-
-
Notifications
You must be signed in to change notification settings - Fork 51
120 lines (100 loc) · 3.96 KB
/
release-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
name: Build + Deploy to GHCR
on:
release:
types: [published]
permissions:
contents: read
env:
DOTNET_NOLOGO: true # Disable the .NET logo in the console output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
name: Test Build
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
with:
egress-policy: block
allowed-endpoints: >
api.nuget.org:443
dotnetbuilds.azureedge.net:443
dotnetcli.azureedge.net:443
dotnetcli.blob.core.windows.net:443
github.com:443
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
fetch-depth: 0
- name: Setup .Net
uses: actions/setup-dotnet@4d4a70f4a5b2a5a5329f13be4ac933f2c9206ac0
with:
dotnet-version: 6.0.x
- name: Restore Dependencies
run: dotnet restore src/CodeCoverageSummary.sln
- name: Build CodeCoverageSummary
run: dotnet build src/CodeCoverageSummary.sln --configuration Release --no-restore
- name: Test with sample file
run: dotnet src/CodeCoverageSummary/bin/Release/net6.0/CodeCoverageSummary.dll --files **/coverage.*.xml --badge true
deploy:
name: Deploy to GHCR
needs: [build]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # Used for identity challenge with sigstore/fulcio
steps:
- name: Harden Runner
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
api.nuget.org:443
auth.docker.io:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
mcr.microsoft.com:443
pipelines.actions.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
registry-1.docker.io:443
storage.googleapis.com:443
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
with:
cosign-release: 'v1.9.0'
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325
- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build + Push Docker image
id: build-and-push
uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Sign the Docker image digest
# Uses the identity token to provision an ephemeral certificate against the community Fulcio instance
# https://github.com/sigstore/cosign
- name: Sign the Docker image
env:
COSIGN_EXPERIMENTAL: "true"
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}