This repository was archived by the owner on Nov 14, 2025. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
241 lines (214 loc) · 8.61 KB
/
dotnet.yml
File metadata and controls
241 lines (214 loc) · 8.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
name: .NET Workflow
on:
push:
branches: [main, develop]
paths-ignore:
["**.md", ".github/ISSUE_TEMPLATE/**", ".github/pull_request_template.md"]
pull_request:
paths-ignore:
["**.md", ".github/ISSUE_TEMPLATE/**", ".github/pull_request_template.md"]
schedule:
- cron: "0 23 * * *" # Daily at 11 PM UTC
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Default permissions
permissions: read-all
env:
DOTNET_VERSION: "9.0" # Only needed for actions/setup-dotnet
jobs:
build:
name: Build, Test & Release
runs-on: windows-latest
timeout-minutes: 15
permissions:
contents: write # For creating releases and committing metadata
packages: write # For publishing packages
outputs:
version: ${{ steps.pipeline.outputs.version }}
release_hash: ${{ steps.pipeline.outputs.release_hash }}
should_release: ${{ steps.pipeline.outputs.should_release }}
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for versioning
fetch-tags: true
lfs: true
submodules: recursive
persist-credentials: true
- name: Setup .NET SDK ${{ env.DOTNET_VERSION }}
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}.x
cache: true
cache-dependency-path: "**/*.csproj"
- name: Run PSBuild Pipeline
id: pipeline
shell: pwsh
env:
GH_TOKEN: ${{ github.token }}
run: |
# Import the PSBuild module
Import-Module ${{ github.workspace }}/scripts/PSBuild.psm1
# Get build configuration
$buildConfig = Get-BuildConfiguration `
-ServerUrl "${{ github.server_url }}" `
-GitRef "${{ github.ref }}" `
-GitSha "${{ github.sha }}" `
-GitHubOwner "${{ github.repository_owner }}" `
-GitHubRepo "${{ github.repository }}" `
-GithubToken "${{ github.token }}" `
-NuGetApiKey "${{ secrets.NUGET_KEY }}" `
-WorkspacePath "${{ github.workspace }}" `
-ExpectedOwner "ktsu-dev" `
-ChangelogFile "CHANGELOG.md" `
-AssetPatterns @("staging/*.nupkg", "staging/*.zip")
if (-not $buildConfig.Success) {
throw $buildConfig.Error
}
# Run the complete CI/CD pipeline
$result = Invoke-CIPipeline `
-BuildConfiguration $buildConfig.Data
if (-not $result.Success) {
Write-Information "CI/CD pipeline failed: $($result.Error)" -Tags "Invoke-CIPipeline"
Write-Information "Stack Trace: $($result.StackTrace)" -Tags "Invoke-CIPipeline"
Write-Information "Build Configuration: $($buildConfig.Data | ConvertTo-Json -Depth 10)" -Tags "Invoke-CIPipeline"
throw $result.Error
}
# Set outputs for GitHub Actions from build configuration
"version=$($buildConfig.Data.Version)" >> $env:GITHUB_OUTPUT
"release_hash=$($buildConfig.Data.ReleaseHash)" >> $env:GITHUB_OUTPUT
"should_release=$($buildConfig.Data.ShouldRelease)" >> $env:GITHUB_OUTPUT
- name: Upload Coverage Report
uses: actions/upload-artifact@v4
if: always()
with:
name: coverage-report
path: ./coverage
retention-days: 7
winget:
name: Update Winget Manifests
needs: build
if: needs.build.outputs.should_release == 'true'
runs-on: windows-latest
timeout-minutes: 10
permissions:
contents: write
steps:
- name: Checkout Release Commit
uses: actions/checkout@v4
with:
ref: ${{ needs.build.outputs.release_hash }}
fetch-depth: 0
- name: Update Winget Manifests
shell: pwsh
env:
GH_TOKEN: ${{ github.token }}
run: |
.\scripts\update-winget-manifests.ps1 -Version "${{ needs.build.outputs.version }}"
- name: Upload Updated Manifests
uses: actions/upload-artifact@v4
with:
name: winget-manifests-${{ needs.build.outputs.version }}
path: winget/*.yaml
retention-days: 30
security:
name: Security Scanning
needs: build
if: needs.build.outputs.should_release == 'true'
runs-on: windows-latest
timeout-minutes: 10
permissions:
id-token: write # For dependency submission
contents: write # For dependency submission
steps:
- name: Checkout Release Commit
uses: actions/checkout@v4
with:
ref: ${{ needs.build.outputs.release_hash }}
- name: Detect Dependencies
uses: advanced-security/component-detection-dependency-submission-action@v0.0.2
SonarQube:
name: SonarQube
needs: build
runs-on: windows-latest
steps:
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: 17
distribution: "zulu" # Alternative distribution options are available.
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
lfs: true
submodules: recursive
persist-credentials: true
token: ${{ github.token }}
- name: Determine Target Commit for Analysis
shell: pwsh
run: |
# Check the context to determine the appropriate commit to analyze
$eventName = "${{ github.event_name }}"
$releaseHash = "${{ needs.build.outputs.release_hash }}"
$shouldRelease = "${{ needs.build.outputs.should_release }}"
Write-Host "Event: $eventName"
Write-Host "Should Release: $shouldRelease"
Write-Host "Release Hash: $releaseHash"
Write-Host "Current commit: $(git rev-parse HEAD)"
if ($eventName -eq "pull_request") {
# For PRs, analyze the merge commit (current HEAD)
# PSBuild can't commit/push in PR context, so release_hash won't be valid
Write-Host "Pull Request build detected. Using PR merge commit for analysis."
Write-Host "Analyzing commit: $(git rev-parse HEAD)"
} elseif ($shouldRelease -eq 'true' -and -not [string]::IsNullOrWhiteSpace($releaseHash)) {
# For release builds on main branch, try to use the release commit
Write-Host "Release build detected. Attempting to checkout release commit: $releaseHash"
# Fetch latest to ensure we have the release commit
git fetch origin
git fetch --tags
# Verify the commit exists before checking out
$commitExists = git cat-file -e "$releaseHash" 2>$null
if ($LASTEXITCODE -eq 0) {
git checkout "$releaseHash"
Write-Host "Successfully checked out release commit: $releaseHash"
} else {
Write-Host "Release commit $releaseHash not found, staying on current commit"
Write-Host "This might indicate the commit/push failed in the build process"
Write-Host "Analyzing current commit: $(git rev-parse HEAD)"
}
} else {
# For non-release builds (develop branch, etc.)
Write-Host "Non-release build detected. Using current commit for analysis."
Write-Host "Analyzing commit: $(git rev-parse HEAD)"
}
- name: Cache SonarQube Cloud packages
uses: actions/cache@v4
with:
path: ~\sonar\cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache SonarQube Cloud scanner
id: cache-sonar-scanner
uses: actions/cache@v4
with:
path: .\.sonar\scanner
key: ${{ runner.os }}-sonar-scanner
restore-keys: ${{ runner.os }}-sonar-scanner
- name: Install SonarQube Cloud scanner
if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
shell: powershell
run: |
New-Item -Path .\.sonar\scanner -ItemType Directory
dotnet tool update dotnet-sonarscanner --tool-path .\.sonar\scanner
- name: Build and analyze
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
shell: powershell
run: |
.\.sonar\scanner\dotnet-sonarscanner begin /k:"${{ github.repository_owner }}_${{ github.event.repository.name }}" /o:"${{ github.repository_owner }}" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
dotnet build
.\.sonar\scanner\dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"