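---
# CI workflow for the Verifiable .NET solution: builds and tests on three
# platforms, produces an SBOM and coverage reports, packs NuGet packages and
# (in the later jobs) publishes them to GitHub Packages and nuget.org.
name: Verifiable .NET build

on:
  workflow_dispatch:
  # NOTE(review): only pushes to main start the workflow, while the prerelease
  # job is conditioned on refs/heads/develop; confirm that develop pushes are
  # meant to rely on workflow_dispatch only.
  push:
    branches:
      - main
  pull_request:
    paths-ignore:
      - "**.md"
  release:
    types:
      - published
  schedule:
    # A daily build to check all is still functioning.
    - cron: "0 0 * * *"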
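env:
  # This environment variable is checked in tests.
  # For TPM either a Windows simulator or a platform TPM is used.
  # Tests check that platform TPM tests must be run on Windows or Linux,
  # MacOS tests are skipped.
  # Quoted so the value reaches the tests as the literal string "true"
  # irrespective of how a YAML loader treats bare booleans.
  USE_PLATFORM_TPM: "true"
  DOTNET_ENVIRONMENT: CI
  BUILD_CONFIGURATION: Release
  # .NET CLI opt-outs for telemetry and first-run output on the runners.
  DOTNET_CLI_TELEMETRY_OPTOUT: "true"
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"
  DOTNET_NOLOGO: "true"
  NUGET_XMLDOC_MODE: skip
  # Package cache location; the cache step below keys on this path.
  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
  NUGET_FEED: https://api.nuget.org/v3/index.json
  GITHUB_USER: ${{ github.repository_owner }}
  GITHUB_FEED: https://nuget.pkg.github.com/lumoin/
  # These are the Nuget packages that will be packed and uploaded.
  VERIFIABLE: Verifiable
  VERIFIABLE_BOUNCYCASTLE: Verifiable.BouncyCastle
  VERIFIABLE_CORE: Verifiable.Core
  VERIFIABLE_DECENTRALIZEDWEBNODE: Verifiable.DecentralizedWebNode
  VERIFIABLE_JWT: Verifiable.Jwt
  VERIFIABLE_NSEC: Verifiable.NSec
  VERIFIABLE_MICROSOFT: Verifiable.Microsoft
  VERIFIABLE_SIDETREE: Verifiable.Sidetree
  VERIFIABLE_TPM: Verifiable.Tpm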
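jobs:
  build:
    runs-on: ${{ matrix.os }}
    # Least-privilege GITHUB_TOKEN for this job: it reads the repository and,
    # on pull requests, posts the coverage summary comment. Every other scope
    # is left at none.
    permissions:
      contents: read
      pull-requests: write
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - name: Harden Runner
        if: ${{ matrix.os == 'ubuntu-latest' }}
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            aka.ms:443
            api.github.com:443
            api.nuget.org:443
            dashboard.stryker-mutator.io:443
            dotnetcli.azureedge.net:443
            github.com:443
      # Windows builds may have insufficient resource limits, so they're increased.
      - name: Configure Windows Pagefile
        if: ${{ matrix.os == 'windows-latest' }}
        uses: al-cheb/configure-pagefile-action@86589fd789a4de3e62ba628dda2cb10027b66d67
        with:
          minimum-size: 8GB
          maximum-size: 32GB
          disk-root: "D:"
      # This needs to run always. Only when there is a problem that could
      # be because of system changes.
      # - name: Windows system information
      #   if: ${{ matrix.os == 'windows-latest' }}
      #   run: Get-ComputerInfo
      # - name: Get Windows TPM information
      #   if: ${{ matrix.os == 'windows-latest' }}
      #   run: Get-Tpm
      # This follows instructions at https://wiki.ubuntu.com/TPM/Testing.
      # - name: Install Linux TPM 2.0 module (tpm2-abrmd)
      #   if: ${{ matrix.os == 'ubuntu-latest' }}
      #   run: |
      #     sudo apt-get update
      #     sudo apt-get install tpm2-abrmd
      #     sudo apt-get install libtss2-tcti-tabrmd-dev
      # - name: Check Linux TPM 2.0 module functionality
      #   if: ${{ matrix.os == 'ubuntu-latest' }}
      #   run: |
      #     sudo service tpm2-abrmd start
      #     sudo tpm2-abrmd --tcti=mssim --allow-root --logger=stdout
      - name: Checkout code
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          # NOTE(review): a depth-2 clone fetches no tags on branch pushes, so
          # the "git describe --tags" fallback in the version step will usually
          # resolve to 0.0.1 outside release events; confirm that is intended.
          fetch-depth: 2
      - name: Cache Nuget packages '${{ matrix.os }}'
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
        with:
          path: ${{ env.NUGET_PACKAGES }}
          # Keyed on the lock files so a dependency change invalidates the cache.
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
          restore-keys: |
            ${{runner.os}}-nuget-
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3
        with:
          global-json-file: global.json
      - name: Install dependencies
        # --locked-mode fails the restore if the resolved graph differs from
        # packages.lock.json, so dependencies cannot drift silently in CI.
        run: dotnet restore --locked-mode
      - name: Restore local tools
        run: dotnet tool restore
      - name: Add Problem Matcher for dotnet-format
        uses: xt0rted/dotnet-format-problem-matcher@b90c4f18e3daa4f8fd266e41eba4f351b2e00b75
      # - name: Run dotnet format
      #   run: dotnet format --check
      # There may a difference in libraries between platforms.
      - name: Run BOM analysis
        run: dotnet CycloneDX Verifiable.sln --json --out ${{ github.workspace }}/bom/${{ matrix.os }}/
      # Uploading BOM does not seem to succeed at the moment...
      - name: Upload Verifiable JSON SBOM
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
        with:
          name: Verifiable BOM report
          path: ${{ github.workspace }}/bom/${{ matrix.os }}/bom.json
      # The version numbers are determined and set here so it can be set appropriately to code and NuGet packages.
      # See explanation at https://dusted.codes/github-actions-for-dotnet-core-nuget-packages.
      - name: Set NuGet packages and suffix version
        run: |
          # Bash script to determine the version and version suffix for CI/CD
          # Use git to find the latest tag; if none are found, default to "0.0.1".
          latestTag=$(git describe --tags --abbrev=0 2>/dev/null || echo 0.0.1)
          # Case 1: A release is being created.
          # Extract the version from the tag and add a suffix with the short SHA.
          if [[ $GITHUB_EVENT_NAME == 'release' ]]; then
            # Extract the version number from the release tag and remove any 'v' prefix.
            arrTag=(${GITHUB_REF//\// })
            VERSION="${arrTag[2]}"
            VERSION="${VERSION//v}"
            # Set PACKAGE_VERSION and VERSION, and add a VERSION_SUFFIX for clarity in identifying the release and commit.
            echo "PACKAGE_VERSION=${VERSION}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
            echo "VERSION=${VERSION}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
          # Case 2: The 'develop' branch.
          # Use the latestTag as the base version and add a suffix with "develop", the run_id, and the short SHA.
          elif [[ $GITHUB_REF == 'refs/heads/develop' ]]; then
            # Set PACKAGE_VERSION and PACKAGE, and add a VERSION_SUFFIX for clarity in identifying the development build, run, and commit.
            echo "PACKAGE_VERSION=${latestTag//v}-develop.${GITHUB_RUN_ID}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
            echo "PACKAGE=${latestTag//v}-develop.${GITHUB_RUN_ID}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
            echo "VERSION=${latestTag//v}-develop.${GITHUB_RUN_ID}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
          # Case 3: Any other build (e.g., feature branches).
          # Use the latestTag as the base version and add a suffix with "build", the run_id, and the short SHA.
          else
            # Set PACKAGE_VERSION and VERSION, and add a VERSION_SUFFIX for clarity in identifying the build, run, and commit.
            echo "PACKAGE_VERSION=${latestTag//v}-build.${GITHUB_RUN_ID}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
            echo "VERSION=${latestTag//v}-build.${GITHUB_RUN_ID}+${GITHUB_SHA::7}" >> "$GITHUB_ENV"
          fi
        shell: bash
      - name: Print NuGet packages version
        run: |
          echo "PACKAGE_VERSION: ${{ env.PACKAGE_VERSION }}"
          echo "VERSION: ${{ env.VERSION }}"
        shell: bash
      - name: Build
        # At the moment Verifiable.Tests cannot be built with -isolate alone due to Coverlet.
        run: dotnet build --binaryLogger --graphBuild -isolate:MessageUponIsolationViolation --configuration ${{ env.BUILD_CONFIGURATION }} --no-restore -property:ContinuousIntegrationBuild=true /p:Version=${{ env.VERSION }}
        timeout-minutes: 5
      # - name: Set PR markdown title name
      #   run: |
      #     echo "title=Test Run (${{ github.run_number }})" >> $GITHUB_ENV
      #     echo "file_name=TestReport.${{ github.run_number }}.md" >> $GITHUB_ENV
      #   shell: bash
      # MacOS is skipped at the moment due to issues with some .NET crypto libraries.
      # Until tests are a fixed a bit.
      - name: Test
        if: runner.os != 'macOS'
        # See the difference on drivers and paths at https://github.com/microsoft/vstest/issues/2378 and further
        # here on generating the reports.
        # run: dotnet test --verbosity normal --no-restore --no-build --configuration ${{ env.BUILD_CONFIGURATION }} -property:CollectCoverage=true -property:CoverletOutputFormat=cobertura -property:DeterministicSourcePaths=true -property:IncludeTestAssembly=true -property:CoverletOutput='${{ github.workspace }}/reports/coverage/'
        run: dotnet test --collect:"XPlat Code Coverage" --verbosity normal --no-restore --no-build --configuration ${{ env.BUILD_CONFIGURATION }} --logger JUnit -property:DeterministicSourcePaths=true -property:IncludeTestAssembly=true --results-directory '${{ github.workspace }}/reports/coverage/'
        timeout-minutes: 5
      # Mutation tests skipped for now due to CI limits and temporarily reduced test coverage...
      # This either requires cd to test directory or --solution-path Verifiable.sln (which may not work).
      # - name: Stryker.NET mutation Tests for Verifiable.Core.csproj
      #   if: ${{ matrix.os == 'ubuntu-latest' }}
      #   run: dotnet stryker --config-file stryker-config.json --reporter progress --reporter html --reporter dashboard --dashboard-api-key ${{ secrets.STRYKER_API_KEY }} --project Verifiable.Core.csproj
      #   timeout-minutes: 15
      # - name: Upload Stryker output artefacts
      #   if: ${{ matrix.os == 'ubuntu-latest' }}
      #   uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
      #   with:
      #     name: 'Stryker output artefacts'
      #     path: ${{ github.workspace }}/StrykerOutput/
      # - name: Publish
      #   run: dotnet publish -c Release --verbosity normal -o ./publish/
      # - name: Archive publish results
      #   uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
      #   with:
      #     name: Verifiable.Benchmarks
      #     path: ./publish/*
      # - name: Run Benchmarks
      #   run: dotnet "./publish/Verifiable.Benchmarks.dll" -f "Verifiable.Benchmarks.*"
      # - name: Upload benchmark results
      #   uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
      #   with:
      #     name: Benchmark_Results
      #     path: ./BenchmarkDotNet.Artifacts/results/*
      # This step is run always (e.g. also for non-PRs) so the results can be inspected on the command line too.
      - name: ReportGenerator
        if: ${{ matrix.os == 'ubuntu-latest' }}
        # If not using MSBuild driver but the VSTest one, the files need to be explicitly found due to randomized path segmenets.
        # See more at https://github.com/microsoft/vstest/issues/2378.
        # run: dotnet reportgenerator -assemblyfilters:'-xunit*' -reports:'${{ github.workspace }}/reports/coverage/coverage.cobertura.xml' -targetdir:'${{ github.workspace }}/reports/coverage/' -reporttypes:'HtmlInline;Cobertura;MarkdownSummary'
        run: dotnet reportgenerator -assemblyfilters:'-xunit*' -reports:`find ${{ github.workspace }}/reports/coverage/ -name coverage.cobertura.xml` -targetdir:'${{ github.workspace }}/reports/coverage/' -reporttypes:'HtmlInline;Cobertura;MarkdownSummary'
      # - name: Publish coverage report
      #   if: ${{ matrix.os == 'ubuntu-latest' }}
      #   uses: 5monkeys/cobertura-action@master
      #   with:
      #     path: '${{ github.workspace }}/reports/coverage/Cobertura.xml'
      #     repo_token: ${{ secrets.GITHUB_TOKEN }}
      #     minimum_coverage: 75
      # NOTE(review): on pull requests from forks GITHUB_TOKEN is read-only, so
      # this comment step may fail there; the dependabot exclusion does not
      # cover that case.
      - name: Publish coverage summary
        if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd
        with:
          header: Report
          path: '${{ github.workspace }}/reports/coverage/Summary.md'
          recreate: true
      - name: Create test summary
        if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
        uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f
        with:
          paths: '${{ github.workspace }}/reports/coverage/TestResults.xml'
          # output: '${{ github.workspace }}/${{ env.file_name }}'
      # - name: Comment PR with the generated test Markdown
      #   if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
      #   uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd
      #   with:
      #     path: ${{ env.file_name }}
      # - name: Upload PR build information artefact
      #   if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
      #   uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
      #   with:
      #     name: 'Test Run'
      #     path: ${{ github.workspace }}/${{ env.file_name }}
      # - name: Comment PR with the generated test Markdown
      #   if: ${{ matrix.os == 'ubuntu-latest' }}
      #   uses: machine-learning-apps/pr-comment@78e77cd435e0f9706512ea294d846058ae46f7ff
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #   with:
      #     path: ${{ env.file_name }}
      - name: Pack Nuget files
        if: ${{ matrix.os == 'ubuntu-latest' }}
        run: |
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE/$VERIFIABLE.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_BOUNCYCASTLE/$VERIFIABLE_BOUNCYCASTLE.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:NoWarn=NU5104 -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_CORE/$VERIFIABLE_CORE.csproj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_DECENTRALIZEDWEBNODE/$VERIFIABLE_DECENTRALIZEDWEBNODE.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_JWT/$VERIFIABLE_JWT.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:NoWarn=NU5104 -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_NSEC/$VERIFIABLE_NSEC.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_MICROSOFT/$VERIFIABLE_MICROSOFT.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_SIDETREE/$VERIFIABLE_SIDETREE.*proj
          dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_TPM/$VERIFIABLE_TPM.*proj
      - name: Upload Verifiable Nuget packages
        if: ${{ matrix.os == 'ubuntu-latest' }}
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: nupkg
          path: |
            ./src/${{ env.VERIFIABLE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_BOUNCYCASTLE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_CORE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_DECENTRALIZEDWEBNODE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_JWT }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_NSEC }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_MICROSOFT }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_SIDETREE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
            ./src/${{ env.VERIFIABLE_TPM }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg
  # The release idea is inspired by https://dusted.codes/github-actions-for-dotnet-core-nuget-packages.
  prerelease:
    permissions:
      # Needed by "dotnet nuget push" to publish to GitHub Packages; all
      # other GITHUB_TOKEN scopes are none for this job.
      packages: write
    needs: build
    if: ${{ github.ref == 'refs/heads/develop' && github.repository_owner == 'lumoin' }}
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            aka.ms:443
            api.github.com:443
            api.nuget.org:443
            dashboard.stryker-mutator.io:443
            dotnetcli.azureedge.net:443
            github.com:443
            nuget.pkg.github.com:443
      - name: Download NuGet artifacts
        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
        with:
          name: nupkg
      - name: Push to GitHub developer feed
        # The token is handed to the command through the environment rather
        # than expanded into the script text.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: dotnet nuget push "**/*.nupkg" --source "$GITHUB_FEED" --api-key "$GITHUB_TOKEN" --skip-duplicate
  deploy:
    permissions:
      # Needed by "dotnet nuget push" to publish to GitHub Packages; all
      # other GITHUB_TOKEN scopes are none for this job.
      packages: write
    needs: build
    if: ${{ github.event_name == 'release' && github.repository_owner == 'lumoin' }}
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          disable-sudo: true
          # NOTE(review): audit only logs egress, unlike the block policy used
          # by the other jobs; the push endpoints below are already listed, so
          # confirm whether block can be used here too.
          egress-policy: audit
          allowed-endpoints: >
            aka.ms:443
            api.github.com:443
            api.nuget.org:443
            dashboard.stryker-mutator.io:443
            dotnetcli.azureedge.net:443
            github.com:443
            nuget.pkg.github.com:443
      - name: Download NuGet artifacts
        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
        with:
          name: nupkg
      - name: Push to GitHub developer feed
        # Secrets are passed through the environment rather than expanded into
        # the script text (same pattern for the nuget.org push below).
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: dotnet nuget push "**/*.nupkg" --source "$GITHUB_FEED" --api-key "$GITHUB_TOKEN" --skip-duplicate
      - name: Push to NuGet feed
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
        run: dotnet nuget push "**/*.nupkg" --source "$NUGET_FEED" --api-key "$NUGET_API_KEY" --skip-duplicate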