test(workflows): testing adding trixie to examples

.github/workflows/deploy-artifacts/create-test-fixtures.sh

@@ -26,9 +26,11 @@ if [[ -f "tests/test-1.0-2.noarch.rpm" ]]; then
     cp "tests/test-1.0-2.noarch.rpm" "$BUILD_ARTIFACTS_DIR/"
     echo "   Copied test-1.0-2.noarch.rpm"
 else
-    echo "  ❌ test-1.0-2.noarch.rpm not found, creating mock"
+    echo "   test-1.0-2.noarch.rpm not found, creating mock"
     echo "test-rpm-content" > "$BUILD_ARTIFACTS_DIR/test-1.0-2.noarch.rpm"
 fi
+cp -v tests/some/structure/Aerospike.Client.8.0.2.nupkg  "$BUILD_ARTIFACTS_DIR/Aerospike.Client.8.0.2.nupkg"
+
 
 # Create some additional test files
 echo "test jar content" > "$BUILD_ARTIFACTS_DIR/test.jar"

.github/workflows/deploy-artifacts/test-entrypoint.sh

@@ -217,7 +217,7 @@ jf rt build-publish.*test-build.*12345
     cat "$TEST_DIR/test1_output.txt.build_commands"
 fi
 
-if ! verify_command_count "Upload commands" "$TEST_DIR/test1_output.txt.upload_commands" 8; then
+if ! verify_command_count "Upload commands" "$TEST_DIR/test1_output.txt.upload_commands" 9; then
     test1_success=false
     echo "Wrong number of commands"
     cat "$TEST_DIR/test1_output.txt.upload_commands"
@@ -251,7 +251,7 @@ jf rt build-publish.*test-build.*12345
     test3_success=false
 fi
 
-if ! verify_command_count "All upload commands" "$TEST_DIR/test3_output.txt.upload_commands" 8; then
+if ! verify_command_count "All upload commands" "$TEST_DIR/test3_output.txt.upload_commands" 9; then
     test3_success=false
 fi
 

.github/workflows/example_reusable-integration.yaml

@@ -66,6 +66,10 @@ jobs:
             arch: x86_64
             runs-on: ubuntu-22.04
             emulated: false
+          - distro: trixie
+            arch: x86_64
+            runs-on: ubuntu-22.04
+            emulated: false
           #   - distro: focal
           #     arch: x86_64
           #     runs-on: ubuntu-22.04
@@ -136,8 +140,11 @@ jobs:
       gh-source-path: repo-source
       working-directory: repo-source/.github/workflows/execute-build/test_apps/hi
       build-script: |
-        uname -m
-        uname -a
+        echo "DISTRO: ${{ matrix.distro }}"
+        echo "ARCH: ${{ matrix.arch }}"
+        echo "EMULATED: ${{ matrix.emulated }}"
+        echo "MAKEFILE: "
+        cat Makefile
         which gcc
         pwd
         find .

.github/workflows/execute-build/test_apps/hi/Makefile

@@ -35,12 +35,15 @@ ifeq ($(ARCH),arm64)
         ifeq ($(filter jammy noble focal,$(DISTRO)),$(DISTRO))
             # Ubuntu family
             CROSS_COMPILE_CMD = apt-get update && apt-get install -y gcc-aarch64-linux-gnu
-        else ifeq ($(filter bullseye bookworm,$(DISTRO)),$(DISTRO))
+        else ifeq ($(filter bullseye bookworm trixie,$(DISTRO)),$(DISTRO))
             # Debian family
             CROSS_COMPILE_CMD = apt-get update && apt-get install -y gcc-aarch64-linux-gnu
-        else
+        else ifeq ($(filter el8 el9 amzn2023,$(DISTRO)),$(DISTRO))
             # RPM family (el8, el9, amzn2023)
             CROSS_COMPILE_CMD = echo "Cross-compilation is not supported for RPM family distributions (el8, el9, amzn2023)"
+        else
+            echo "ERROR: Unsupported distribution: $(DISTRO)"
+            exit 1
         endif
     else
         # Real ARM runner - use native compiler
@@ -66,7 +69,7 @@ docker-build:
 	@echo "Using Docker image: $(DOCKER_IMAGE)"
 	@echo "Emulated: $(EMULATED)"
 	@mkdir -p $(BUILD_DIR)/$(DISTRO)/$(ARCH)
-ifeq ($(filter jammy noble focal bullseye bookworm,$(DISTRO)),$(DISTRO))
+ifeq ($(filter jammy noble focal bullseye bookworm trixie,$(DISTRO)),$(DISTRO))
 	docker run --rm -v $(PWD):/workspace -w /workspace \
 		-e ARCH=$(ARCH) -e EMULATED=$(EMULATED) \
 		$(DOCKER_IMAGE) \

.github/workflows/reusable_sign-artifacts.yaml

@@ -82,7 +82,7 @@ jobs:
         run: |
           mkdir -p unsigned-nuget-packages
           find unsigned-artifacts -name "*.nupkg" -exec mv {} unsigned-nuget-packages/ \;
-          echo "unsigned-nuget-packages=$(ls unsigned-nuget-packages/)" >> $GITHUB_OUTPUT
+          echo "Found nuget packages: $(ls unsigned-nuget-packages/)"
           echo "count=$(ls unsigned-nuget-packages/ | wc -l)" >> $GITHUB_OUTPUT
       - name: Checkout shared-workflows repository
         uses: actions/checkout@v5
@@ -98,13 +98,14 @@ jobs:
           gpg-private-key: ${{ secrets.gpg-private-key }}
           gpg-public-key: ${{ secrets.gpg-public-key }}
           gpg-key-pass: ${{ secrets.gpg-key-pass }}
-      - name: Validate nuget secrets present
+      - name: Prepare NuGet signing
         if: steps.nuget-packages.outputs.count > 0
         run: |
           if [ -z "${{ secrets.es-username }}" ] || [ -z "${{ secrets.es-password }}" ] || [ -z "${{ secrets.credential_id }}" ] || [ -z "${{ secrets.es-totp_secret }}" ]; then
-            echo "missing required secrets for NuGet signing"
+            echo 'Error: NuGet packages found but required SSL.com secrets are missing. Please provide: es-username, es-password, credential_id, es-totp_secret' >&2
             exit 1
           fi
+          mkdir -p ${{ inputs.gh-artifact-name }}/nuget
       - name: Sign NuGet Packages with SSL.com
         uses: sslcom/esigner-codesign@a272724cb13abe0abc579c6c40f7899969b6942b # v1.3.1
         if: steps.nuget-packages.outputs.count > 0
@@ -116,7 +117,7 @@ jobs:
           totp_secret: ${{ secrets.es-totp_secret }}
           dir_path: unsigned-nuget-packages
           output_path: ${{ inputs.gh-artifact-name }}/nuget
-          # malware_block: true
+          malware_block: true
           environment_name: ${{ inputs.nuget-environment }}
           clean_logs: true
           signing_method: v1

.github/workflows/sign-artifacts/README.md

@@ -1,6 +1,6 @@
 # Sign Artifacts Workflow
 
-This is a reusable GitHub Actions workflow that signs binary artifacts using GPG. It supports `.deb`, `.rpm`, and any other file type passed via a glob pattern. It produces:
+This is a reusable GitHub Actions workflow that signs binary artifacts using GPG. It supports `.deb`, `.rpm`, `.nupkg` (NuGet via SSL.com), and any other file type passed via a glob pattern. It produces:
 
 - GPG detached signature (`.asc`) for any file
 - Native signing for `.deb` and `.rpm` using `dpkg-sig` and `rpm --addsign`
@@ -11,23 +11,30 @@ This is a reusable GitHub Actions workflow that signs binary artifacts using GPG
 
 | Name                    | Type     | Required | Description                                                                                    |
 | ----------------------- | -------- | -------- | ---------------------------------------------------------------------------------------------- |
-| `gh-unsigned-artifacts` | `string` | No       | Previously uploaded artifacts to sign. Default: `unsigned-artifacts*`                          |
-| `gh-artifact-name`      | `string` | No       | Name for the uploaded artifacts. Default: `signed-artifacts`                                   |
+| `gh-unsigned-artifacts` | `string` | No       | Previously uploaded artifacts to sign. Default: `build-artifacts`                              |
+| `gh-artifact-name`      | `string` | No       | Name for the uploaded signed artifacts. Default: `signed-artifacts`                            |
 | `gh-retention-days`     | `number` | No       | Number of days to retain the signed artifacts. Default: `1`                                    |
-| `jf-url`                | `string` | No       | JFrog Artifactory URL. Default: `https://artifact.aerospike.io`                                |
-| `oidc-provider-name`    | `string` | No       | OIDC provider name. Default: `gh-aerospike`                                                    |
-| `oidc-audience`         | `string` | No       | OIDC audience. Default: `aerospike`                                                            |
 | `gh-checkout-path`      | `string` | No       | Directory to checkout the shared-workflows repository into. Default: `shared-workflows`        |
 | `gh-workflows-ref`      | `string` | No       | Git reference to checkout shared-workflows repository (tag, branch, or SHA). Default: `v2.0.2` |
-| `runs-on`               | `string` | No       | The runner to use for the build. Default: `ubuntu-22.04`                                       |
+| `runs-on`               | `string` | No       | The runner to use. Default: `ubuntu-22.04`                                                     |
+| `nuget-environment`     | `string` | No       | SSL.com environment name for NuGet signing. Default: `PROD`                                    |
 
 ## Secrets
 
-| Name              | Description                     |
-| ----------------- | ------------------------------- |
-| `gpg-private-key` | GPG private key for signing     |
-| `gpg-public-key`  | GPG public key for verification |
-| `gpg-key-pass`    | Passphrase for the GPG key      |
+| Name              | Required | Description                              |
+| ----------------- | -------- | ---------------------------------------- |
+| `gpg-private-key` | Yes      | GPG private key for signing              |
+| `gpg-public-key`  | Yes      | GPG public key for verification          |
+| `gpg-key-pass`    | Yes      | Passphrase for the GPG key               |
+| `es-username`     | Cond.    | SSL.com account username (NuGet signing) |
+| `es-password`     | Cond.    | SSL.com account password (NuGet signing) |
+| `credential_id`   | Cond.    | SSL.com credential ID (NuGet signing)    |
+| `es-totp_secret`  | Cond.    | SSL.com TOTP secret (NuGet signing)      |
+
+Notes:
+
+- NuGet signing runs only if `.nupkg` files are present in the unsigned artifacts.
+- If `.nupkg` files are found, all four SSL.com secrets above must be provided or the workflow fails.
 
 ---
 
@@ -48,8 +55,19 @@ jobs:
       gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
       gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }}
       gpg-key-pass: ${{ secrets.GPG_PASS }}
+      # Optional - required only if NuGet packages are present
+      es-username: ${{ secrets.ES_USERNAME }}
+      es-password: ${{ secrets.ES_PASSWORD }}
+      credential_id: ${{ secrets.CREDENTIAL_ID }}
+      es-totp_secret: ${{ secrets.ES_TOTP_SECRET }}
 ```
 
-## Output
+## Outputs
+
+| Name               | Description                                          |
+| ------------------ | ---------------------------------------------------- |
+| `gh-artifact-name` | The name of the uploaded signed artifacts (artifact) |
+
+Artifacts layout:
 
-The workflow uploads the signed artifacts as a GitHub Actions artifact with the specified retention period.
+- Signed outputs are uploaded under the artifact name provided by `gh-artifact-name`.

.github/workflows/test_create-release-bundle-workflow.yaml

@@ -20,7 +20,7 @@ jobs:
       oidc-provider-name: gh-aerospike
       oidc-audience: aerospike
       dry-run: true
-      gh-workflows-ref: v2.0.1 # replace with v2.0.2 when it is released
+      gh-workflows-ref: v2.0.2
 
   run-tests:
     runs-on: ubuntu-22.04

.github/workflows/test_deploy-artifacts-workflow.yaml

@@ -36,7 +36,7 @@ jobs:
       oidc-audience: aerospike
       gh-artifact-name: test-fixtures
       dry-run: true
-      gh-workflows-ref: v2.0.1 # replace with v2.0.2 when it is released
+      gh-workflows-ref: v2.0.2
 
   run-tests:
     runs-on: ubuntu-22.04

.github/workflows/test_execute-build-workflow.yaml

@@ -28,7 +28,7 @@ jobs:
       oidc-provider-name: gh-dev-test
       oidc-audience: aerospike/testing
       dry-run: false # default
-      gh-workflows-ref: v2.0.1 # replace with v2.0.2 when it is released
+      gh-workflows-ref: v2.0.2
 
   # Test the entrypoint script directly
   run-tests:

.github/workflows/test_sign-artifacts-workflow.yaml

@@ -29,9 +29,45 @@ jobs:
       gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
       gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }}
       gpg-key-pass: ${{ secrets.GPG_PASS }}
+      es-username: ${{ secrets.ES_USERNAME }}
+      es-password: ${{ secrets.ES_PASSWORD }}
+      credential_id: ${{ secrets.CREDENTIAL_ID }}
+      es-totp_secret: ${{ secrets.ES_TOTP_SECRET }}
     with:
       gh-unsigned-artifacts: test-fixtures
-      gh-workflows-ref: v2.0.1 # replace with v2.0.2 when it is released
+      gh-workflows-ref: v2.0.2
+
+  verify-nuget-signatures:
+    needs: test-sign-workflow
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Setup .NET SDK
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.x
+      - name: Download Signed Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.test-sign-workflow.outputs.gh-artifact-name }}
+          path: signed
+      - name: Verify NuGet Signatures
+        shell: bash
+        run: |
+          set -euo pipefail
+          export PATH="$HOME/.dotnet/tools:$PATH"
+          shopt -s nullglob globstar
+          mapfile -t pkgs < <(printf '%s\n' signed/**/*.nupkg)
+          echo "Found ${#pkgs[@]} .nupkg files"
+          if [ "${#pkgs[@]}" -lt 1 ]; then
+            echo "No .nupkg files found under signed/" >&2
+            exit 1
+          fi
+          for p in "${pkgs[@]}"; do
+            echo "Verifying $p"
+            dotnet nuget verify "$p" --all
+          done
 
   run-tests:
     needs: test-sign-workflow