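# CI for the AzAuth module: build once, run the test action on three OSes,
# publish the results, and (for pull requests) exercise workload-identity auth
# against a real tenant using the freshly built module.
name: Build and Test

on:
  # pull_request_target runs in the context of the BASE repository, with its
  # secrets, even for pull requests from forks. That is why every job below
  # `needs` the `authorize` gate before it checks out and runs PR code.
  pull_request_target:
    branches:
      - main
    types:
      - opened
      - synchronize
    paths-ignore:
      - CHANGELOG.md
  push:
    branches:
      - main
    paths-ignore:
      - CHANGELOG.md
      - .github/**

env:
  buildFolderName: output
  buildArtifactName: output
  testResultFolderName: testResults

jobs:
  # Gate job: selects the `external` environment when the PR head repository is
  # not this repository, `internal` otherwise. The gate only protects anything
  # if the `external` environment is configured (in repository settings, not in
  # this file) with required reviewers — confirm that before relying on it.
  # NOTE(review): with this `if`, the job is skipped on push events, and jobs
  # that `needs` a skipped job are skipped too unless their own `if` allows it;
  # the `'internal'` branch of the environment expression is then unreachable.
  # Confirm push builds are not expected to run.
  authorize:
    name: Authorization for Secret Access
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    steps:
      - run: true
    environment:
      ${{ github.event_name == 'pull_request_target' &&
      github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}

  build:
    name: Build Module
    runs-on: ubuntu-latest
    needs:
      - authorize
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the exact commit that triggered the run rather than the
          # branch name: the branch can receive new commits between a reviewer
          # approving the `authorize` gate and this checkout, so pinning to the
          # SHA keeps the reviewed code and the executed code the same. On push
          # events both expressions are empty and checkout uses its defaults.
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          fetch-depth: 0
      # Local action, resolved from the checkout above (i.e. from the PR head).
      - name: 'Build and Package Module'
        uses: ./.github/actions/build

  test:
    name: Test Module
    strategy:
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
    needs:
      - authorize
      - build
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Pinned to the triggering commit for the same reason as in `build`.
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          fetch-depth: 0
      - name: 'Test Module'
        uses: ./.github/actions/test
        with:
          os: ${{ matrix.os }}

  # Runs whether `test` passed or failed so results are always published.
  # It executes the local publish action from the PR head with `checks: write`
  # and `pull-requests: write`, which is what the `authorize` gate guards.
  publish-test-results:
    permissions:
      checks: write
      pull-requests: write
    name: Publish Test Results
    if: success() || failure()
    runs-on: ubuntu-latest
    needs:
      - authorize
      - test
    steps:
      - uses: actions/checkout@v4
        with:
          # Pinned to the triggering commit for the same reason as in `build`.
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          fetch-depth: 0
      - name: 'Publish Test Results'
        uses: ./.github/actions/publish-test-results

  # End-to-end check of Get-AzToken -WorkloadIdentity. This job runs PR-head
  # code with `id-token: write` and the two tenant secrets, so it is PR-only
  # and sits behind the `authorize` gate.
  workload-identity-test:
    if: github.event_name == 'pull_request_target'
    name: Test Workload Identity Auth
    strategy:
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
    needs:
      - authorize
      - build
    permissions:
      id-token: write # This is required for requesting the ID token of the pipeline
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Pinned to the triggering commit for the same reason as in `build`.
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          fetch-depth: 0
      # Artifact name/path come from the workflow-level env; the matching upload
      # presumably happens inside ./.github/actions/build (not visible here).
      - name: Download Build Artifact
        uses: actions/download-artifact@v4
        with:
          name: ${{ env.buildArtifactName }}
          path: ${{ env.buildFolderName }}
      # Requests a GitHub OIDC token for the Azure AD token-exchange audience,
      # hands it to the built module's Get-AzToken, and fails the step if no
      # Azure token comes back (-ErrorAction Stop). Only the success message is
      # written to the log; neither token is echoed. The module path below is
      # hard-coded to match env.buildFolderName.
      - name: Get token
        shell: pwsh
        env:
          TENANT_ID: ${{ secrets.TENANT_ID }}
          CLIENT_ID: ${{ secrets.CLIENT_ID }}
        run: |
          $Url = $env:ACTIONS_ID_TOKEN_REQUEST_URL
          $Params = @{
            'Uri' = "$Url&audience=api://AzureADTokenExchange"
            'Headers' = @{
              'Authorization' = "Bearer $($env:ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
            }
          }
          $OidcTokenResponse = Invoke-RestMethod @Params
          $OidcToken = $OidcTokenResponse.value
          Import-Module ./output/AzAuth
          Get-AzToken -WorkloadIdentity -ExternalToken $OidcToken -TenantId $env:TENANT_ID -ClientId $env:CLIENT_ID -ErrorAction Stop | Out-Null
          Write-Host "Successfully retrieved token for Workload Identity."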