Pin versions and improve error message.

Author: dlemstra

.github/dependabot.yml

@@ -4,3 +4,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/main.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Sign files
         uses: ./actions/code-signing
         with:
-          client-id: ${{secrets.AZURE_CLIENT_ID}}
-          tenant-id: ${{secrets.AZURE_TENANT_ID}}
-          subscription-id: ${{secrets.AZURE_SUBSCRIPTION_ID}}
-          directory: files-to-sign
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          directory: ${{ github.workspace }}\files-to-sign

actions/code-signing/.config/dotnet-tools.json

@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "sign": {
+      "version": "0.9.1-beta.26102.1",
+      "commands": [
+        "sign"
+      ]
+    }
+  }
+}

actions/code-signing/action.yml

@@ -18,35 +18,50 @@ runs:
       id: should_sign
       shell: pwsh
       run: |
-        $shouldSign = $false
-        if ("${{inputs.client-id}}" -ne "" -and "${{inputs.tenant-id}}" -ne "" -and "${{inputs.subscription-id}}" -ne "") {
-          $shouldSign = $true
+        $shouldSign = $true
+
+        if ("${{inputs.client-id}}" -eq "") {
+          echo "Missing required value: client-id"
+          $shouldSign = $false
+        }
+
+        if ("${{inputs.tenant-id}}" -eq "") {
+          echo "Missing required value: tenant-id"
+          $shouldSign = $false
         }
+
+        if ("${{inputs.subscription-id}}" -eq "") {
+          echo "Missing required value: subscription-id"
+          $shouldSign = $false
+        }
+
         echo "should_sign=$shouldSign" >> $env:GITHUB_OUTPUT
         echo "Should sign: $shouldSign"
 
     - name: Azure CLI login with federated credential
       if: steps.should_sign.outputs.should_sign == 'true'
-      uses: azure/login@v2
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
       with:
-        client-id: ${{inputs.client-id}}
-        tenant-id: ${{inputs.tenant-id}}
-        subscription-id: ${{inputs.subscription-id}}
+        client-id: ${{ inputs.client-id }}
+        tenant-id: ${{ inputs.tenant-id }}
+        subscription-id: ${{ inputs.subscription-id }}
 
     - name: Install sign cli
       if: steps.should_sign.outputs.should_sign == 'true'
       shell: cmd
-      run: dotnet tool install --global sign --prerelease
+      run: dotnet tool restore
+      working-directory: ${{ github.action_path }}
 
     - name: Sign executables and libraries
       if: steps.should_sign.outputs.should_sign == 'true'
       shell: pwsh
       run: |
-        sign code trusted-signing `
+        dotnet tool run sign code trusted-signing `
+          --base-directory ${{ inputs.directory }} `
           --trusted-signing-account ImageMagick `
           --trusted-signing-certificate-profile ImageMagick `
           --trusted-signing-endpoint https://eus.codesigning.azure.net `
           --azure-credential-type azure-cli `
           --verbosity information `
           *.exe *.dll
-      working-directory: ${{inputs.directory}}
+      working-directory: ${{ github.action_path }}