fix: more merge missing

.github/workflows/build.yml

@@ -23,6 +23,11 @@ jobs:
     name: build-${{ matrix.os }}
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -36,16 +41,12 @@ jobs:
           os_name: windows
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
+    - name: Select Xcode version
+      if: ${{ runner.os == 'macOS' }}
+      run: sudo xcode-select -s "/Applications/Xcode_15.4.app"
 
-    - name: Setup .NET
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: |
-          6.0.421
-          7.0.408
-          8.0.204
+    - name: Checkout code
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # Arcade only allows the revision to contain up to two characters, and GitHub Actions does not roll-over
     # build numbers every day like Azure DevOps does. To balance these two requirements, set the official
@@ -66,29 +67,40 @@ jobs:
 
     - name: Build, test and pack
       if: ${{ runner.os == 'Windows' }}
-      run: eng\common\CIBuild.cmd -configuration Release -prepareMachine -integrationTest /p:SuppressSymbolPackageFormatValidation=true
+      run: eng\common\CIBuild.cmd -configuration Release -prepareMachine -integrationTest /p:RestoreDotNetWorkloads=true
 
     - name: Build, test and pack
       if: ${{ runner.os != 'Windows' }}
       shell: pwsh
-      run: ./eng/common/cibuild.sh -configuration Release -prepareMachine -integrationTest /p:SuppressSymbolPackageFormatValidation=true
+      run: ./eng/common/cibuild.sh -configuration Release -prepareMachine -integrationTest /p:RestoreDotNetWorkloads=true
+
+    - name: Attest artifacts
+      uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+      if: |
+        runner.os == 'Windows' &&
+        github.event.repository.fork == false &&
+        startsWith(github.ref, 'refs/tags/')
+      with:
+        subject-path: |
+          ./artifacts/bin/**/Release/**/OpenIddict.*.dll
+          ./artifacts/packages/Release/Shipping/*
 
     - name: Publish logs
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: logs-${{ matrix.os_name }}
         path: ./artifacts/log/Release
 
     - name: Publish NuGet packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: packages-${{ matrix.os_name }}
         path: ./artifacts/packages/Release/Shipping
 
     - name: Publish test results
       if: ${{ always() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: testresults-${{ matrix.os_name }}
         path: ./artifacts/TestResults/Release
@@ -98,14 +110,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: packages-windows
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+
+    # Note: the dotnet-validate tool requires .NET 6.0, which is no longer installed by default.
+    - name: Setup .NET
+      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
       with:
-        dotnet-version: '8.0.204'
+        dotnet-version: '6.0.x'
 
     - name: Validate NuGet packages
       shell: pwsh
@@ -121,22 +137,47 @@ jobs:
         }
         if ($invalidPackages -gt 0) {
           Write-Output "::error::$invalidPackages NuGet package(s) failed validation."
+          exit 1
         }
 
-  push-packages-nuget:
-    needs: validate-packages
+  push-packages-myget:
+    needs: [ build, validate-packages ]
     runs-on: ubuntu-latest
-    if: github.event.repository.fork == false && startsWith(github.ref, 'refs/tags/')
+    if: |
+      (github.ref_name == github.event.repository.default_branch ||
+       startsWith(github.ref, 'refs/heads/dev') ||
+       startsWith(github.ref, 'refs/heads/rel/') ||
+       startsWith(github.ref, 'refs/tags/'))
     steps:
     - name: Download packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: packages-windows
 
-    - name: Setup NuGet
-      uses: nuget/setup-nuget@v2
+    - name: Setup .NET
+      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+
+    - name: Push packages to MyGet.org
+      env:
+        MYGET_API_KEY: ${{ secrets.MYGET_API_KEY }}
+      run: dotnet nuget push "*.nupkg" --api-key "${MYGET_API_KEY}" --skip-duplicate --source https://www.myget.org/F/openiddict/api/v3/index.json
+
+  push-packages-nuget:
+    needs: [ build, validate-packages ]
+    runs-on: ubuntu-latest
+    if: |
+      github.event.repository.fork == false &&
+      startsWith(github.ref, 'refs/tags/')
+    steps:
+    - name: Download packages
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
-        nuget-version: '5.11.0'
+        name: packages-windows
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
 
     - name: Push packages to NuGet.org
-      run: nuget push "*.nupkg" -ApiKey ${{ secrets.NUGET_API_KEY }} -SkipDuplicate -Source https://api.nuget.org/v3/index.json
+      env:
+        NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+      run: dotnet nuget push "*.nupkg" --api-key "${NUGET_API_KEY}" --skip-duplicate --source https://api.nuget.org/v3/index.json