-
Notifications
You must be signed in to change notification settings - Fork 28
261 lines (221 loc) · 8.11 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
name: main
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- prereleased
- released
workflow_dispatch:
inputs:
version:
description: Application version to use when publishing the project
required: false
env:
# Setting these variables allows .NET CLI to use rich color codes in console output
TERM: xterm
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: true
# Skip boilerplate output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_NOLOGO: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
# Note that as much as we'd love to avoid repetitive work, splitting the pipeline into separate jobs
# makes it very difficult to share artifacts between them. Even if we succeed, we'll still end up
# pushing and pulling gigabytes worth of data, which makes the jobs so much slower that we might as
# well just repeat the checkout-restore-build steps instead.
# Having a setup that involves separate jobs gives us significant benefits, on the other hand, namely:
# - Most of the jobs can run in parallel, which reduces the overall execution time significantly,
# despite the repetitive work.
# - We can catch more issues this way, for example if the formatting job fails, we can still see the
# the test results too.
# - If one of the jobs fails due to reasons unrelated to our code (e.g. NuGet server is down), we get
# the option to rerun only that job, saving us time.
# - It's easier to understand what each job does (and later, read its output) because the scope is much
# more narrow.
# - We can set permissions on a more granular (per-job) level, which allows us to expose only a few select
# steps to more sensitive access scopes.
jobs:
# Determine version
version:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Determine stable version
id: stable-version
if: ${{ inputs.version || github.event_name == 'release' }}
run: |
version="${{ inputs.version || github.event.release.tag_name }}"
if ! [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then
echo "Invalid version: $version"
exit 1
fi
echo "version=$version" >> $GITHUB_OUTPUT
- name: Determine prerelease version
id: pre-version
run: |
hash="${{ github.event.pull_request.head.sha || github.sha }}"
echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT
outputs:
version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }}
# Check formatting
format:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Validate format
run: dotnet format --verify-no-changes
# Run tests
check-test-secrets:
name: Check for test secrets
runs-on: ubuntu-24.04
outputs:
available: ${{ steps.check-test-secrets.outputs.available }}
permissions:
contents: read
steps:
- name: Check
id: check-test-secrets
run: |
if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
echo "available=true" >> $GITHUB_OUTPUT;
else
echo "available=false" >> $GITHUB_OUTPUT;
fi
test:
runs-on: ubuntu-24.04
needs: check-test-secrets
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Run restore
run: dotnet restore
- name: Add node_modules/.bin to PATH
run: echo "NODE_PATH=$(pwd)/node_modules/.bin" >> $GITHUB_ENV
- name: Run build
run: >
dotnet build
--no-restore
--configuration Release
- name: Run tests
# The next step will fail if any tests fail, but we still want to publish the results
continue-on-error: true
run: >
dotnet test
--no-restore
--no-build
--configuration Release
--logger "trx;LogFileName=pw-test-results.trx"
--collect:"XPlat Code Coverage"
--
RunConfiguration.CollectSourceInformation=true
DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
env:
ASPNETCORE_ENVIRONMENT: Development # For Serilog passthrough
- name: Report test results
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
with:
name: Test Results
path: "**/*-test-results.trx"
reporter: dotnet-trx
fail-on-error: true
- name: Upload to codecov.io
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
if: ${{ needs.check-test-secrets.outputs.available == 'true' }}
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
# Publish the apps
pack:
needs: version
strategy:
matrix:
app:
- Api
- AdminConsole
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Install NodeJS
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: lts/*
- name: Publish app
run: >
dotnet publish src/${{ matrix.app }}/
-p:Version=${{ needs.version.outputs.version }}
--configuration Release
--runtime win-x86
--no-self-contained
--output src/${{ matrix.app }}/publish/
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ matrix.app }}
path: src/${{ matrix.app }}/publish/
# Dispatches a separate deployment workflow in a private repository
deploy:
if: ${{ github.event_name != 'pull_request' }}
needs:
- version
- format
- test
- pack
strategy:
matrix:
environment:
- devtest
- qa
- prod
exclude:
# Deploy to QA on pre-releases and stable releases
- environment: ${{ !(github.event_name == 'release') && 'qa' }}
# Deploy to PROD on stable release only
- environment: ${{ !(github.event_name == 'release' && github.event.action == 'released') && 'prod' }}
# Deploy to DEVTEST every time
runs-on: ubuntu-latest
permissions: {} # no permissions required
steps:
- name: Log in to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Dispatch deployment
env:
GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
run: >
gh workflow run deploy-passwordless-server
--repo bitwarden/passwordless-devops
--field repository=${{ github.repository }}
--field run-id=${{ github.run_id }}
--field api-artifact=Api
--field admin-console-artifact=AdminConsole
--field environment=${{ matrix.environment }}
--field version=${{ needs.version.outputs.version }}