Update actions workflows #42
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Hot Potato CI | |
| on: | |
| push: | |
| branches: | |
| - '*' | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| ### | |
| # Build Hot Potato | |
| # This will build test and package Hot Potato, if successful an artifact will be created to be used by downstream jobs. | |
| ### | |
| build: | |
| uses: ./.github/workflows/build.yml | |
| ### | |
| # Generate Software Bill of Materials | |
| # Creates a machine-readable list of all project dependencies (and their dependencies) that can be used for further vulnerability scanning. | |
| ### | |
| generate-sbom: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: ${{ (github.ref_name == 'main') || (github.event_name == 'pull_request') || contains(github.event.head_commit.message, '+sbom') }} | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: nuget-packages | |
| path: ./nuget | |
| - name: Generate sbom | |
| uses: anchore/sbom-action@v0.14.3 | |
| with: | |
| path: ./nuget | |
| ### | |
| # Publish nuget packages. | |
| # Only runs on main, or when `+push` is included in a commit message. | |
| # Note: We can't publish packages on PRs since the max package access for forked repos is read. | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| ### | |
| push-packages: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: ${{ (github.ref_name == 'main') || contains(github.event.commits.message, '+push') }} | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: nuget-packages | |
| path: ./nuget | |
| - name: Setup Nuget Source | |
| run: | | |
| dotnet nuget add source \ | |
| --username ${{ github.repository_owner }} \ | |
| --password ${{ secrets.GITHUB_TOKEN }} \ | |
| --store-password-in-clear-text \ | |
| --name github \ | |
| "https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json" | |
| - name: NuGet push | |
| run: | | |
| dotnet nuget push ./nuget/**/*.nupkg \ | |
| -k ${{ secrets.GITHUB_TOKEN }} \ | |
| -s "github" \ | |
| --skip-duplicate | |
| # TODO: This mostly works, but is still failing. | |
| # test-packages: | |
| # needs: [build, push-packages] | |
| # uses: ./.github/workflows/smoke-tests.yml | |
| # with: | |
| # version: ${{ needs.build.outputs.version }} | |
| create-tag: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: ${{ github.ref_name == 'main' }} | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Create tag | |
| uses: actions/github-script@v6 | |
| env: | |
| VERSION: '${{ needs.build.outputs.version }}' | |
| with: | |
| script: | | |
| const { VERSION } = process.env | |
| github.rest.git.createRef({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: `refs/tags/${VERSION}`, | |
| sha: context.sha | |
| }); | |
| ### | |
| # Creates a draft release that can be used to trigger further workflows if necessary. | |
| # Once the release is acceptable, an admin can publish a release and push packages to nuget. | |
| ### | |
| create-release: | |
| needs: [build, create-tag] | |
| runs-on: ubuntu-latest | |
| if: ${{ success() && github.ref_name == 'main' }} | |
| steps: | |
| - name: Download packages | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| path: ./artifacts | |
| - name: Create Release | |
| run: gh release create ${{ needs.build.outputs.version }} ./artifacts/* --draft --verify-tag -title "Hot Potato ${{ needs.build.outputs.version }}" |