forked from HylandSoftware/Hot-Potato
-
Notifications
You must be signed in to change notification settings - Fork 1
109 lines (101 loc) · 3.52 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
---
name: Hot Potato CI
on:
push:
branches:
- '*'
pull_request:
branches:
- main
jobs:
###
# Build Hot Potato
# This will build test and package Hot Potato, if successful an artifact will be created to be used by downstream jobs.
###
build:
uses: ./.github/workflows/build.yml
smoke-test:
needs: [build]
uses: ./.github/workflows/smoke-tests.yml
if: ${{ (github.ref_name == 'main') || (github.event_name == 'pull_request') || contains(github.event.head_commit.message, '+test') }}
with:
version: ${{ needs.build.outputs.version }}
vulnerability-scan:
runs-on: ubuntu-latest
needs: [build]
if: ${{ (github.ref_name == 'main') || (github.event_name == 'pull_request') || contains(github.event.head_commit.message, '+vuln') }}
steps:
- uses: actions/download-artifact@v3.0.2
with:
name: ${{ github.event.repository.name }}-sbom.spdx.json
path: "${{ github.workspace }}"
- uses: anchore/scan-action@v3
with:
sbom: "${{github.workspace}}/${{ github.event.repository.name }}-sbom.spdx.json"
###
# Publish nuget packages.
# Only runs on main, or when `+push` is included in a commit message.
# Note: We can't publish packages on PRs since the max package access for forked repos is read.
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
###
push-packages:
runs-on: ubuntu-latest
needs: [build, smoke-test]
if: ${{ (github.ref_name == 'main') || contains(github.event.head_commit.message, '+push') }}
permissions:
packages: write
steps:
- name: Download artifacts
uses: actions/download-artifact@v3.0.2
with:
name: nuget-packages
path: ./nuget
- name: Setup Nuget Source
run: |
dotnet nuget add source \
--username ${{ github.repository_owner }} \
--password ${{ secrets.GITHUB_TOKEN }} \
--store-password-in-clear-text \
--name github \
"https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json"
- name: NuGet push
run: |
dotnet nuget push ./nuget/**/*.nupkg \
-k ${{ secrets.GITHUB_TOKEN }} \
-s "github" \
--skip-duplicate
create-tag:
runs-on: ubuntu-latest
needs: [build, smoke-test]
if: ${{ github.ref_name == 'main' }}
permissions:
contents: write
steps:
- name: Create tag
uses: actions/github-script@v6
env:
VERSION: '${{ needs.build.outputs.version }}'
with:
script: |
const { VERSION } = process.env
github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `refs/tags/${VERSION}`,
sha: context.sha
});
###
# Creates a draft release that can be used to trigger further workflows if necessary.
# Once the release is acceptable, an admin can publish a release and push packages to nuget.
###
create-release:
needs: [build, create-tag]
runs-on: ubuntu-latest
if: ${{ success() && github.ref_name == 'main' }}
steps:
- name: Download packages
uses: actions/download-artifact@v3.0.2
with:
path: ./artifacts
- name: Create Release
run: gh release create ${{ needs.build.outputs.version }} ./artifacts/* --draft --verify-tag -title "Hot Potato ${{ needs.build.outputs.version }}"