From 8058860a802679b76f46f77541cd76816170c85c Mon Sep 17 00:00:00 2001 From: GwWuYou <95328647+GeWuYou@users.noreply.github.com> Date: Wed, 10 Dec 2025 09:13:58 +0800 Subject: [PATCH] =?UTF-8?q?feat(ci):=20=E5=8F=91=E5=B8=83=E6=B5=81?= =?UTF-8?q?=E7=A8=8B=E6=94=AF=E6=8C=81=20NuGet=20=E5=92=8C=20GitHub=20Rele?= =?UTF-8?q?ase=20=E5=8F=8C=E5=8F=91=E5=B8=83?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 合并发布工作流,支持同时推送到 NuGet 和创建 GitHub Release - 添加对多个 .nupkg 包的批量推送支持 - 自动从 .nuspec 提取版本号用于 Release 描述 - 使用 OIDC 身份验证增强安全性 - 安装 unzip 工具以支持解析 nupkg 内部结构 - 移除独立的 release.yml 文件,统一到 publish.yml 中管理 --- .github/workflows/publish.yml | 103 ++++++++++++++++++++++++++-------- .github/workflows/release.yml | 91 ------------------------------ 2 files changed, 81 insertions(+), 113 deletions(-) delete mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 501f83e..13a4703 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,21 +1,21 @@ -name: Publish to NuGet +name: Publish (NuGet + GitHub Release) -# 触发条件:当有标签被推送到仓库时触发该工作流(例如 v1.0.0 或 1.0.0) +# 触发:推送 tag 时触发(例如 v1.0.0 或 1.0.0) on: push: tags: - '*' -# 顶级权限:允许创建 Release(contents: write)和写 packages(如果需要) +# 顶级权限:允许创建 release、写 packages,并允许 id-token(OIDC) permissions: contents: write packages: write + id-token: write jobs: build-and-publish: runs-on: ubuntu-latest - # 允许此 job 请求短时 OIDC token(NuGet/login 使用) permissions: id-token: write contents: write @@ -33,6 +33,9 @@ jobs: with: dotnet-version: 9.0.x + - name: Install unzip (for reading .nuspec from .nupkg) + run: sudo apt-get update && sudo apt-get install -y unzip + - name: Restore dependencies run: dotnet restore @@ -46,10 +49,8 @@ jobs: id: tag_version run: | set -e - # GITHUB_REF example: refs/tags/v0.0.1 or refs/tags/0.0.1 echo "GITHUB_REF = ${GITHUB_REF}" TAG=${GITHUB_REF#refs/tags/} - # remove leading 'v' or 'V' if present VERSION=${TAG#v} VERSION=${VERSION#V} echo "tag='$TAG' -> version='$VERSION'" @@ -64,26 +65,84 @@ jobs: - name: Show packages run: ls -la ./packages || true - - name: NuGet login (OIDC → temp API key) - id: login + - name: NuGet login (OIDC → temporary API key) + id: nuget_login uses: NuGet/login@v1 with: - # 推荐把用户名放到仓库 Secret(不是邮箱),例如 ${{ secrets.NUGET_USER }} - # 也可以直接写用户名(不推荐),但通常使用 secret 更安全 - user: ${{ secrets.NUGET_USER }} + user: ${{ secrets.NUGET_USER }} # 推荐将用户名放 secrets - - name: NuGet push (using short-lived API key) + - name: Push all packages to nuget.org + env: + NUGET_API_KEY: ${{ steps.nuget_login.outputs.NUGET_API_KEY }} run: | set -e - PKG=$(find ./packages -name "*.nupkg" | head -n1) - if [ -z "$PKG" ]; then - echo "No package found" + echo "Found API key: ${NUGET_API_KEY:+*** present ***}" + pushed_any=false + for PKG in ./packages/*.nupkg; do + [ -f "$PKG" ] || continue + pushed_any=true + echo "Pushing $PKG to nuget.org..." + dotnet nuget push "$PKG" \ + --api-key "${NUGET_API_KEY}" \ + --source https://api.nuget.org/v3/index.json \ + --skip-duplicate + done + if [ "$pushed_any" = false ]; then + echo "No packages found to push." + fi + + - name: Get Version and First Package Path + id: get_version + run: | + set -e + PACKAGE_FILE=$(find ./packages -name "*.nupkg" | head -n 1 || true) + if [ -z "$PACKAGE_FILE" ]; then + echo "No .nupkg file found in ./packages" exit 1 fi - echo "Pushing $PKG to nuget.org..." - # 注意:不要使用 --verbosity(dotnet nuget push 不支持) - dotnet nuget push "$PKG" \ - --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" \ - --source https://api.nuget.org/v3/index.json \ - --skip-duplicate - + # 从 .nupkg(zip)里读取 .nuspec 并提取 + VERSION=$(unzip -p "$PACKAGE_FILE" '*.nuspec' 2>/dev/null | sed -n 's:.*\(.*\).*:\1:p' | head -n1) + if [ -z "$VERSION" ]; then + echo "Failed to parse version from $PACKAGE_FILE" + exit 1 + fi + BASENAME=$(basename "$PACKAGE_FILE") + echo "package_file=$PACKAGE_FILE" >> $GITHUB_OUTPUT + echo "package_basename=$BASENAME" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> $GITHUB_OUTPUT + + - name: Create GitHub Release + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ github.ref_name }} + release_name: "Release ${{ github.ref_name }}" + body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})" + draft: false + prerelease: false + + - name: Upload all .nupkg to Release (curl) + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + UPLOAD_URL_TEMPLATE: ${{ steps.create_release.outputs.upload_url }} + run: | + set -e + # upload_url from create-release is like: https://uploads.github.com/repos/OWNER/REPO/releases/ID/assets{?name,label} + # strip template part "{?name,label}" + UPLOAD_URL="${UPLOAD_URL_TEMPLATE%\{*}" + echo "Upload base URL: $UPLOAD_URL" + + for package_file in ./packages/*.nupkg; do + if [ -f "$package_file" ]; then + basename=$(basename "$package_file") + echo "Uploading $basename to release..." + curl --fail -sS -X POST \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + -H "Content-Type: application/octet-stream" \ + --data-binary @"$package_file" \ + "$UPLOAD_URL?name=$basename" + echo "Uploaded $basename" + fi + done diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index eb95bef..0000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,91 +0,0 @@ -name: Create Release (on tag) - -on: - push: - tags: - - '*' - -permissions: - contents: write - -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout repository (at tag) - uses: actions/checkout@v4 - with: - fetch-depth: 0 - persist-credentials: true - - - name: Setup .NET - uses: actions/setup-dotnet@v4 - with: - dotnet-version: 9.0.x - - - name: Restore dependencies - run: dotnet restore - - - name: Build - run: dotnet build --no-restore -c Release - - - name: Determine tag version - id: tag_version - run: | - set -e - # GITHUB_REF example: refs/tags/v0.0.1 or refs/tags/0.0.1 - echo "GITHUB_REF = ${GITHUB_REF}" - TAG=${GITHUB_REF#refs/tags/} - # remove leading 'v' or 'V' if present - VERSION=${TAG#v} - VERSION=${VERSION#V} - echo "tag='$TAG' -> version='$VERSION'" - echo "version=$VERSION" >> $GITHUB_OUTPUT - - - name: Pack (use tag version) - run: | - set -e - echo "Packing with version=${{ steps.tag_version.outputs.version }}" - dotnet pack --no-build -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} - - - name: Get Version and Package Path - id: get_version - run: | - set -e - PACKAGE_FILE=$(find ./packages -name "*.nupkg" | head -n 1) - if [ -z "$PACKAGE_FILE" ]; then - echo "No .nupkg file found in ./packages" - exit 1 - fi - # 从 .nupkg(zip)里读取 .nuspec 并提取 标签(稳妥) - VERSION=$(unzip -p "$PACKAGE_FILE" *.nuspec 2>/dev/null | sed -n 's:.*\(.*\).*:\1:p' | head -n1) - if [ -z "$VERSION" ]; then - echo "Failed to parse version from $PACKAGE_FILE" - exit 1 - fi - BASENAME=$(basename "$PACKAGE_FILE") - echo "package_file=$PACKAGE_FILE" >> $GITHUB_OUTPUT - echo "package_basename=$BASENAME" >> $GITHUB_OUTPUT - echo "version=$VERSION" >> $GITHUB_OUTPUT - - - name: Create GitHub Release - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref_name }} - release_name: "Release ${{ github.ref_name }}" - body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})" - draft: false - prerelease: false - - - name: Upload .nupkg to Release - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ${{ steps.get_version.outputs.package_file }} - asset_name: ${{ steps.get_version.outputs.package_basename }} - asset_content_type: application/octet-stream