-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #620 from Particular/actions-8
GitHub Actions - release-8.2
- Loading branch information
Showing
9 changed files
with
331 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| name: CI | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| - release-[8-9].* | ||
| - release-1[0-9].* | ||
| pull_request: | ||
| branches-ignore: | ||
| - release-[0-7].* | ||
| pull_request_target: | ||
| branches-ignore: | ||
| - release-[0-7].* | ||
| workflow_dispatch: | ||
| env: | ||
| DOTNET_NOLOGO: true | ||
| jobs: | ||
| build: | ||
| if: | ||
| (github.event_name == 'pull_request_target' && github.event.pull_request.user.login == 'dependabot[bot]') || | ||
| (github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]') || | ||
| github.event_name == 'push' || github.event_name == 'workflow_dispatch' | ||
| name: ${{ matrix.name }} | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - os: windows-2019 | ||
| name: Windows | ||
| - os: ubuntu-20.04 | ||
| name: Linux | ||
| fail-fast: false | ||
| steps: | ||
| - name: Check for secrets | ||
| env: | ||
| SECRETS_AVAILABLE: ${{ secrets.SECRETS_AVAILABLE }} | ||
| shell: pwsh | ||
| run: exit $(If ($env:SECRETS_AVAILABLE -eq 'true') { 0 } Else { 1 }) | ||
| - name: Checkout | ||
| if: github.event_name != 'pull_request_target' | ||
| uses: actions/[email protected] | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Checkout for Dependabot | ||
| if: github.event_name == 'pull_request_target' | ||
| uses: actions/[email protected] | ||
| with: | ||
| ref: 'refs/pull/${{ github.event.number }}/merge' | ||
| fetch-depth: 0 | ||
| - name: Setup .NET SDK | ||
| uses: actions/[email protected] | ||
| with: | ||
| dotnet-version: 5.0.x | ||
| - name: Setup .NET Core 3.1 runtime | ||
| uses: actions/[email protected] | ||
| with: | ||
| dotnet-version: 3.1.x | ||
| - name: Build | ||
| run: dotnet build src --configuration Release | ||
| - name: Upload packages | ||
| if: runner.os == 'Windows' | ||
| uses: actions/[email protected] | ||
| with: | ||
| name: NuGet packages | ||
| path: nugets/ | ||
| retention-days: 7 | ||
| - name: Azure login | ||
| uses: azure/[email protected] | ||
| with: | ||
| creds: ${{ secrets.AZURE_ACI_CREDENTIALS }} | ||
| - name: Setup storage accounts | ||
| id: infra | ||
| shell: pwsh | ||
| run: | | ||
| $rand = Get-Random | ||
| $accountname1 = "pswasq$($rand)a" | ||
| $accountname2 = "pswasq$($rand)b" | ||
| echo "::set-output name=accountname1::$accountname1" | ||
| echo "::set-output name=accountname2::$accountname2" | ||
| echo "Creating storage account #1" | ||
| $details1 = az storage account create --name $accountname1 --resource-group GitHubActions-RG --sku Standard_LRS | ConvertFrom-Json | ||
| echo "Creating storage account #2" | ||
| $details2 = az storage account create --name $accountname2 --resource-group GitHubActions-RG --sku Standard_LRS | ConvertFrom-Json | ||
| echo "Getting account access keys" | ||
| $keys1 = az storage account keys list --account-name $accountname1 --resource-group GitHubActions-RG | ConvertFrom-Json | ||
| $keys2 = az storage account keys list --account-name $accountname2 --resource-group GitHubActions-RG | ConvertFrom-Json | ||
| $key1 = $keys1[0].value | ||
| $key2 = $keys2[0].value | ||
| echo "::add-mask::$key1" | ||
| echo "::add-mask::$key2" | ||
| echo "Tagging storage accounts" | ||
| $dateTag = "Created=$(Get-Date -Format "yyyy-MM-dd")" | ||
| $ignore = az tag create --resource-id $details1.id --tags Package=ASQTransport RunnerOS=${{ runner.os }} $dateTag | ||
| $ignore = az tag create --resource-id $details2.id --tags Package=ASQTransport RunnerOS=${{ runner.os }} $dateTag | ||
| $connectString1 = "DefaultEndpointsProtocol=https;AccountName=$accountname1;AccountKey=$key1" | ||
| $connectString2 = "DefaultEndpointsProtocol=https;AccountName=$accountname2;AccountKey=$key2" | ||
| echo "AzureStorageQueueTransport_ConnectionString=$connectString1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append | ||
| echo "AzureStorageQueueTransport_ConnectionString_2=$connectString2" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append | ||
| - name: Run Windows tests | ||
| if: runner.os == 'Windows' | ||
| run: dotnet test src --configuration Release --no-build -m:1 --logger "GitHubActions;report-warnings=false" | ||
| - name: Run Linux tests | ||
| if: runner.os == 'Linux' | ||
| run: dotnet test src --configuration Release --no-build -m:1 --framework netcoreapp3.1 --logger "GitHubActions;report-warnings=false" | ||
| - name: Teardown storage accounts | ||
| if: ${{ always() }} | ||
| shell: pwsh | ||
| run: | | ||
| $ignore = az storage account delete --resource-group GitHubActions-RG --name ${{ steps.infra.outputs.accountname1 }} --yes | ||
| $ignore = az storage account delete --resource-group GitHubActions-RG --name ${{ steps.infra.outputs.accountname2 }} --yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| name: Release | ||
| on: | ||
| push: | ||
| tags: | ||
| - '[8-9].[0-9]+.[0-9]+' | ||
| - '[8-9].[0-9]+.[0-9]+-*' | ||
| - '1[0-9].[0-9]+.[0-9]+' | ||
| - '1[0-9].[0-9]+.[0-9]+-*' | ||
| env: | ||
| DOTNET_NOLOGO: true | ||
| jobs: | ||
| release: | ||
| runs-on: windows-2019 # Code signing requirement https://github.com/NuGet/Home/issues/7939 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Parse repo name | ||
| run: | | ||
| $FullName = "$env:GITHUB_REPOSITORY" | ||
| $Org,$RepoName = $FullName.Split('/') | ||
| echo "PARTICULAR_REPO_NAME=$RepoName" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | ||
| shell: pwsh | ||
| - name: Setup .NET SDK | ||
| uses: actions/[email protected] | ||
| with: | ||
| dotnet-version: 5.0.x | ||
| - name: Build | ||
| run: dotnet build src --configuration Release | ||
| - name: Get signing cert | ||
| run: | | ||
| [IO.File]::WriteAllBytes("signing-cert.pfx", [Convert]::FromBase64String("${{ secrets.NUGET_SIGNING_CERT_BASE64 }}")) | ||
| shell: pwsh | ||
| - name: Setup NuGet for signing | ||
| uses: nuget/[email protected] | ||
| - name: Sign NuGet Packages | ||
| run: nuget sign nugets\*.nupkg -CertificatePath signing-cert.pfx -Timestamper "http://timestamp.digicert.com/?alg=sha256" -NonInteractive | ||
| shell: pwsh | ||
| - name: Publish artifacts | ||
| uses: actions/[email protected] | ||
| with: | ||
| name: nugets | ||
| path: nugets/* | ||
| retention-days: 1 | ||
| - name: Install Octopus CLI | ||
| uses: OctopusDeploy/[email protected] | ||
| with: | ||
| version: latest | ||
| - name: Create Octopus Package | ||
| run: | | ||
| # Creating the expected file layout for the Octopus package, including intermediate directories | ||
| mkdir -p packaging/content | ||
| # Octopus expects NuGet packages to have an extra .nzip extension for NuGet, .czip for Chocolatey | ||
| $nugets = Get-ChildItem -Path "./nugets/*.nupkg" | ||
| foreach ($file in $nugets) { | ||
| cp $file "./packaging/content/$($file.Name).nzip" | ||
| } | ||
| # Octopus Deploy scripts need an executable file to recreate this metadata | ||
| @" | ||
| `$Branch = "${{env.GitVersion_BranchName}}" | ||
| `$Version = "${{env.GitVersion_LegacySemVer}}" | ||
| `$Product = "${{env.PARTICULAR_REPO_NAME}}" | ||
| `$Major = "${{env.GitVersion_Major}}" | ||
| `$Minor = "${{env.GitVersion_Minor}}" | ||
| `$Commit = "${{env.GitVersion_Sha}}" | ||
| "@ > packaging/Metadata.ps1 | ||
| # Create the Octopus package | ||
| octo pack --id="${{env.PARTICULAR_REPO_NAME}}.Deploy" --version="${{env.GitVersion_SemVer}}" --format="nupkg" --basePath="packaging" --outFolder="octopus-package" | ||
| shell: pwsh | ||
| - name: Publish Octopus Package Artifacts | ||
| uses: actions/[email protected] | ||
| with: | ||
| name: octopus-package | ||
| path: octopus-package/* | ||
| retention-days: 1 | ||
| - name: Push package to Octopus Deploy | ||
| uses: OctopusDeploy/[email protected] | ||
| with: | ||
| server: https://deploy.particular.net | ||
| api_key: ${{ secrets.OCTOPUS_DEPLOY_API_KEY }} | ||
| packages: octopus-package/${{env.PARTICULAR_REPO_NAME}}.Deploy.${{env.GitVersion_SemVer}}.nupkg | ||
| - name: Create Octopus Deploy release | ||
| uses: OctopusDeploy/[email protected] | ||
| with: | ||
| server: https://deploy.particular.net | ||
| api_key: ${{ secrets.OCTOPUS_DEPLOY_API_KEY }} | ||
| project: ${{env.PARTICULAR_REPO_NAME}} | ||
| release_number: ${{env.GitVersion_SemVer}} | ||
| package_version: ${{env.GitVersion_SemVer}} | ||
| package: "GitReleaseManager:0.11.0" | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| name: Virus scan | ||
| on: | ||
| release: | ||
| types: [published] | ||
| jobs: | ||
| virus-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Install ClamAV | ||
| id: installClamAV | ||
| run: | | ||
| sudo apt-get update && sudo apt-get install clamav | ||
| clamVersion=$(clamscan --version) | ||
| echo $clamVersion | ||
| echo "CLAMAV_VERSION=$clamVersion" >> $GITHUB_ENV | ||
| - name: Update virus signature database | ||
| run: | | ||
| sudo systemctl stop clamav-freshclam | ||
| sudo freshclam | ||
| sudo systemctl start clamav-freshclam | ||
| - name: Get release | ||
| uses: actions/[email protected] | ||
| id: getRelease | ||
| with: | ||
| github-token: ${{secrets.RELEASE_ANTIVIRUS_GITHUB_ACCESS_TOKEN_PBOT4}} | ||
| script: | | ||
| const fs = require('fs'); | ||
| await io.mkdirP('github-release-assets'); | ||
| let release = await github.repos.getReleaseByTag({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| tag: '${{ github.event.release.name }}' | ||
| }); | ||
| core.exportVariable('RELEASE_ID', release.data.id); | ||
| core.exportVariable('RELEASE_BODY', release.data.body); | ||
| core.exportVariable('RELEASE_HTML_URL', release.data.html_url); | ||
| for (const assetInfo of release.data.assets) { | ||
| let asset = await github.request(assetInfo.browser_download_url); | ||
| await fs.writeFile('github-release-assets/' + assetInfo.name, Buffer.from(asset.data), () => {}); | ||
| } | ||
| let zipball = await github.request(release.data.zipball_url); | ||
| await fs.writeFile('github-release-assets/source.zip', Buffer.from(zipball.data), () => {}); | ||
| let tarball = await github.request(release.data.tarball_url); | ||
| await fs.writeFile('github-release-assets/source.tar.gz', Buffer.from(tarball.data), () => {}); | ||
| - name: Run ClamAV | ||
| # Don't automatically fail on first non-zero return code by skipping -e parameter | ||
| # May highlight as error but docs say is valid: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell | ||
| shell: "/usr/bin/bash {0}" | ||
| run: | | ||
| sudo clamscan --infected github-release-assets/ > scan-results.log | ||
| echo "CLAMAV_RETURN_CODE=$?" >> $GITHUB_ENV | ||
| exit 0; | ||
| - name: Notify Slack on viruses detected | ||
| if: ${{ env.CLAMAV_RETURN_CODE == '1' }} | ||
| uses: 8398a7/[email protected] | ||
| with: | ||
| username: ClamAV Virus Scanning Workflow | ||
| status: failure | ||
| text: "ClamAV has detected a virus in the release at ${{ env.RELEASE_HTML_URL }}" | ||
| author_name: "" | ||
| fields: repo,ref,action,commit,author | ||
| icon_emoji: ":biohazard_sign:" | ||
| env: | ||
| SLACK_WEBHOOK_URL: ${{ secrets.RELEASE_ANTIVIRUS_SLACK_WEBHOOK_URL }} | ||
| - name: Update release notes | ||
| if: ${{ always() }} | ||
| uses: actions/[email protected] | ||
| with: | ||
| github-token: ${{secrets.RELEASE_ANTIVIRUS_GITHUB_ACCESS_TOKEN_PBOT4}} | ||
| script: | | ||
| const { CLAMAV_VERSION, CLAMAV_RETURN_CODE, RELEASE_ID, RELEASE_BODY } = process.env; | ||
| const fs = require('fs'); | ||
| let status = 'No viruses detected'; | ||
| if (CLAMAV_RETURN_CODE === '1') { | ||
| status = 'Virus(es) detected'; | ||
| } else if (CLAMAV_RETURN_CODE === '2') { | ||
| status = 'Scanning error occurred'; | ||
| } | ||
| fs.readFile('scan-results.log', { encoding: 'utf8' }, (err, fileText) => { | ||
| console.log(fileText); | ||
| let releaseBody = RELEASE_BODY + '\n\n<details><summary><b>🛡 ClamAV virus scan results: ' + | ||
| status + '</b></summary>\n\n```\nVersion: ' + CLAMAV_VERSION + | ||
| '\nScan Date: ' + new Date().toUTCString() + '\n' + fileText + '\n```\n\n</details>'; | ||
| github.repos.updateRelease({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| release_id: RELEASE_ID, | ||
| body: releaseBody | ||
| }); | ||
| }); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.