Merge pull request #123 from microsoft/users/edwinlantigua/code-secur… #802

Workflow file for this run

	#### Build, Test, and Publish ####
	# This is the main workflow for the CoseSignTool project. It handles the following events:
	# - Pull requests: When a user submits a pull request, or pushes a commit to an existing pull request, this workflow
	# - generates a changelog and commits it to the working branch, and then
	# - builds and tests the code.
	# - Pushes to the main branch: When a user pushes a commit to the main branch, this workflow
	# - creates a semantically versioned tag,
	# - creates a release with the new tag, and then
	# - triggers the release portion of the workflow.
	# - Releases: When a user creates a release, or a release is created in response to a push event, this workflow
	# - builds, publishes, and zips the outputs, and then
	# - uploads the zipped assets to the release.
	name: Build, Test, and Publish
	on:
	pull_request:
	branches: [ "*" ] # Trigger on all branches for pull requests.
	push:
	branches: [ "main" ] # Trigger on pushes to the main branch.
	release:
	types: [ created ] # Trigger on new releases.

	jobs:

	#### PULL REQUEST EVENTS ####

	# Build and test the code.
	build:
	name: build-${{matrix.os}}
	if: ${{ github.event_name == 'pull_request' }}
	runs-on: ${{ matrix.os }}
	strategy:
	matrix:
	include:
	- os: windows-latest
	dir_command: gci -Recurse
	- os: ubuntu-latest
	dir_command: ls -a -R
	- os: macos-latest
	dir_command: ls -a -R
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Setup .NET
	uses: actions/setup-dotnet@v3
	with:
	dotnet-version: 8.0.x

	# Use the Dotnet Test command to load dependencies, build, and test the code.
	# We have to run the test projects individually so CoseSignTool.Tests can run under arm64 on the Mac runner.
	- name: Build and Test debug
	id: build-test
	run: \|
	dotnet build --configuration Debug CoseSignTool.sln
	dotnet test --no-restore CoseSign1.Tests/CoseSign1.Tests.csproj
	dotnet test --no-restore CoseSign1.Certificates.Tests/CoseSign1.Certificates.Tests.csproj
	dotnet test --no-restore CoseSign1.Headers.Tests/CoseSign1.Headers.Tests.csproj
	dotnet test --no-restore CoseIndirectSignature.Tests/CoseIndirectSignature.Tests.csproj
	dotnet test --no-restore CoseHandler.Tests/CoseHandler.Tests.csproj
	dotnet test --no-restore CoseSignTool.Tests/CoseSignTool.Tests.csproj

	# List the contents of the working directory to make sure all the artifacts are there.
	- name: List working directory
	run: ${{ matrix.dir_command }}

	# Create a changelog that includes all the PRs merged since the last release.
	# If it's not a pull request, skip to the build job.
	create_changelog:
	needs: [ build ] # Wait here so we don't create any race conditions.
	runs-on: ubuntu-latest
	permissions:
	actions: write
	contents: write
	deployments: write
	packages: write
	pull-requests: write
	security-events: write
	statuses: write
	steps:
	# Checkout the working branch.
	- name: Checkout code
	if: ${{ github.event_name == 'pull_request' }}
	uses: actions/checkout@v2

	# Sync the changelog version.
	- name: Fetch and checkout
	if: ${{ github.event_name == 'pull_request' }}
	run: \|
	git config --local user.email "[email protected]"
	git config --local user.name "GitHub Action"
	echo "Fetch from repository."
	git fetch
	echo "Undo any user changes to CHANGELOG.md. This is needed because the user's copy becomes obsolete after every checkin."
	git reset -- CHANGELOG.md
	echo "Checkout the working branch."
	git checkout $GITHUB_HEAD_REF

	# Generate the new changelog.
	- name: Generate changelog
	if: ${{ github.event_name == 'pull_request' }}
	uses: tj-actions/[email protected]
	with:
	output: CHANGELOG.md
	token: ${{ secrets.GITHUB_TOKEN }}

	# Commit the changelog.
	- name: Commit changelog
	if: ${{ github.event_name == 'pull_request' }}
	run: \|
	git add CHANGELOG.md
	if git diff-index --quiet HEAD; then
	echo "No changes were logged."
	else
	git commit --allow-empty -m "Update changelog for release"
	git push
	fi

	# Print default message if changelog is not updated.
	- name: Print exit message when changelog is not updated
	if: ${{ github.event_name != 'pull_request' }}
	run: echo "Changelog is already up to date."

	#### PUSH EVENTS ####

	# Create a semantically versioned release.
	# A prerelease is created for every push to the main branch.
	# Official releases are created manually on GitHub.
	create_release:
	name: Create Release
	if: ${{ github.event_name == 'push' \|\| github.event_name == 'release'}}
	runs-on: ubuntu-latest
	permissions:
	actions: write
	contents: write
	deployments: write
	packages: write
	pull-requests: write
	security-events: write
	statuses: write
	outputs:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	tag_name: ${{ steps.output_tag_name.outputs.tag_name }}
	steps:

	# Checkout the main branch and fetch tags.
	- name: Checkout code
	if: ${{ github.event_name == 'push' }}
	uses: actions/checkout@v3

	# Checkout the main branch so we can see the correct tag set.
	- name: Fetch and checkout main
	if: ${{ github.event_name == 'push' }}
	run: \|
	git config --local user.email "[email protected]"
	git config --local user.name "GitHub Action"
	git fetch
	git checkout main

	# Create a semantically versioned tag that increments the last release.
	# If the last release is a pre-release, increment the pre-release number, so v1.2.3-pre4 becomes v1.2.3-pre5.
	# If the last release is an official release, create a new pre-release, so v1.2.3 becomes v1.2.3-pre1.
	- name: Increment pre-release tag
	if: ${{ github.event_name == 'push' }}
	id: new-tag # Output: ${{ steps.new-tag.outputs.newtag }}
	run: \|
	CURRENT_TAG=$(git tag \| sort --version-sort \| tail -n1)
	echo "Current tag is $CURRENT_TAG"
	if [[ $CURRENT_TAG =~ ^v([0-9]+\.[0-9]+\.[0-9]+)(-pre([0-9]+))?$ ]]; then
	BASE_VERSION=${BASH_REMATCH[1]}
	PRE_VERSION=${BASH_REMATCH[3]}
	if [ -z "$PRE_VERSION" ]; then
	NEW_TAG="v$BASE_VERSION-pre1"
	else
	NEW_TAG="v$BASE_VERSION-pre$((PRE_VERSION + 1))"
	fi
	echo "New tag is $NEW_TAG"

	echo "Let's make sure this tag doesn't already exist..."
	tries=0
	maxTries=5
	while true; do
	echo "This is try $tries"
	RESPONSE=$(curl -sl https://api.github.com/repos/microsoft/CoseSignTool/releases/tags/$NEW_TAG)
	if [ "$(echo "$RESPONSE" \| jq -r '.message')" == "Not Found" ]; then
	echo "Tag not found. We're good to go."
	break
	else
	if [ $tries -ge $maxTries ]; then
	echo "Max tries reached. Exiting."
	exit 1
	fi
	echo "Oops! That tag already exists!"
	NEW_TAG="${NEW_TAG%-}-pre$(( ${NEW_TAG##-pre} + 1 ))" # Increment the prerelease number.
	echo "Let's try $NEW_TAG"
	tries=$((tries+1))
	fi
	done

	echo "::set-output name=newtag::$NEW_TAG"
	else
	echo "Invalid tag format"
	exit 1
	fi

	# Create the release. This should generate a release event, which will trigger the release_assets job.
	- name: Create Release
	if: ${{ github.event_name == 'push' }}
	id: create_release
	uses: actions/create-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	# Get the tag name and release name from the previous step.
	tag_name: ${{ steps.new-tag.outputs.newtag }}
	release_name: Release ${{ steps.new-tag.outputs.newtag }}

	# Generate release text from changelog.
	body_path: ./CHANGELOG.md

	# Always use prerelease for automated releases. Official releases are created manually.
	prerelease: true

	# Output the semver tag if it's a push event, or the most recent tag if it's a release event.
	- name: Output tag name
	id: output_tag_name
	run: \|
	if [ "${{ github.event_name }}" == "push" ]; then
	echo "::set-output name=tag_name::${{ steps.new-tag.outputs.newtag }}"
	echo "Generated semver tag is ${{ steps.new-tag.outputs.newtag }}."
	else
	echo "::set-output name=tag_name::${{ github.event.release.tag_name }}"
	echo "Current release tag is ${{ github.event.release.tag_name }}."
	fi

	#### RELEASE EVENTS ####

	# Build, publish, and zip the outputs, and then upload them to the release.
	# We include the push event and the dependency on create_release to support automatic releases, because
	# automatic release creation does not trigger the release event.
	release_assets:
	name: release-assets
	if: ${{ github.event_name == 'release' \|\| github.event_name == 'push'}}
	needs: [ create_release ]
	runs-on: ${{ matrix.os }}
	permissions:
	actions: write
	contents: write
	deployments: write
	packages: write
	pull-requests: write
	security-events: write
	statuses: write
	strategy:
	matrix:
	include:
	- os: windows-latest
	dir_command: gci -Recurse
	zip_command_debug: Compress-Archive -Path ./debug/ -DestinationPath CoseSignTool-Windows-debug.zip
	zip_command_release: Compress-Archive -Path ./release/ -DestinationPath CoseSignTool-Windows-release.zip
	- os: ubuntu-latest
	dir_command: ls -a -R
	zip_command_debug: zip -r CoseSignTool-Linux-debug.zip ./debug/
	zip_command_release: zip -r CoseSignTool-Linux-release.zip ./release/
	- os: macos-latest
	dir_command: ls -a -R
	zip_command_debug: zip -r CoseSignTool-MacOS-debug.zip ./debug/
	zip_command_release: zip -r CoseSignTool-MacOS-release.zip ./release/

	steps:
	# Checkout the branch.
	- name: Checkout code again
	uses: actions/checkout@v3

	# Build and publish the binaries to ./published.
	- name: Publish outputs
	run: \|
	VERSION=${{ needs.create_release.outputs.tag_name }}
	dotnet publish --configuration Debug --self-contained true --output published/debug --property:FileVersion=$VERSION CoseSignTool/CoseSignTool.csproj
	dotnet publish --configuration Release --self-contained true --output published/release --property:FileVersion=$VERSION CoseSignTool/CoseSignTool.csproj
	# Self-contained is needed. Must use .csproj instead of .sln.
	# Ideally we should also verify in the Build and Test job, but that will require pre-caulculating the version number and either
	# Running build and test separately because we can't pass the version number to dotnet test, or
	# Setting the version number dynamically in the csproj files, using <FileVersion>$(VersionBin)</FileVersion>
	shell: bash

	# List the contents of the published directory to make sure all the artifacts are there.
	- name: List published directory
	run: ${{ matrix.dir_command }}
	working-directory: ./published

	# Verify that the file versions on the DLLs match the release version
	- name: Check File Version
	run: \|
	$file = Get-Item "CoseSignTool.dll"
	$version = $file.VersionInfo.FileVersion
	Write-Output "File Version is $version"
	shell: pwsh
	working-directory: ./published/debug

	# Copy the docs, license, and markdown files to the release folders.
	- name: Copy docs to release folders
	run: \|
	mkdir -p published/debug/docs
	cp -r docs/* published/debug/docs/
	mkdir -p published/release/docs
	cp -r docs/* published/release/docs/
	cp -r LICENSE published/debug/
	cp -r LICENSE published/release/
	cp -r *.md published/debug/
	cp -r *.md published/release/

	# Create zip files for release.
	- name: Create zip files for the release
	run: \|
	${{ matrix.zip_command_debug }}
	${{ matrix.zip_command_release }}
	working-directory: ./published

	# List the contents of the published directory to make sure all the artifacts are there.
	- name: List published directory
	run: ${{ matrix.dir_command }}
	working-directory: ./published

	# Upload the zipped assets to the release.
	- name: Upload artifacts
	uses: svenstaro/upload-release-action@v2
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	file: ./published/CoseSignTool-*.zip
	file_glob: true
	overwrite: true
	tag: ${{ needs.create_release.outputs.tag_name }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #123 from microsoft/users/edwinlantigua/code-secur… #802

Workflow file

Merge pull request #123 from microsoft/users/edwinlantigua/code-secur… #802

Jobs

Run details

Workflow file for this run