Merge pull request #13 from lambchop4prez/update-actions #52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Hot Potato CI | |
| on: | |
| push: | |
| branches: | |
| - '*' | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| ### | |
| # Build Hot Potato | |
| # This will build test and package Hot Potato, if successful an artifact will be created to be used by downstream jobs. | |
| ### | |
| build: | |
| uses: ./.github/workflows/build.yml | |
| smoke-test: | |
| needs: [build] | |
| uses: ./.github/workflows/smoke-tests.yml | |
| if: ${{ (github.ref_name == 'main') || (github.event_name == 'pull_request') || contains(github.event.head_commit.message, '+test') }} | |
| with: | |
| version: ${{ needs.build.outputs.version }} | |
| vulnerability-scan: | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: ${{ (github.ref_name == 'main') || (github.event_name == 'pull_request') || contains(github.event.head_commit.message, '+vuln') }} | |
| steps: | |
| - uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: ${{ github.event.repository.name }}-sbom.spdx.json | |
| path: "${{ github.workspace }}" | |
| - uses: anchore/scan-action@v3 | |
| with: | |
| sbom: "${{github.workspace}}/${{ github.event.repository.name }}-sbom.spdx.json" | |
| ### | |
| # Publish nuget packages. | |
| # Only runs on main, or when `+push` is included in a commit message. | |
| # Note: We can't publish packages on PRs since the max package access for forked repos is read. | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| ### | |
| push-packages: | |
| runs-on: ubuntu-latest | |
| needs: [build, smoke-test] | |
| if: ${{ (github.ref_name == 'main') || contains(github.event.head_commit.message, '+push') }} | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: nuget-packages | |
| path: ./nuget | |
| - name: Setup Nuget Source | |
| run: | | |
| dotnet nuget add source \ | |
| --username ${{ github.repository_owner }} \ | |
| --password ${{ secrets.GITHUB_TOKEN }} \ | |
| --store-password-in-clear-text \ | |
| --name github \ | |
| "https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json" | |
| - name: NuGet push | |
| run: | | |
| dotnet nuget push ./nuget/**/*.nupkg \ | |
| -k ${{ secrets.GITHUB_TOKEN }} \ | |
| -s "github" \ | |
| --skip-duplicate | |
| create-tag: | |
| runs-on: ubuntu-latest | |
| needs: [build, smoke-test] | |
| if: ${{ github.ref_name == 'main' }} | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Create tag | |
| uses: actions/github-script@v6 | |
| env: | |
| VERSION: '${{ needs.build.outputs.version }}' | |
| with: | |
| script: | | |
| const { VERSION } = process.env | |
| github.rest.git.createRef({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: `refs/tags/${VERSION}`, | |
| sha: context.sha | |
| }); | |
| ### | |
| # Creates a draft release that can be used to trigger further workflows if necessary. | |
| # Once the release is acceptable, an admin can publish a release and push packages to nuget. | |
| ### | |
| create-release: | |
| needs: [build, create-tag] | |
| runs-on: ubuntu-latest | |
| if: ${{ success() && github.ref_name == 'main' }} | |
| steps: | |
| - name: Download packages | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| path: ./artifacts | |
| - name: Create Release | |
| run: gh release create ${{ needs.build.outputs.version }} ./artifacts/* --draft --verify-tag -title "Hot Potato ${{ needs.build.outputs.version }}" |