-
Notifications
You must be signed in to change notification settings - Fork 11
221 lines (186 loc) · 6.94 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
name: main
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- published
env:
# Setting these variables allows .NET CLI to use rich color codes in console output
TERM: xterm
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: true
# Skip boilerplate output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_NOLOGO: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
# Note that as much as we'd love to avoid repetitive work, splitting the pipeline into separate jobs
# makes it very difficult to share artifacts between them. Even if we succeed, we'll still end up
# pushing and pulling gigabytes worth of data, which makes the jobs so much slower that we might as
# well just repeat the checkout-restore-build steps instead.
# Having a setup that involves separate jobs gives us significant benefits, on the other hand, namely:
# - Most of the jobs can run in parallel, which reduces the overall execution time significantly,
# despite the repetitive work.
# - We can catch more issues this way, for example if the formatting job fails, we can still see the
# the test results too.
# - If one of the jobs fails due to reasons unrelated to our code (e.g. NuGet server is down), we get
# the option to rerun only that job, saving us time.
# - It's easier to understand what each job does (and later, read its output) because the scope is much
# more narrow.
# - We can set permissions on a more granular (per-job) level, which allows us to expose only a few select
# steps to more sensitive access scopes.
jobs:
# Determine version
version:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Determine stable version
id: stable-version
if: ${{ github.event_name == 'release' }}
run: |
if ! [[ "${{ github.event.release.tag_name }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then
echo "Invalid version: ${{ github.event.release.tag_name }}"
exit 1
fi
echo "version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
- name: Determine prerelease version
id: pre-version
if: ${{ github.event_name != 'release' }}
run: |
hash="${{ github.event.pull_request.head.sha || github.sha }}"
echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT
outputs:
version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }}
# Check formatting
format:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Validate format
run: dotnet format --verify-no-changes
# Run tests
test:
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
# Windows runners don't support Linux Docker containers (needed for tests),
# so we currently cannot run tests on Windows.
# - windows-latest
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Run restore
run: dotnet restore
- name: Run build
run: >
dotnet build
--no-restore
--configuration Release
- name: Run tests
run: >
dotnet test
--no-restore
--no-build
--configuration Release
${{ runner.os == 'Windows' && '-p:IncludeNetCoreAppTargets=false' || '' }}
--logger "GitHubActions;summary.includePassedTests=true;summary.includeSkippedTests=true"
--collect:"XPlat Code Coverage"
--
RunConfiguration.CollectSourceInformation=true
DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
- name: Upload coverage
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
# Pack the output into NuGet packages
pack:
needs: version
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Run restore
run: dotnet restore
- name: Run build
run: >
dotnet build
--no-restore
--configuration Release
-p:ContinuousIntegrationBuild=true
- name: Run pack
run: >
dotnet pack
-p:Version=${{ needs.version.outputs.version }}
-p:ContinuousIntegrationBuild=true
--no-restore
--no-build
--configuration Release
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: packages
path: "**/*.nupkg"
# Dispatch a separate deployment workflow in a private repository
deploy:
# Remove this if we end up adding more environments than just NuGet
if: ${{ github.event_name == 'release' }}
needs:
- version
- format
- test
- pack
strategy:
matrix:
environment:
- nuget
# - myget
exclude:
# Exclude NuGet if not triggered by a release event
# https://stackoverflow.com/questions/65384420/how-do-i-make-a-github-action-matrix-element-conditional
- environment: ${{ github.event_name != 'release' && 'nuget' }}
runs-on: ubuntu-latest
permissions: {} # no permissions required
steps:
- name: Log in to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Dispatch deployment
env:
GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
run: >
gh workflow run deploy-passwordless-dotnet
--repo bitwarden/passwordless-devops
--field repository=${{ github.repository }}
--field run-id=${{ github.run_id }}
--field artifact=packages
--field environment=${{ matrix.environment }}
--field version=${{ needs.version.outputs.version }}