chore(deps): updated to .NET 8 LTS and dep maintenance (#82)

* chore(deps): updated to .NET 8 LTS * ci: switch to standard build workflow * chore(deps): updated all deps and fixed stress test code * style: ran csharpier
miracum · Dec 9, 2023 · a95f6be · a95f6be
1 parent bae5e7f
commit a95f6be
Show file tree

Hide file tree

Showing 40 changed files with 472 additions and 642 deletions.
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -3,11 +3,11 @@
   "isRoot": true,
   "tools": {
     "dotnet-outdated-tool": {
-      "version": "4.5.3",
+      "version": "4.6.0",
       "commands": ["dotnet-outdated"]
     },
     "csharpier": {
-      "version": "0.25.0",
+      "version": "0.26.3",
       "commands": ["dotnet-csharpier"]
     }
   }

diff --git a/.github/workflows/benchmarks.yaml b/.github/workflows/benchmarks.yaml
@@ -29,10 +29,9 @@ jobs:
           fetch-depth: 0
 
       - name: Install .NET
-        uses: actions/setup-dotnet@a351d9ea84bc76ec7508debf02a39d88f8b6c0c0 # tag=v2
+        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
         with:
-          dotnet-version: "7.0.x"
-          include-prerelease: true
+          dotnet-version: "8.0.x"
 
       - name: Run benchmark
         run: dotnet run -c Release --project=src/Vfps.Benchmarks

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -11,91 +11,45 @@ on:
 # Declare default permissions as read only.
 permissions: read-all
 
-env:
-  IMAGE_NAME: ghcr.io/${{ github.repository }}
-
 jobs:
   build:
-    name: build
-    runs-on: ubuntu-22.04
+    uses: miracum/.github/.github/workflows/standard-build.yaml@440b93677bc4fb05548dba758734fa770ddcd754 # v1.4.4
     permissions:
-      packages: write
       contents: read
+      id-token: write
+      packages: write
       pull-requests: write
-    outputs:
-      api-image-tags: ${{ steps.container_meta.outputs.tags }}
-      api-image-version: ${{ steps.container_meta.outputs.version }}
-      api-image-digest: ${{ steps.build.outputs.digest }}
-      api-image-name: ${{ env.IMAGE_NAME }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-        with:
-          fetch-depth: 0
-
-      - name: Container meta for api image
-        id: container_meta
-        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4
-        with:
-          images: |
-            ${{ env.IMAGE_NAME }}
-
-      - name: Container meta for the unit test image
-        id: container_tests_meta
-        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}-tests
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
+      actions: read
+      security-events: write
+    with:
+      enable-build-test-layer: true
+      enable-upload-test-image: true
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
-        if: ${{ github.event_name != 'pull_request' }}
+  add-code-coverage:
+    runs-on: ubuntu-22.04
+    needs:
+      - build
+    permissions:
+      # for add Coverage PR Comment
+      pull-requests: write
+    steps:
+      - name: Download test image
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          name: test-image
+          path: /tmp
 
-      # ran first to avoid pushing failing images when running on master.
-      - name: Run unit tests
-        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3
-        with:
-          push: false
-          load: true
-          tags: ${{ steps.container_tests_meta.outputs.tags }}
-          labels: ${{ steps.container_tests_meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          target: unit-test
-
-      # can't use `load` and `push` at the same time, so differentiate by whether its a PR or not
-      - name: Build and push api image
-        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3
-        id: build
-        with:
-          load: ${{ github.event_name == 'pull_request' }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.container_meta.outputs.tags }}
-          labels: ${{ steps.container_meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # 0.13.1
-        with:
-          image-ref: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }}
-          severity: "CRITICAL,HIGH"
-          exit-code: "1"
-          ignore-unfixed: "true"
+      - name: Load test image
+        run: |
+          ls -lsa /tmp
+          docker load --input /tmp/image-test.tar
+          docker image ls
 
-      - name: Copy unit test coverage reports from container
+      - name: Copy unit test coverage reports from test container
         env:
-          UNIT_TEST_IMAGE: ${{ fromJson(steps.container_tests_meta.outputs.json).tags[0] }}
+          UNIT_TEST_IMAGE: ${{ fromJson(needs.build.outputs.test-image-meta-json).tags[0] }}
         run: |
           docker create --name=unit-test-container "${UNIT_TEST_IMAGE}"
           docker cp unit-test-container:/build/src/Vfps.Tests/coverage ./coverage
@@ -111,7 +65,7 @@ jobs:
           hide_complexity: true
           indicators: true
           output: both
-          thresholds: "60 80"
+          thresholds: "50 50"
 
       - name: Add Coverage PR Comment
         uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
@@ -120,23 +74,8 @@ jobs:
           recreate: true
           path: code-coverage-results.md
 
-      - name: Save container images as tar archives
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          API_IMAGE: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }}
-        run: |
-          docker save "$API_IMAGE" -o /tmp/api-image.tar
-
-      - name: Upload container images
-        if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: container-image-artifacts
-          path: |
-            /tmp/api-image.tar
-
-  test-api-container:
-    name: test api container
+  test-api:
+    name: test api
     runs-on: ubuntu-22.04
     needs:
       - build
@@ -147,21 +86,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
-
-      - name: Download container images
+      - name: Download container image
         if: ${{ github.event_name == 'pull_request' }}
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
-          name: container-image-artifacts
+          name: container-image
           path: /tmp
 
-      - name: Load images
+      - name: Load image
         if: ${{ github.event_name == 'pull_request' }}
         run: |
           ls -lar /tmp
-          docker load --input /tmp/api-image.tar
+          docker load --input /tmp/image.tar
           docker image ls -a
 
       - name: Install grpcurl
@@ -186,7 +122,7 @@ jobs:
 
       - name: Start compose deployment
         env:
-          VFPS_IMAGE_TAG: ${{ needs.build.outputs.api-image-version }}
+          VFPS_IMAGE_TAG: ${{ needs.build.outputs.image-version }}
         run: |
           echo "Using VFPS image tag ${VFPS_IMAGE_TAG}"
           docker compose -f docker-compose.yaml --profile=test up -d
@@ -251,32 +187,32 @@ jobs:
       - name: Checkout
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
-      - name: Download container images
+      - name: Download container image
         if: ${{ github.event_name == 'pull_request' }}
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
-          name: container-image-artifacts
+          name: container-image
           path: /tmp
 
-      - name: Load migrations image
+      - name: Load image
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          docker load --input /tmp/api-image.tar
+          ls -lar /tmp
+          docker load --input /tmp/image.tar
           docker image ls -a
 
       - name: Install .NET
-        uses: actions/setup-dotnet@a351d9ea84bc76ec7508debf02a39d88f8b6c0c0 # tag=v2
+        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # tag=v4.0.0
         with:
-          dotnet-version: "7.0.x"
-          include-prerelease: true
+          dotnet-version: "8.0.x"
 
       - name: Run migrations tests
         env:
-          VFPS_IMAGE_TAG: ${{ needs.build.outputs.api-image-version }}
+          VFPS_IMAGE_TAG: ${{ needs.build.outputs.image-version }}
         run: dotnet test src/Vfps.IntegrationTests --configuration=Release -l "console;verbosity=detailed"
 
-  run-iter8-tests:
-    name: run iter8 tests
+  test-iter8:
+    name: iter8 tests
     runs-on: ubuntu-22.04
     if: ${{ github.event_name == 'pull_request' }}
     needs:
@@ -302,23 +238,24 @@ jobs:
         with:
           cluster_name: kind
 
-      - name: Download container images
+      - name: Download container image
+        if: ${{ github.event_name == 'pull_request' }}
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
-          name: container-image-artifacts
+          name: container-image
           path: /tmp
 
-      - name: Load images into KinD
+      - name: Load image into KinD
         run: |
           # vfps api image
-          kind load image-archive /tmp/api-image.tar
+          kind load image-archive /tmp/image.tar
 
       - name: List images in cluster
         run: docker exec kind-control-plane crictl images
 
       - name: Install vfps
         env:
-          IMAGE_TAG: ${{ needs.build.outputs.api-image-version }}
+          IMAGE_TAG: ${{ needs.build.outputs.image-version }}
         run: |
           helm install \
             --set="image.tag=${IMAGE_TAG}" \
@@ -382,53 +319,19 @@ jobs:
           path: |
             kind-cluster-dump.txt
 
-  sign-images:
-    name: sign images
-    runs-on: ubuntu-22.04
-    if: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - build
-      - test-migrations
-      - test-api-container
+  lint:
+    uses: miracum/.github/.github/workflows/standard-lint.yaml@440b93677bc4fb05548dba758734fa770ddcd754 # v1.4.4
     permissions:
       contents: read
-      id-token: write
-      packages: write
-    steps:
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
-
-      - name: Sign vfps image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-          IMAGES: ${{ needs.build.outputs.api-image-tags }}
-        run: |
-          while read -r image; do
-            echo "Signing '$image' using keyless approach"
-            cosign sign "$image"
-          done <<< "$IMAGES"
-
-  container-provenance:
-    if: ${{ startsWith(github.ref, 'refs/tags/') }}
-    needs:
-      - build
-      - test-migrations
-      - test-api-container
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write
-      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+      pull-requests: write
+      issues: write
+      security-events: write
+      actions: read
     with:
-      image: ${{ needs.build.outputs.api-image-name }}
-      digest: ${{ needs.build.outputs.api-image-digest }}
-      registry-username: ${{ github.actor }}
+      dotnet-version: "8.0.x"
+      enable-verify-base-image-signature: false
+      enable-validate-gradle-wrapper: false
+      codeql-languages: '["csharp"]'
+      enable-codeql: true
     secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      github-token: ${{ secrets.GITHUB_TOKEN }}