Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 11 additions & 6 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,14 @@ env:
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
MINVERBUILDMETADATA: build.${{ github.run_id }}.${{ github.run_attempt}}
# On pull requests — especially from forks, where GitHub forces the token to
# read-only — this workflow needs no secrets and only read access: it builds,
# tests, and uploads .trx artifacts. Test results are published by a separate
# workflow (test-report.yml, triggered via workflow_run) that runs in the
# base-repo context with checks:write. The only secret is used by the main-only
# Push to MyGet step. CI does not use OIDC, so no id-token. See issue #1172.
permissions:
id-token: write
contents: read
Comment thread
Copilot marked this conversation as resolved.
checks: write
jobs:
build:
runs-on: windows-latest
Expand All @@ -35,13 +39,14 @@ jobs:
- name: Build and Test
run: ./Build.ps1
shell: pwsh
- name: Report Test Results
uses: dorny/test-reporter@v1.9.1
- name: Upload Test Results
# Publishing happens in test-report.yml, which downloads this artifact.
uses: actions/upload-artifact@v4
if: success() || failure()
with:
name: Test Results (Windows)
name: test-results-Windows
path: '**/TestResults/**/*.trx'
reporter: dotnet-trx
if-no-files-found: ignore
- name: Get package version
id: version
shell: pwsh
Expand Down
36 changes: 36 additions & 0 deletions .github/workflows/test-report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: Test Report

# Publishes test results for runs of the CI workflow, including pull requests
# from forks. The CI workflow itself runs with a read-only token (GitHub forces
# this for fork PRs) and only uploads the .trx files as artifacts. This workflow
# is triggered by workflow_run, so it runs in the *base repository* context with
# a writable token and can call the Checks API to publish inline reports.
# See issue #1172.

on:
workflow_run:
workflows: [CI]
types:
- completed

permissions:
contents: read
actions: read
checks: write

jobs:
report:
runs-on: ubuntu-latest
steps:
- name: Publish Test Results
uses: dorny/test-reporter@v1.9.1
with:
# Download every test-results-* artifact from the triggering CI run and
# publish one check per platform, e.g. "Test Results (Windows)".
artifact: /test-results-(.*)/
name: Test Results ($1)
path: '**/*.trx'
reporter: dotnet-trx
# A build that fails before producing any .trx shouldn't make this
# report red; the CI run already reflects that failure.
fail-on-empty: 'false'
Loading