[chore] Add GitHub Action to build, sign, release NuGet package (#495)

- New GitHub Action config to automate release process on pushing to a tag
- Migrate release worker to Windows instead of Ubuntu
- Remove unused Unix scripts
- Add strong-name certificate to repo (NO SECURITY RISK)

Author: nwithan8

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
   lint:
     runs-on: windows-2022
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install .NET SDK
         uses: actions/setup-dotnet@v3
@@ -26,7 +26,7 @@ jobs:
   Roslyn_Static_Analysis:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install .NET SDK
         uses: actions/setup-dotnet@v3
@@ -46,7 +46,7 @@ jobs:
   Security_Code_Scan:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install .NET SDK
         uses: actions/setup-dotnet@v3
@@ -62,7 +62,7 @@ jobs:
   Coverage_Requirements:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install .NET SDK
         uses: actions/setup-dotnet@v3
@@ -79,7 +79,7 @@ jobs:
     if: github.ref == 'refs/heads/master'
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up dotnet tools and dependencies
         run: make install
@@ -97,7 +97,7 @@ jobs:
     if: github.ref == 'refs/heads/master'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install .NET SDK
         uses: actions/setup-dotnet@v3
@@ -140,7 +140,7 @@ jobs:
           - name: Net80
             framework: net8.0
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -180,7 +180,7 @@ jobs:
   Integration_Tests:
     runs-on: windows-2022
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -212,7 +212,7 @@ jobs:
   FSharp_Compatibility_Tests:
     runs-on: windows-2022
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -245,7 +245,7 @@ jobs:
     runs-on: windows-2022
     steps:
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 

.github/workflows/release.yml

@@ -0,0 +1,72 @@
+name: Release
+
+on:
+  push:
+    tags:
+      # ex. "v1.2.3", "v1.2.3-rc1"
+      - "v[0-9]+.[0-9]+.*"
+
+jobs:
+  publish:
+    name: Publish to NuGet
+    runs-on: windows-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install .NET SDK
+        uses: actions/setup-dotnet@v3
+        with:
+          # .NET 5 is deprecated and removed from GitHub Actions, we need to manually install it
+          dotnet-version: |
+            5.x.x
+            8.x.x
+
+      - name: Setup Nuget
+        uses: NuGet/[email protected]
+
+      - name: Restore NuGet Packages
+        run: make restore
+
+      - name: Set up dotnet tools and dependencies
+        run: make install
+
+      - name: Set up authenticity certificate
+        run: |
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+        shell: bash
+
+      - name: Set variables
+        id: variables
+        run: |
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+          echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
+        shell: bash
+
+      - name: Setup Keylocker KSP on Windows
+        run: |
+          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
+          msiexec /i Keylockertools-windows-x64.msi /quiet /qn
+          smksp_registrar.exe list
+          smctl.exe keypair ls
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+        shell: cmd
+
+      - name: Sync Certificates
+        run: |
+          smctl windows certsync
+        shell: cmd
+
+      - name: Build and Sign NuGet package
+        # TODO: Need to keep signing_cert.snk in the repo
+        run: |
+          call scripts\win\build_release_nuget.bat EasyPost EasyPostNETStrongNameSigning.snk "${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" Release
+        shell: cmd
+
+      - name: Publish to NuGet
+        run: make publish key=${{ secrets.NUGET_API_KEY }}

EasyPostNETStrongNameSigning.snk

@@ -23,7 +23,6 @@ build-prod:
 ## clean - Clean the project
 clean:
 	dotnet clean
-	rm -rf *.nupkg
 
 ## coverage - Generate coverage reports (unit tests, not integration) for the project
 coverage:
@@ -44,10 +43,6 @@ install-tools:
 	dotnet tool install --local dotnet-format || exit 0
 	dotnet tool install --local docfx --version 2.60.2 || exit 0
 
-## install-release-tools - Install required tools for release
-install-release-tools:
-	bash scripts/unix/install_osslsigncode.sh
-
 ## install-styleguide - Import style guide (Unix only)
 install-styleguide: | update-examples-submodule
 	sh examples/symlink_directory_files.sh examples/style_guides/csharp .
@@ -70,13 +65,13 @@ lint-fix:
 lint-scripts:
 	scripts\win\lint_scripts.bat
 
-## prep-release - Build, sign and package the project for distribution, signing with the provided certificate
+## publish - Publish the project to NuGet
 # @parameters:
-# sncert= - The strong-name certificate to use for signing the built assets.
-# cert= - The authenticity certificate to use for signing the built assets.
-# pass= - The password for the authenticity certificate.
-prep-release:
-	bash scripts/unix/build_release_nuget.sh EasyPost ${sncert} ${cert} ${pass} Release
+# key= - The NuGet API key to use for publishing.
+# ref: https://learn.microsoft.com/en-us/nuget/reference/cli-reference/cli-ref-push
+publish:
+	# Verify that no extraneous .nupkg files exist
+	dotnet nuget push *.nupkg -Source https://api.nuget.org/v3/index.json -k ${key} -SkipDuplicate
 
 ## release - Cuts a release for the project on GitHub (requires GitHub CLI)
 # tag = The associated tag title of the release
@@ -135,4 +130,4 @@ fs-compat-test:
 vb-compat-test:
 	dotnet test EasyPost.Compatibility.VB/EasyPost.Compatibility.VB.vbproj -f ${fw} -restore
 
-.PHONY: help analyze build build-fw build-prod clean coverage coverage-check docs format install-styleguide install-tools install-release-tools install lint lint-scripts prep-release release restore scan setup-win setup-unix test update-examples-submodule unit-test integration-test fs-compat-test vb-compat-test
+.PHONY: help analyze build build-fw build-prod clean coverage coverage-check docs format install-styleguide install-tools install lint lint-scripts release restore scan setup-win setup-unix test update-examples-submodule unit-test integration-test fs-compat-test vb-compat-test