Reusable GitHub Actions workflows for building, signing, and publishing .NET desktop applications.
Runs unit tests on pull requests.
name: PR Tests
on:
pull_request:
branches: [ "main" ]
jobs:
test:
uses: mythetech/workflows/.github/workflows/pr-test.yml@main
with:
test_project: "MyApp.Test/MyApp.Test.csproj"| Input | Required | Default | Description |
|---|---|---|---|
dotnet_version |
No | 10.0.x |
.NET SDK version |
test_project |
No | - | Path to test project. If omitted, runs dotnet test in root |
test_command |
No | - | Override the entire test command |
enable_coverage |
No | true |
Enable code coverage collection |
coverage_threshold |
No | 0 |
Minimum coverage % (0 disables threshold check) |
upload_coverage_artifact |
No | true |
Upload coverage results as artifact |
Coverage is enabled by default. Results appear in:
- GitHub Job Summary - Markdown table with coverage breakdown
- Artifact - Downloadable HTML report (
coverage-report)
To enforce a minimum coverage threshold:
uses: mythetech/workflows/.github/workflows/pr-test.yml@main
with:
test_project: "MyApp.Test/MyApp.Test.csproj"
coverage_threshold: 80 # Fail if coverage < 80%To disable coverage:
uses: mythetech/workflows/.github/workflows/pr-test.yml@main
with:
test_project: "MyApp.Test/MyApp.Test.csproj"
enable_coverage: falsePrerequisite: Test projects should include the Coverlet collector package:
<PackageReference Include="coverlet.collector" Version="6.0.4">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>Full build, sign, and publish pipeline for .NET desktop applications. Supports:
- Windows: Azure Trusted Signing
- macOS: Developer ID + Notarization
- Linux: Unsigned AppImage
name: Publish Desktop
on:
workflow_dispatch:
jobs:
publish:
uses: mythetech/workflows/.github/workflows/desktop-publish.yml@main
with:
app_name: "Horizon"
project_path: "Horizon/Horizon.csproj"
test_project: "Horizon.Test/Horizon.Test.csproj"
entitlements_path: "Horizon/Horizon.entitlements"
icon_windows: "Horizon/wwwroot/logo.ico"
icon_linux: "Horizon/wwwroot/logo.png"
icon_macos: "Horizon/wwwroot/logo.icns"
storage_account: "stmythetechglobal"
storage_container: "preview"
secrets: inherit| Input | Required | Default | Description |
|---|---|---|---|
app_name |
Yes | - | Application name (e.g., "Horizon") |
project_path |
Yes | - | Path to main .csproj |
test_project |
No | - | Path to test project |
entitlements_path |
Yes | - | Path to macOS entitlements file |
icon_windows |
Yes | - | Windows icon (.ico) |
icon_linux |
Yes | - | Linux icon (.png) |
icon_macos |
Yes | - | macOS icon (.icns) |
dotnet_version |
No | 10.0.x |
.NET SDK version |
versioning |
No | nbgv |
nbgv or run_number |
storage_account |
Yes | - | Azure Storage account |
storage_container |
Yes | - | Container for releases |
releases_container |
No | releases |
Container for Velopack auto-update |
enable_signing |
No | true |
Enable code signing |
enable_smoke_tests |
No | true |
Enable smoke tests |
enable_blob_upload |
No | true |
Enable Azure uploads |
Configure these at the organization level for sharing across repos:
Windows Signing (Azure Trusted Signing)
AZURE_TRUSTED_SIGNING_ENDPOINTAZURE_TRUSTED_SIGNING_ACCOUNT_NAMEAZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAMEAZURE_CREDENTIALS
macOS Signing & Notarization
BUILD_CERTIFICATE_BASE64INSTALLER_CERTIFICATE_BASE64P12_PASSWORDAPPLE_USERNAME_IDAPPLE_TEAM_IDKEYCHAIN_PASSWORDMACOS_SIGN_APP_IDENTITYMACOS_SIGN_INSTALL_IDENTITY
App-Specific (configure per repository)
APPLE_APP_ID_PASSWORD- App-specific password for notarizationBLOB_SAS_TOKEN- Azure Storage SAS token (if different per app)
Signs and notarizes a macOS application bundle.
- uses: mythetech/workflows/actions/macos-sign@main
with:
app_name: "MyApp"
platform_release_dir: "releases/macOS"
entitlements_path: "MyApp/MyApp.entitlements"
sign_app_identity: ${{ secrets.MACOS_SIGN_APP_IDENTITY }}
sign_install_identity: ${{ secrets.MACOS_SIGN_INSTALL_IDENTITY }}
keychain_path: ${{ runner.temp }}/app-signing.keychain-dbVerifies that a desktop application can launch and display a window.
- uses: mythetech/workflows/actions/smoke-test@main
with:
app_name: "MyApp"
platform: "Windows" # or "macOS" or "Linux"
releases_dir: "releases"Uploads release artifacts to Azure Blob Storage.
- uses: mythetech/workflows/actions/blob-upload@main
with:
app_name: "MyApp"
version: "1.0.0"
platform: "Windows"
release_dir: "releases/Windows"
storage_account: "mystorageaccount"
storage_container: "releases"
sas_token: ${{ secrets.BLOB_SAS_TOKEN }}- Create/update
.github/workflows/pr.yml:
name: PR Tests
on:
pull_request:
branches: [ "main" ]
jobs:
test:
uses: mythetech/workflows/.github/workflows/pr-test.yml@main
with:
test_project: "MyApp.Test/MyApp.Test.csproj"- Create/update
.github/workflows/dotnet-desktop.yml:
name: Publish Desktop
on:
workflow_dispatch:
jobs:
publish:
uses: mythetech/workflows/.github/workflows/desktop-publish.yml@main
with:
app_name: "MyApp"
project_path: "MyApp/MyApp.csproj"
test_project: "MyApp.Test/MyApp.Test.csproj"
entitlements_path: "MyApp/MyApp.entitlements"
icon_windows: "MyApp/wwwroot/logo.ico"
icon_linux: "MyApp/wwwroot/logo.png"
icon_macos: "MyApp/wwwroot/logo.icns"
storage_account: "mystorageaccount"
storage_container: "releases"
secrets: inherit-
Ensure secrets are configured:
- Org-level: All signing and common secrets
- Repo-level:
APPLE_APP_ID_PASSWORD(app-specific notarization password)
-
Standardize the app-specific secret name:
- Rename
APPLE_MYAPP_ID_PASSWORDtoAPPLE_APP_ID_PASSWORDin each repo
- Rename
This repository uses @main for all consuming workflows. Changes pushed to main are immediately available to all projects.
For breaking changes, create a new major version branch (e.g., v2) and update consuming workflows to use @v2.