Skip to content

Bump github/codeql-action from 3.27.7 to 3.27.9 (#2423) #4205

Bump github/codeql-action from 3.27.7 to 3.27.9 (#2423)

Bump github/codeql-action from 3.27.7 to 3.27.9 (#2423) #4205

Workflow file for this run

name: build
on:
push:
branches:
- main
- release/*
tags: [ '*' ]
pull_request:
branches:
- main
- release/*
- dotnet-vnext
workflow_dispatch:
env:
DOTNET_CLI_TELEMETRY_OPTOUT: true
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: 1
NUGET_XMLDOC_MODE: skip
TERM: xterm
permissions:
contents: read
jobs:
build:
name: ${{ matrix.os }}
runs-on: ${{ matrix.os }}
timeout-minutes: 20
outputs:
dotnet-sdk-version: ${{ steps.setup-dotnet.outputs.dotnet-version }}
dotnet-sign-version: ${{ steps.get-dotnet-tools-versions.outputs.dotnet-sign-version }}
dotnet-validate-version: ${{ steps.get-dotnet-tools-versions.outputs.dotnet-validate-version }}
package-names: ${{ steps.build.outputs.package-names }}
package-version: ${{ steps.build.outputs.package-version }}
strategy:
fail-fast: false
matrix:
os: [ windows-latest ]
include:
- os: macos-latest
os_name: macos
- os: ubuntu-latest
os_name: linux
- os: windows-latest
os_name: windows
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Setup .NET SDKs
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: |
6.0.x
- name: Setup .NET SDK
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
id: setup-dotnet
- name: Setup NuGet cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }}
restore-keys: ${{ runner.os }}-nuget-
- name: Build, Test and Package
id: build
shell: pwsh
run: ./build.ps1
- name: Upload Coverage Reports
if: always()
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: coverage-${{ matrix.os_name }}
path: ./artifacts/coverage-reports
if-no-files-found: ignore
- name: Upload coverage to Codecov
if: always() && github.event.repository.fork == false
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
with:
flags: ${{ matrix.os_name }}
token: ${{ secrets.CODECOV_TOKEN }}
- name: Publish NuGet packages
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: packages-${{ matrix.os_name }}
path: ./artifacts/package/release
if-no-files-found: error
- name: Upload signing file list
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.os_name == 'windows'
with:
name: signing-config
path: eng/signing
if-no-files-found: error
- name: Get .NET tools versions
id: get-dotnet-tools-versions
shell: pwsh
run: |
$manifest = (Get-Content "./.config/dotnet-tools.json" | Out-String | ConvertFrom-Json)
$dotnetSignVersion = $manifest.tools.sign.version
$dotnetValidateVersion = $manifest.tools.'dotnet-validate'.version
"dotnet-sign-version=${dotnetSignVersion}" >> $env:GITHUB_OUTPUT
"dotnet-validate-version=${dotnetValidateVersion}" >> $env:GITHUB_OUTPUT
validate-packages:
needs: build
runs-on: ubuntu-latest
steps:
- name: Download packages
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: packages-windows
- name: Setup .NET SDK
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
- name: Validate NuGet packages
shell: pwsh
env:
DOTNET_VALIDATE_VERSION: ${{ needs.build.outputs.dotnet-validate-version }}
run: |
dotnet tool install --global dotnet-validate --version ${env:DOTNET_VALIDATE_VERSION}
$packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }
$invalidPackages = 0
foreach ($package in $packages) {
dotnet validate package local $package
if ($LASTEXITCODE -ne 0) {
$invalidPackages++
}
}
if ($invalidPackages -gt 0) {
Write-Output "::error::$invalidPackages NuGet package(s) failed validation."
exit 1
}
sign:
needs: [ build, validate-packages ]
runs-on: windows-latest
if: |
github.event.repository.fork == false &&
startsWith(github.ref, 'refs/tags/')
steps:
- name: Download unsigned packages
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: packages-windows
path: packages
- name: Download signing configuration
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: signing-config
path: signing-config
- name: Setup .NET SDK
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
- name: Install Sign CLI tool
env:
DOTNET_SIGN_VERSION: ${{ needs.build.outputs.dotnet-sign-version }}
run: dotnet tool install --tool-path . sign --version ${env:DOTNET_SIGN_VERSION}
- name: Sign artifacts
shell: pwsh
env:
AZURE_CLIENT_ID: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }}
AZURE_TENANT_ID: ${{ secrets.SIGN_CLI_TENANT_ID }}
run: |
./sign code azure-key-vault `
**/*.nupkg `
--base-directory "${{ github.workspace }}/packages" `
--file-list "${{ github.workspace }}/signing-config/filelist.txt" `
--application-name "Polly" `
--publisher-name "App vNext" `
--description "Polly" `
--description-url "https://github.com/${{ github.repository }}" `
--azure-key-vault-certificate "${{ secrets.SIGN_CLI_CERT_NAME }}" `
--azure-key-vault-url "${{ secrets.SIGN_CLI_VAULT_URI }}" `
--verbosity "${{ runner.debug == '1' && 'Debug' || 'Warning' }}"
if ($LASTEXITCODE -ne 0) {
Write-Output "::error::Failed to sign NuGet packages"
exit 1
}
- name: Upload signed packages
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: signed-packages
path: packages
if-no-files-found: error
validate-signed-packages:
needs: [ build, sign ]
runs-on: windows-latest
steps:
- name: Download packages
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: signed-packages
- name: Setup .NET SDK
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
- name: Validate NuGet packages
shell: pwsh
env:
DOTNET_VALIDATE_VERSION: ${{ needs.build.outputs.dotnet-validate-version }}
run: |
dotnet tool install --global dotnet-validate --version ${env:DOTNET_VALIDATE_VERSION} --allow-roll-forward
$packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }
$invalidPackages = 0
foreach ($package in $packages) {
dotnet validate package local $package
if ($LASTEXITCODE -ne 0) {
$invalidPackages++
}
}
if ($invalidPackages -gt 0) {
Write-Output "::error::$invalidPackages NuGet package(s) failed validation."
exit 1
}
- name: Checkout vcsjones/AuthenticodeLint
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: AuthenticodeLint
ref: 90dd05293effe918b149c7f8323540b7730c06d2
repository: martincostello/AuthenticodeLint
submodules: recursive
- name: Setup .NET SDK
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
global-json-file: AuthenticodeLint/global.json
- name: Validate signatures
shell: pwsh
run: |
$authlintSource = Join-Path "." "AuthenticodeLint"
$authLintProject = Join-Path $authlintSource "AuthenticodeLint" "AuthenticodeLint.csproj"
$artifacts = Join-Path $authlintSource "artifacts"
$authlint = Join-Path $artifacts "authlint.exe"
dotnet publish $authLintProject `
--configuration Release `
--output $artifacts `
--runtime win-x64 `
--self-contained false `
/p:NoWarn=NU1902
if ($LASTEXITCODE -ne 0) {
throw "Failed to publish AuthenticodeLint."
}
$packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }
if ($packages.Length -eq 0) {
throw "Failed to publish AuthenticodeLint."
}
$invalidPackages = 0
foreach ($package in $packages) {
$packageName = Split-Path $package -Leaf
$extractedNupkg = Join-Path "." "extracted" $packageName
Expand-Archive -Path $package -DestinationPath $extractedNupkg -Force
$dlls = Get-ChildItem -Path $extractedNupkg -Filter "*.dll" -Recurse | ForEach-Object { $_.FullName }
$invalidDlls = 0
foreach ($dll in $dlls) {
$authlintProcess = Start-Process -FilePath $authlint -ArgumentList @("-in", $dll, "-verbose") -PassThru
$authlintProcess.WaitForExit()
if ($authlintProcess.ExitCode -ne 0) {
Write-Output "::warning::$dll in NuGet package $package failed signature validation."
$invalidDlls++
} else {
Write-Output "$dll in NuGet package $package has a valid signature."
}
}
if ($invalidDlls -gt 0) {
$invalidPackages++
} else {
Write-Output "All $($dlls.Length) DLLs in NuGet package $package have valid signatures."
}
dotnet nuget verify $package
if ($LASTEXITCODE -ne 0) {
Write-Output "::warning::$package failed signature validation."
$invalidPackages++
} else {
Write-Output "$package has a valid signature."
}
}
if ($invalidPackages -gt 0) {
Write-Output "::error::$invalidPackages NuGet package(s) failed signature validation."
throw "One or more NuGet packages failed signature validation."
} else {
Write-Output "All $($packages.Length) NuGet packages have valid signatures."
}
publish-nuget:
needs: [ build, validate-signed-packages ]
runs-on: ubuntu-latest
steps:
- name: Download signed packages
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: signed-packages
- name: Setup .NET SDK
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
- name: Push signed NuGet packages to NuGet.org
run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json
- name: Generate GitHub application token
id: generate-application-token
uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0
with:
application_id: ${{ secrets.POLLY_UPDATER_BOT_APP_ID }}
application_private_key: ${{ secrets.POLLY_UPDATER_BOT_KEY }}
permissions: 'contents:write'
- name: Publish nuget_packages_published
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
event-type: nuget_packages_published
token: ${{ steps.generate-application-token.outputs.token }}
client-payload: |-
{
"packages": "${{ needs.build.outputs.package-names }}",
"version": "${{ needs.build.outputs.package-version }}"
}