Update to Trusted Signing module 0.4.1 (#38)

japarson · web-flow · commit 9b24fb52e0f6 · 2024-07-17T15:48:14.000-07:00
* Add files input and improve file input docs

* Update to ps module 0.4.1

* Add documentation for files input

* Update docs

* Update action.yml

* Update README.md
diff --git a/README.md b/README.md
@@ -38,15 +38,15 @@ jobs:
         run: dotnet build --configuration Release --no-restore WpfApp
 
       - name: Sign files with Trusted Signing
-        uses: azure/trusted-signing-action@v0.3.20
+        uses: azure/trusted-signing-action@v0.4.1
         with:
           azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
           azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
           endpoint: https://eus.codesigning.azure.net/
           trusted-signing-account-name: vscx-codesigning
           certificate-profile-name: vscx-certificate-profile
-          files-folder: ${{ github.workspace }}\App\App\bin\Release\net6.0-windows
+          files-folder: ${{ github.workspace }}\App\App\bin\Release\net8.0-windows
           files-folder-filter: exe,dll
           file-digest: SHA256
           timestamp-rfc3161: http://timestamp.acs.microsoft.com
@@ -131,14 +131,22 @@ certificate-profile-name: my-profile-name
 ```
 
 ### File Specification
+#### Files List
+This strategy allows you to specify a comma separated list of files to be signed.
+
+```yaml
+# A comma separated list of absolute paths to the files being signed. Can be combined with the files-folder and file-catalog inputs.
+files: ${{ github.workspace }}\files\app.dll,${{ github.workspace }}\files\app.exe
+```
+
 #### Files Folder
-This strategy allows you to specify a folder that contains all the files you want signed. There are options available for narrowing the focus as well. For example, you can use the `files-folder-filter` input to specify that you only want `exe` files to be signed.
+This strategy allows you to specify a folder that contains all the files you want signed. There are options available for narrowing the focus as well. For example, you can use the `files-folder-filter` input to specify that you only want `exe` files to be signed. See [about_Wildcards](https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_wildcards) for more information on using wildcards with the `files-folder-filter` input.
 
 ```yaml
 # The folder containing files to be signed. Can be combined with the file-catalog input.
 files-folder: ${{ github.workspace }}\App\App\bin\Release\net6.0-windows
 
-# A comma separated list of file extensions that determines which types of files will be signed in the folder specified by the files-folder input. Any file type not included in this list will not be signed. If this input is not used, all files in the folder will be signed.
+# A comma separated list of file extensions that determines which types of files will be signed in the folder specified by the files-folder input. Any file type not included in this list will not be signed. If this input is not used, all files in the folder will be signed. Supports wildcards for matching multiple file names with a pattern.
 files-folder-filter: dll,exe,msix
 
 # A boolean value (true/false) that indicates if the folder specified by the files-folder input should be searched recursively. The default value is false.
@@ -148,6 +156,25 @@ files-folder-recurse: true
 files-folder-depth: 2
 ```
 
+Given the following directory structure:
+```txt
+C:.
+└───files
+        System.dll
+        Foo.Bar.Core.dll
+        Foo.Bar.Utilities.dll
+        Foo.Bar.exe
+        LICENSE.md
+```
+
+Here is an example of inputs that can be used to specify that only the `Foo.Bar.*` files are signed:
+```yaml
+files-folder: ${{ github.workspace }}\files
+files-folder-filter: Foo.Bar.*.dll,*.exe
+files-folder-recurse: false
+files-folder-depth: 1
+```
+
 #### Files Catalog
 This strategy allows you to specify a precise list of files to be signed.
 
@@ -156,6 +183,26 @@ This strategy allows you to specify a precise list of files to be signed.
 files-catalog: ${{ github.workspace }}\catalog.txt
 ```
 
+Given the following directory structure:
+```txt
+C:.
+│   catalog.txt
+│
+└───files
+        System.dll
+        Foo.Bar.Core.dll
+        Foo.Bar.Utilities.dll
+        Foo.Bar.exe
+        LICENSE.md
+```
+
+Here is an example of a `catalog.txt` file that can be used to specify that only the `Foo.Bar.*` files are signed:
+```txt
+./files/Foo.Bar.Core.dll
+./files/Foo.Bar.Utilities.dll
+./files/Foo.Bar.exe
+```
+
 ### Digest Algorithm
 ```yaml
 # The name of the digest algorithm used for hashing the file being signed. The supported values are SHA256, SHA384, and SHA512. The default value is SHA256.
diff --git a/action.yml b/action.yml
@@ -40,14 +40,19 @@ inputs:
   certificate-profile-name:
     description: The Certificate Profile name.
     required: true
+  files:
+    description: A comma separated list of absolute paths to the files being signed. Can be combined with
+                 the files-folder and file-catalog inputs.
+    required: false
   files-folder:
-    description: The folder containing files to be signed. Can be combined with the file-catalog input.
+    description: The folder containing files to be signed. Can be combined with the files and file-catalog inputs.
     required: false
   files-folder-filter:
     description: A comma separated list of file extensions that determines which types of files will
                  be signed in the folder specified by the files-folder input. E.g., 'dll,exe,msix'.
                  Any file type not included in this list will not be signed. If this input is not used,
-                 all files in the folder will be signed.
+                 all files in the folder will be signed. Supports wildcards for matching multiple file
+                 names with a pattern.
     required: false
   files-folder-recurse:
     description: A boolean value (true/false) that indicates if the folder specified by the files-folder
@@ -60,7 +65,7 @@ inputs:
   files-catalog:
     description: A file containing a list of relative paths to the files being signed. The paths
                  should be relative to the location of the catalog file. Each file path should be on
-                 a separate line. Can be combined with the files-folder input.
+                 a separate line. Can be combined with the files and files-folder inputs.
     required: false
   file-digest:
     description: The name of the digest algorithm used for hashing the files being signed. The supported
@@ -197,7 +202,7 @@ runs:
         $defaultPath = $env:PSModulePath -split ';' | Select-Object -First 1
         "PSMODULEPATH=$defaultPath" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
         
-        "TRUSTED_SIGNING_MODULE_VERSION=0.3.18" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+        "TRUSTED_SIGNING_MODULE_VERSION=0.4.1" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
         "BUILD_TOOLS_NUGET_VERSION=10.0.22621.3233" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
         "TRUSTED_SIGNING_NUGET_VERSION=1.0.53" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 
@@ -270,6 +275,11 @@ runs:
           $params["CertificateProfileName"] = $certificateProfileName
         }
 
+        $files = "${{ inputs.files }}"
+        if (-Not [string]::IsNullOrWhiteSpace($files)) {
+          $params["Files"] = $files.replace("`n", ",")
+        }
+
         $filesFolder = "${{ inputs.files-folder }}"
         if (-Not [string]::IsNullOrWhiteSpace($filesFolder)) {
           $params["FilesFolder"] = $filesFolder
