*\)</version>.*:\1:p' | head -n1)
+          if [ -z "$VERSION" ]; then
+            echo "Failed to parse version from $PACKAGE_FILE"
+            exit 1
+          fi
+          BASENAME=$(basename "$PACKAGE_FILE")
+          echo "package_file=$PACKAGE_FILE" >> $GITHUB_OUTPUT
+          echo "package_basename=$BASENAME" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Create GitHub Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref_name }}
+          release_name: "Release ${{ github.ref_name }}"
+          body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})"
+          draft: false
+          prerelease: false
+
+      - name: Upload all .nupkg to Release (curl)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          UPLOAD_URL_TEMPLATE: ${{ steps.create_release.outputs.upload_url }}
+        run: |
+          set -e
+          # upload_url from create-release is like: https://uploads.github.com/repos/OWNER/REPO/releases/ID/assets{?name,label}
+          # strip template part "{?name,label}"
+          UPLOAD_URL="${UPLOAD_URL_TEMPLATE%\{*}"
+          echo "Upload base URL: $UPLOAD_URL"
+
+          for package_file in ./packages/*.nupkg; do
+            if [ -f "$package_file" ]; then
+              basename=$(basename "$package_file")
+              echo "Uploading $basename to release..."
+              curl --fail -sS -X POST \
+                -H "Authorization: Bearer $GITHUB_TOKEN" \
+                -H "Content-Type: application/octet-stream" \
+                --data-binary @"$package_file" \
+                "$UPLOAD_URL?name=$basename"
+              echo "Uploaded $basename"
+            fi
+          done
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,91 +0,0 @@
-name: Create Release (on tag)
-
-on:
-  push:
-    tags:
-      - '*'
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository (at tag)
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          persist-credentials: true
-
-      - name: Setup .NET
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: 9.0.x
-
-      - name: Restore dependencies
-        run: dotnet restore
-
-      - name: Build
-        run: dotnet build --no-restore -c Release
-
-      - name: Determine tag version
-        id: tag_version
-        run: |
-          set -e
-          # GITHUB_REF example: refs/tags/v0.0.1 or refs/tags/0.0.1
-          echo "GITHUB_REF = ${GITHUB_REF}"
-          TAG=${GITHUB_REF#refs/tags/}
-          # remove leading 'v' or 'V' if present
-          VERSION=${TAG#v}
-          VERSION=${VERSION#V}
-          echo "tag='$TAG' -> version='$VERSION'"
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-
-      - name: Pack (use tag version)
-        run: |
-          set -e
-          echo "Packing with version=${{ steps.tag_version.outputs.version }}"
-          dotnet pack --no-build -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }}
-      
-      - name: Get Version and Package Path
-        id: get_version
-        run: |
-          set -e
-          PACKAGE_FILE=$(find ./packages -name "*.nupkg" | head -n 1)
-          if [ -z "$PACKAGE_FILE" ]; then
-            echo "No .nupkg file found in ./packages"
-            exit 1
-          fi
-          # 从 .nupkg（zip）里读取 .nuspec 并提取 <version> 标签（稳妥）
-          VERSION=$(unzip -p "$PACKAGE_FILE" *.nuspec 2>/dev/null | sed -n 's:.*<version>\(.*\)</version>.*:\1:p' | head -n1)
-          if [ -z "$VERSION" ]; then
-            echo "Failed to parse version from $PACKAGE_FILE"
-            exit 1
-          fi
-          BASENAME=$(basename "$PACKAGE_FILE")
-          echo "package_file=$PACKAGE_FILE" >> $GITHUB_OUTPUT
-          echo "package_basename=$BASENAME" >> $GITHUB_OUTPUT
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-
-      - name: Create GitHub Release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref_name }}
-          release_name: "Release ${{ github.ref_name }}"
-          body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})"
-          draft: false
-          prerelease: false
-
-      - name: Upload .nupkg to Release
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ${{ steps.get_version.outputs.package_file }}
-          asset_name: ${{ steps.get_version.outputs.package_basename }}
-          asset_content_type: application/octet-stream