Merge pull request #4643 from LuckyPennySoftware/ci/fork-safe-test-re… #1664
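# CI workflow: builds and tests on Linux and Windows, uploads .trx test
# results as artifacts, and (on main only) code-signs and publishes the
# packages produced by the Windows job.
name: CI

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key.
on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

env:
  # Quoted so the runner receives the literal strings "true" rather than
  # YAML booleans (GitHub stringifies them anyway; this makes it explicit).
  DOTNET_NOLOGO: "true"
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"
  # Build metadata for versioning; run_attempt keeps re-runs distinguishable.
  MINVERBUILDMETADATA: build.${{ github.run_id }}.${{ github.run_attempt}}

# On pull requests — especially from forks, where GitHub forces the token to
# read-only — this workflow needs no secrets and no write access: it only builds,
# tests, and uploads .trx artifacts. Test results are published by a separate
# workflow (test-report.yml, triggered via workflow_run) that runs in the
# base-repo context with checks:write. The only steps that touch secrets/OIDC are
# the main-only signing and publishing steps in build-windows, which is the sole
# job granted id-token: write (scoped at the job level below). See issue #4642.
permissions:
  contents: read

# One in-flight run per PR (or per ref for pushes). NOTE(review): because
# cancel-in-progress also applies to pushes to main, a quick follow-up push can
# cancel a run that is part-way through signing/publishing; consider
# `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` if a
# half-published release is a concern.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  build:
    # No matrix is defined, so fail-fast currently has no effect; kept for
    # when one is added.
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): actions are pinned to mutable tags; pinning each
        # `uses:` to a full commit SHA (tag noted in a trailing comment)
        # removes the tag-retargeting supply-chain risk. Applies to every
        # `uses:` in this file.
        uses: actions/checkout@v4.2.0
        with:
          # Full history — presumably so MinVer can derive the version from
          # tags; confirm against Build.ps1.
          fetch-depth: 0
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: |
            8.0.x
            9.0.x
            10.0.x
      - name: Build and Test
        run: ./Build.ps1
        shell: pwsh
      - name: Upload Test Results
        # Publishing happens in test-report.yml, which downloads this artifact.
        # Runs on test failure too so failing results are still reported;
        # a cancelled run uploads nothing.
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: test-results-Linux
          path: artifacts/**/*.trx
          if-no-files-found: ignore

  build-windows:
    needs: build
    # id-token:write is required only for the main-only Azure OIDC login used to
    # code-sign packages. Granting it here (not at the workflow level) keeps it
    # off the Linux build job and the default for any future jobs.
    permissions:
      id-token: write
      contents: read
    # No matrix is defined, so fail-fast currently has no effect.
    strategy:
      fail-fast: false
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4.2.0
        with:
          # Full history — presumably for tag-based versioning; see the
          # Linux job.
          fetch-depth: 0
      - name: Azure Login via OIDC
        # Only needed to sign and publish packages on main. Skipped on PRs,
        # where the Azure secrets aren't available (and are empty on forks).
        if: github.ref == 'refs/heads/main'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: |
            8.0.x
            9.0.x
            10.0.x
      - name: Install NuGetKeyVaultSignTool
        run: dotnet tool install --global NuGetKeyVaultSignTool
        shell: pwsh
      - name: Build and Test
        run: ./Build.ps1
        shell: pwsh
      - name: Upload Test Results
        # Publishing happens in test-report.yml, which downloads this artifact.
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: test-results-Windows
          path: artifacts/**/*.trx
          if-no-files-found: ignore
      - name: Sign packages
        # Signing uses the Azure Key Vault login above; only runs on main.
        if: github.ref == 'refs/heads/main'
        # Secrets are passed through env rather than interpolated with ${{ }}
        # into the script text: the values are then never part of the script
        # source, and PowerShell quoting of the values is no longer a concern.
        env:
          AZURE_KEYVAULT_URI: ${{ secrets.AZURE_KEYVAULT_URI }}
          CODESIGN_CERT_NAME: ${{ secrets.CODESIGN_CERT_NAME }}
        shell: pwsh
        # Get-ChildItem here is non-recursive: only packages directly under
        # ./artifacts are signed — confirm that is where Build.ps1 writes them.
        run: |-
          foreach ($f in Get-ChildItem "./artifacts" -Filter "*.nupkg") {
            NuGetKeyVaultSignTool sign $f.FullName --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-managed-identity --azure-key-vault-url $env:AZURE_KEYVAULT_URI --azure-key-vault-certificate $env:CODESIGN_CERT_NAME
          }
      - name: Push to MyGet
        # NOTE(review): the step name says MyGet but NUGET_URL points at
        # feedz.io — confirm which feed is current and rename accordingly.
        if: github.ref == 'refs/heads/main'
        env:
          NUGET_URL: https://f.feedz.io/lucky-penny-software/automapper/nuget/index.json
          NUGET_API_KEY: ${{ secrets.FEEDZIO_ACCESS_TOKEN }}
        run: ./Push.ps1
        shell: pwsh
      - name: Artifacts
        # Unconditional (success only): everything under artifacts/, including
        # the signed packages on main.
        uses: actions/upload-artifact@v4
        with:
          name: artifacts
          path: artifacts/**/*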