Bump github/codeql-action from 3.27.7 to 3.27.9 (#1527) #3179
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: [ main ] | |
paths-ignore: | |
- '**/*.md' | |
- '**/*.gitignore' | |
- '**/*.gitattributes' | |
pull_request: | |
branches: | |
- main | |
- dotnet-vnext | |
- dotnet-nightly | |
workflow_dispatch: | |
env: | |
ARTIFACT_NAME: 'lambda' | |
AWS_ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }} | |
AWS_REGION: ${{ vars.AWS_REGION }} | |
DOTNET_CLI_TELEMETRY_OPTOUT: true | |
DOTNET_GENERATE_ASPNET_CERTIFICATE: false | |
DOTNET_NOLOGO: true | |
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: 1 | |
LAMBDA_DESCRIPTION: 'Deploy build ${{ github.run_number }} to AWS Lambda via GitHub Actions' | |
LAMBDA_FUNCTION: 'alexa-london-travel' | |
LAMBDA_ROLE: ${{ vars.AWS_LAMBDA_ROLE }} | |
NUGET_XMLDOC_MODE: skip | |
TERM: xterm | |
permissions: | |
contents: read | |
jobs: | |
build: | |
name: ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 20 | |
permissions: | |
attestations: write | |
contents: read | |
id-token: write | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ macos-latest, ubuntu-latest, windows-latest ] | |
include: | |
- os: macos-latest | |
os_name: macos | |
- os: ubuntu-latest | |
os_name: linux | |
- os: windows-latest | |
os_name: windows | |
steps: | |
- name: Setup arm64 support for native AoT | |
if: runner.os == 'Linux' | |
shell: bash | |
run: | | |
sudo dpkg --add-architecture arm64 | |
sudo bash -c 'cat > /etc/apt/sources.list.d/arm64.list <<EOF | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy main restricted | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy-updates main restricted | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy-backports main restricted universe multiverse | |
EOF' | |
sudo sed -i -e 's/deb http/deb [arch=amd64] http/g' /etc/apt/sources.list | |
sudo sed -i -e 's/deb mirror/deb [arch=amd64] mirror/g' /etc/apt/sources.list | |
sudo apt update | |
sudo apt install --yes clang llvm binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu linux-libc-dev:arm64 zlib1g-dev:arm64 | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup .NET SDK | |
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0 | |
- name: Build, Test and Package | |
id: build | |
shell: pwsh | |
run: ./build.ps1 | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 | |
with: | |
flags: ${{ matrix.os_name }} | |
token: ${{ secrets.CODECOV_TOKEN }} | |
- name: Publish artifacts | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: artifacts-${{ matrix.os_name }} | |
path: ./artifacts | |
- name: Create Lambda ZIP file | |
if: runner.os == 'Linux' | |
shell: bash | |
run: | | |
cd "./artifacts/publish/LondonTravel.Skill/release_linux-arm64" || exit | |
if [ -f "./bootstrap" ] | |
then | |
chmod +x ./bootstrap | |
fi | |
zip -r "../../../${LAMBDA_FUNCTION}.zip" . || exit 1 | |
- name: Attest artifacts | |
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
if: | | |
runner.os == 'Linux' && | |
github.event.repository.fork == false && | |
github.ref_name == github.event.repository.default_branch | |
with: | |
subject-path: ./artifacts/${{ env.LAMBDA_FUNCTION }}.zip | |
- name: Publish deployment package | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: runner.os == 'Linux' && success() | |
with: | |
name: ${{ env.ARTIFACT_NAME }} | |
path: ./artifacts/${{ env.LAMBDA_FUNCTION }}.zip | |
if-no-files-found: error | |
- name: Upload any crash dumps | |
shell: pwsh | |
if: | | |
!cancelled() && | |
steps.build.outcome == 'failure' && | |
github.event.repository.fork == false && | |
github.event.sender.login != 'dependabot[bot]' | |
env: | |
AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.CRASH_DUMPS_STORAGE_CONNECTION_STRING }} | |
PSCOMPRESSION_VERSION: '2.0.6' | |
run: | | |
$dumps = Get-ChildItem -Path ${env:GITHUB_WORKSPACE} -Filter "*.dmp" -Recurse | |
if ($null -ne $dumps) { | |
$container = ${env:GITHUB_REPOSITORY}.Replace("/", "-") | |
az storage container create --name $container --public-access off | Out-Null | |
Install-Module PSCompression -RequiredVersion ${env:PSCOMPRESSION_VERSION} -AcceptLicense -Force -Scope CurrentUser | |
$dumps | ForEach-Object { | |
$zipPath = $_.FullName + ".zip" | |
$zipName = $_.Name + ".zip" | |
Write-Output "Compressing crash dump $($_.Name)..." | |
Compress-ZipArchive -Path $_.FullName -Destination $zipPath | |
az storage blob upload ` | |
--container-name $container ` | |
--file $zipPath ` | |
--name $zipName ` | |
--metadata "GITHUB_RUN_ATTEMPT=${env:GITHUB_RUN_ATTEMPT}" "GITHUB_WORKFLOW=${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/actions/runs/${env:GITHUB_RUN_ID}" "RUNNER_OS=${env:RUNNER_OS}" ` | |
--overwrite true | |
if ($LASTEXITCODE -eq 0) { | |
Write-Output "::notice::Uploaded crash dump $($_.Name) to Azure Storage." | |
} | |
} | |
} | |
deploy-dev: | |
if: | | |
github.event.repository.fork == false && | |
github.ref_name == github.event.repository.default_branch | |
name: dev | |
needs: build | |
concurrency: dev_environment | |
runs-on: ubuntu-latest | |
environment: | |
name: dev | |
permissions: | |
id-token: write | |
steps: | |
- name: Set function name | |
shell: bash | |
run: | | |
echo "FUNCTION_NAME=${LAMBDA_FUNCTION}-dev" >> "$GITHUB_ENV" | |
- name: Download artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: ${{ env.ARTIFACT_NAME }} | |
- name: Get Lambda configuration | |
shell: bash | |
run: | | |
LAMBDA_CONFIG="$(unzip -p "${LAMBDA_FUNCTION}.zip" aws-lambda-tools-defaults.json)" | |
{ | |
echo "LAMBDA_ARCHITECTURES=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-architecture"')" | |
echo "LAMBDA_HANDLER=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-handler"')" | |
echo "LAMBDA_MEMORY=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-memory-size"')" | |
echo "LAMBDA_RUNTIME=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-runtime"')" | |
echo "LAMBDA_TIMEOUT=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-timeout"')" | |
} >> "$GITHUB_ENV" | |
- name: Get Lambda environment variables | |
env: | |
SKILL_API_URL: ${{ vars.SKILL_API_URL }} | |
SKILL_ID: ${{ secrets.SKILL_ID }} | |
TFL_APPLICATION_ID: ${{ secrets.TFL_APPLICATION_ID }} | |
TFL_APPLICATION_KEY: ${{ secrets.TFL_APPLICATION_KEY }} | |
VERIFY_SKILL_ID: "true" | |
shell: bash | |
run: | | |
lambda_vars="{\ | |
\"Variables\": {\ | |
\"Skill__SkillApiUrl\": \"${SKILL_API_URL}\",\ | |
\"Skill__SkillId\": \"${SKILL_ID}\",\ | |
\"Skill__TflApplicationId\": \"${TFL_APPLICATION_ID}\",\ | |
\"Skill__TflApplicationKey\": \"${TFL_APPLICATION_KEY}\",\ | |
\"Skill__VerifySkillId\": \"${VERIFY_SKILL_ID}\"\ | |
}\ | |
}" | |
echo "LAMBDA_ENVIRONMENT_VARIABLES=${lambda_vars}" >> "$GITHUB_ENV" | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-deploy | |
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-deploy-dev | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Update function code | |
shell: bash | |
run: | | |
aws lambda update-function-code \ | |
--function-name "${FUNCTION_NAME}" \ | |
--architectures "${LAMBDA_ARCHITECTURES}" \ | |
--zip-file "fileb://./${LAMBDA_FUNCTION}.zip" | |
- name: Wait for function code update | |
shell: bash | |
run: | | |
aws lambda wait function-updated-v2 \ | |
--function-name "${FUNCTION_NAME}" | |
- name: Update function configuration | |
shell: bash | |
env: | |
LAMBDA_LAYERS: ${{ vars.AWS_LAMBDA_LAYERS }} | |
LAMBDA_LOGGING_CONFIG: ${{ vars.AWS_LAMBDA_LOGGING_CONFIG }} | |
LAMBDA_TRACING_MODE: ${{ vars.AWS_TRACING_MODE }} | |
run: | | |
aws lambda update-function-configuration \ | |
--function-name "${FUNCTION_NAME}" \ | |
--description "${LAMBDA_DESCRIPTION}" \ | |
--environment "${LAMBDA_ENVIRONMENT_VARIABLES}" \ | |
--handler "${LAMBDA_HANDLER}" \ | |
--layers "${LAMBDA_LAYERS}" \ | |
--logging-config "${LAMBDA_LOGGING_CONFIG}" \ | |
--memory-size "${LAMBDA_MEMORY}" \ | |
--role "${LAMBDA_ROLE}" \ | |
--runtime "${LAMBDA_RUNTIME}" \ | |
--timeout "${LAMBDA_TIMEOUT}" \ | |
--tracing-config "Mode=${LAMBDA_TRACING_MODE}" | |
- name: Wait for function configuration update | |
shell: bash | |
run: | | |
aws lambda wait function-updated-v2 \ | |
--function-name "${FUNCTION_NAME}" | |
tests-dev: | |
name: tests-dev | |
needs: deploy-dev | |
runs-on: ubuntu-latest | |
concurrency: dev_environment | |
permissions: | |
id-token: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup .NET SDK | |
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-test | |
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-tests-dev | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Run end-to-end tests | |
shell: pwsh | |
run: dotnet test ./test/LondonTravel.Skill.EndToEndTests --configuration Release --logger "GitHubActions;report-warnings=false" | |
env: | |
LAMBDA_FUNCTION_NAME: ${{ env.LAMBDA_FUNCTION }}-dev | |
LWA_CLIENT_ID: ${{ secrets.LWA_CLIENT_ID }} | |
LWA_CLIENT_SECRET: ${{ secrets.LWA_CLIENT_SECRET }} | |
LWA_REFRESH_TOKEN: ${{ secrets.LWA_REFRESH_TOKEN }} | |
SKILL_ID: ${{ secrets.SKILL_ID }} | |
SKILL_STAGE: development | |
deploy-prod: | |
name: production | |
needs: tests-dev | |
runs-on: ubuntu-latest | |
concurrency: production_environment | |
environment: | |
name: production | |
permissions: | |
id-token: write | |
steps: | |
- name: Set function name | |
shell: bash | |
run: | | |
echo "FUNCTION_NAME=${LAMBDA_FUNCTION}" >> "$GITHUB_ENV" | |
- name: Download artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: ${{ env.ARTIFACT_NAME }} | |
- name: Get Lambda configuration | |
shell: bash | |
run: | | |
LAMBDA_CONFIG="$(unzip -p "${LAMBDA_FUNCTION}.zip" aws-lambda-tools-defaults.json)" | |
{ | |
echo "LAMBDA_ARCHITECTURES=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-architecture"')" | |
echo "LAMBDA_HANDLER=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-handler"')" | |
echo "LAMBDA_MEMORY=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-memory-size"')" | |
echo "LAMBDA_RUNTIME=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-runtime"')" | |
echo "LAMBDA_TIMEOUT=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-timeout"')" | |
} >> "$GITHUB_ENV" | |
- name: Get Lambda environment variables | |
env: | |
SKILL_API_URL: ${{ vars.SKILL_API_URL }} | |
SKILL_ID: ${{ secrets.SKILL_ID }} | |
TFL_APPLICATION_ID: ${{ secrets.TFL_APPLICATION_ID }} | |
TFL_APPLICATION_KEY: ${{ secrets.TFL_APPLICATION_KEY }} | |
VERIFY_SKILL_ID: "true" | |
shell: bash | |
run: | | |
lambda_vars="{\ | |
\"Variables\": {\ | |
\"Skill__SkillApiUrl\": \"${SKILL_API_URL}\",\ | |
\"Skill__SkillId\": \"${SKILL_ID}\",\ | |
\"Skill__TflApplicationId\": \"${TFL_APPLICATION_ID}\",\ | |
\"Skill__TflApplicationKey\": \"${TFL_APPLICATION_KEY}\",\ | |
\"Skill__VerifySkillId\": \"${VERIFY_SKILL_ID}\"\ | |
}\ | |
}" | |
echo "LAMBDA_ENVIRONMENT_VARIABLES=${lambda_vars}" >> "$GITHUB_ENV" | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-deploy | |
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-deploy-production | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Update function code | |
shell: bash | |
run: | | |
aws lambda update-function-code \ | |
--function-name "${FUNCTION_NAME}" \ | |
--architectures "${LAMBDA_ARCHITECTURES}" \ | |
--zip-file "fileb://./${LAMBDA_FUNCTION}.zip" | |
- name: Wait for function code update | |
shell: bash | |
run: | | |
aws lambda wait function-updated-v2 \ | |
--function-name "${FUNCTION_NAME}" | |
- name: Update function configuration | |
shell: bash | |
env: | |
LAMBDA_LAYERS: ${{ vars.AWS_LAMBDA_LAYERS }} | |
LAMBDA_LOGGING_CONFIG: ${{ vars.AWS_LAMBDA_LOGGING_CONFIG }} | |
LAMBDA_TRACING_MODE: ${{ vars.AWS_TRACING_MODE }} | |
run: | | |
aws lambda update-function-configuration \ | |
--function-name "${FUNCTION_NAME}" \ | |
--description "${LAMBDA_DESCRIPTION}" \ | |
--environment "${LAMBDA_ENVIRONMENT_VARIABLES}" \ | |
--handler "${LAMBDA_HANDLER}" \ | |
--layers "${LAMBDA_LAYERS}" \ | |
--logging-config "${LAMBDA_LOGGING_CONFIG}" \ | |
--memory-size "${LAMBDA_MEMORY}" \ | |
--role "${LAMBDA_ROLE}" \ | |
--runtime "${LAMBDA_RUNTIME}" \ | |
--timeout "${LAMBDA_TIMEOUT}" \ | |
--tracing-config "Mode=${LAMBDA_TRACING_MODE}" | |
- name: Wait for function configuration update | |
shell: bash | |
run: | | |
aws lambda wait function-updated-v2 \ | |
--function-name "${FUNCTION_NAME}" | |
tests-prod: | |
needs: deploy-prod | |
runs-on: ubuntu-latest | |
concurrency: production_environment | |
permissions: | |
id-token: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup .NET SDK | |
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-test | |
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-tests-production | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Run end-to-end tests | |
shell: pwsh | |
run: dotnet test ./test/LondonTravel.Skill.EndToEndTests --configuration Release --logger "GitHubActions;report-warnings=false" | |
env: | |
LAMBDA_FUNCTION_NAME: ${{ env.LAMBDA_FUNCTION }} | |
LWA_CLIENT_ID: ${{ secrets.LWA_CLIENT_ID }} | |
LWA_CLIENT_SECRET: ${{ secrets.LWA_CLIENT_SECRET }} | |
LWA_REFRESH_TOKEN: ${{ secrets.LWA_REFRESH_TOKEN }} | |
SKILL_ID: ${{ secrets.SKILL_ID }} | |
SKILL_STAGE: live |