
ci: add NuGet package signing and verification#69

Merged: rian-be merged 1 commit into main from develop, Jul 2, 2026

Conversation

@rian-be (Contributor) commented Jul 2, 2026

Summary

This PR adds NuGet package signing and authenticity verification to the standard ModularityKit.Mutator release path and wires the attested publish flow into Release Drafter.

Highlights

Signed release artifacts

  • Sign every generated .nupkg in the shared publish workflow with dotnet nuget sign.
  • Timestamp package signatures with a configurable RFC3161 endpoint.
  • Fail the release when signing secrets are missing.

Verification in release and publish flows

  • Verify signed packages with dotnet nuget verify --all --certificate-fingerprint ... immediately after packing.
  • Verify downloaded packages again before publishing to NuGet.org.
  • Verify downloaded packages again before publishing to GitHub Packages.

Release workflow integration

  • Pass signing secrets through the reusable package workflows.
  • Make publish-attested.yml callable via workflow_call.
  • Update release-drafter.yml to invoke the attested publish workflow instead of duplicating draft release asset upload steps.

Documentation and local validation

  • Add Docs/Package-Signing.md with the signing approach, required secrets, and local verification guidance.
  • Surface the package signing docs in README.md, Docs/Home.md, and toc.yml.
  • Add task verify:package-signing for local signature verification.

Why

Issue #50 asks for signed NuGet packages, authenticity checks, CI validation, and discoverable documentation without changing the package surface area. The repository already had a shared pack/publish path, so the right move was to harden that path directly instead of introducing a second release flow.

This keeps release behavior explicit and auditable while preserving normal local development without exposing signing material.

Checks

  • dotnet build ModularityKit.Mutator.slnx -c Release
  • docfx docfx.json
    Builds successfully in this environment with existing DocFX link warnings unrelated to this change.
  • task --dry verify:package-signing PACKAGE=dist/example.nupkg FINGERPRINT=ABC123
  • workflow YAML parse validation

Closes
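As an added example that is not part of this PR or the ModularityKit.Mutator repository, the sign-then-verify gate described in the highlights written as a POSIX shell library: fail on missing secrets, sign with an RFC 3161 timestamp, then verify against a pinned fingerprint. The variable names SIGNING_CERT_PATH, SIGNING_CERT_PASSWORD, SIGNING_TIMESTAMPER_URL and NUGET_CERT_FINGERPRINT are assumptions, not the repository's actual secret names.

```shell
#!/bin/sh
# Added example, not the repository's own script. Variable names are assumptions:
#   SIGNING_CERT_PATH        path to the release signing certificate (PFX) on the runner
#   SIGNING_CERT_PASSWORD    password protecting that certificate
#   SIGNING_TIMESTAMPER_URL  RFC 3161 timestamping endpoint
#   NUGET_CERT_FINGERPRINT   SHA-256 fingerprint the package signature must match
set -u

# Fail the release up front when any signing secret is missing or empty, rather than
# letting the sign step fail later with a less clear error.
require_signing_secrets() {
  missing=0
  for name in SIGNING_CERT_PATH SIGNING_CERT_PASSWORD \
              SIGNING_TIMESTAMPER_URL NUGET_CERT_FINGERPRINT; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: required signing secret $name is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Sign one .nupkg. The RFC 3161 timestamp keeps the signature valid after the
# signing certificate itself expires.
sign_package() {
  dotnet nuget sign "$1" \
    --certificate-path "$SIGNING_CERT_PATH" \
    --certificate-password "$SIGNING_CERT_PASSWORD" \
    --timestamper "$SIGNING_TIMESTAMPER_URL"
}

# Verify a .nupkg against the pinned certificate fingerprint. --all runs every
# verification the tool supports; pinning the fingerprint rejects a package that
# carries a valid signature from any other certificate. Run this right after
# packing and again on the downloaded artifact before publishing, so a package
# altered between those jobs fails the publish.
verify_package() {
  dotnet nuget verify "$1" --all --certificate-fingerprint "$2"
}

# The release gate: refuse to start without secrets, then sign and immediately
# verify every package, stopping at the first failure.
release_gate() {
  require_signing_secrets || return 1
  for pkg in "$@"; do
    sign_package "$pkg" || return 1
    verify_package "$pkg" "$NUGET_CERT_FINGERPRINT" || return 1
  done
}

# Usage: sh release-gate.sh dist/*.nupkg
if [ "$#" -gt 0 ]; then release_gate "$@"; fi
```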

github-actions bot added labels documentation (Documentation updates and additions) and ci (CI/CD and repository automation changes) Jul 2, 2026
rian-be merged commit a5d6618 into main Jul 2, 2026
6 checks passed


Development

Successfully merging this pull request may close these issues: [Task]: Add NuGet package signing and authenticity checks