Skip to content
Azure CAC Release

Update Modules (#320) #27

Sign in to view logs

Update Modules (#320)

Update Modules (#320) #27

Workflow file for this run

.github/workflows/release-pipeline.yml at 9c91642
on:
push:
# Sequence of patterns matched against refs/tags
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
name: Azure CAC Release
env:
ARTIFACT_NAME: PowerShell.Workflows.Release.ScriptSigning
jobs:
release:
name: Sign, Test, and Release
runs-on: windows-2019
environment: test
permissions:
id-token: write
contents: write
steps:
- name: Check out repository
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Install AzureSignTool
run: dotnet tool install --no-cache --global AzureSignTool --version 4.0.1
- name: AZ Login
uses: azure/login@v2
with:
client-id: ${{ secrets.ENT_AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.ENT_AZURE_TENANT_ID }}
subscription-id: ${{ secrets.ENT_AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Azure token
run: |
$az_token=$(az account get-access-token --scope https://vault.azure.net/.default --query accessToken --output tsv)
echo "::add-mask::$az_token"
echo "AZ_TOKEN=$az_token" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
- name: Sign pwsh scripts and modules
shell: powershell
run: |
$scripts = Get-ChildItem -Path . -Include *.ps1,*.psm1,*.psd1 -Recurse -ErrorAction Stop
$vaultName = $env:VAULTNAME
foreach ($script in $scripts) {
try {
azuresigntool.exe sign --verbose -kvu https://$vaultName.vault.azure.net/ -kvc $env:CERTNAME -kva ${{ env.AZ_TOKEN }} -fd sha256 -tr "http://timestamp.comodoca.com/rfc3161" $script.FullName
}
catch {
Write-Error $_
}
}
env:
CERTNAME: ${{ secrets.ENT_VAULTSECRETNAME }}
VAULTNAME: ${{ secrets.ENT_VAULTNAME }}
- name: Validate Signature
shell: powershell
run: |
$signatureStatuses = Get-ChildItem -r -i *.ps* | Get-AuthenticodeSignature
Foreach ($signatureStatus in $signatureStatuses) {
If ($signatureStatus.Status -eq 'HashMismatch') {
throw "File '$($signatureStatus.Path)' has a hash status of '$($signatureStatus.status)'"
}
ElseIf ($signatureStatus.Status -eq 'NotSigned') {
Write-Warning "File '$($signatureStatus.Path)' has a hash status of '$($signatureStatus.status)'"
}
ElseIf ($signatureStatus.Status -eq 'Valid') {
Write-Host "File '$($signatureStatus.Path)' has a hash status of '$($signatureStatus.status)'"
}
Else {
throw "File '$($signatureStatus.Path)' has an unhandled hash status of '$($signatureStatus.status)'"
}
}
- name: Test Module Imports
shell: powershell
run: |
$ErrorActionPreference = 'Stop'
$moduleFiles = Get-ChildItem -path ./* -recurse -include *.psm1
Write-Host "Count of module files: $($moduleFiles.count)"
try {
ForEach ($moduleFile in $moduleFiles) {
Import-Module $moduleFile.Fullname -ErrorAction Stop
}
}
catch {
throw "Failed test import module '$moduleFile' with error: $_"
}
$importedModules = Get-Module
Write-Host "Imported modules: `n $($importedModules.Path | Out-String)"
$missingModules = $moduleFiles | Where-object {$_ -inotin ($importedModules).Path}
If ($missingModules) {
throw "The following modules failed import test: $missingModules"
}
- name: Archive code
run: |
$releaseName = $env:GITHUB_REF -replace 'refs/tags/', ''
mkdir release_assets
tar -czvf release_assets/azure-cac-solution-$releaseName.tar.gz --exclude='release_assets' --exclude='.git' --exclude='.github' .
$excludedItems = @('release_assets', '.git', '.github')
Get-ChildItem -Path . -Exclude $excludedItems | Compress-Archive -DestinationPath release_assets/azure-cac-solution-$releaseName.zip
echo "RELEASE_NAME=$releaseName" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release create $env:RELEASE_NAME --generate-notes --latest "./release_assets/azure-cac-solution-$env:RELEASE_NAME.tar.gz#Azure CAC Solution (tar.gz)" "./release_assets/azure-cac-solution-$env:RELEASE_NAME.zip#Azure CAC Solution (zip)"