[deps]: Lock file maintenance #3031
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: main | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
release: | |
types: | |
- prereleased | |
- released | |
workflow_dispatch: | |
inputs: | |
version: | |
description: Application version to use when publishing the project | |
required: false | |
env: | |
# Setting these variables allows .NET CLI to use rich color codes in console output | |
TERM: xterm | |
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: true | |
# Skip boilerplate output | |
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true | |
DOTNET_NOLOGO: true | |
DOTNET_CLI_TELEMETRY_OPTOUT: true | |
# Note that as much as we'd love to avoid repetitive work, splitting the pipeline into separate jobs | |
# makes it very difficult to share artifacts between them. Even if we succeed, we'll still end up | |
# pushing and pulling gigabytes worth of data, which makes the jobs so much slower that we might as | |
# well just repeat the checkout-restore-build steps instead. | |
# Having a setup that involves separate jobs gives us significant benefits, on the other hand, namely: | |
# - Most of the jobs can run in parallel, which reduces the overall execution time significantly, | |
# despite the repetitive work. | |
# - We can catch more issues this way, for example if the formatting job fails, we can still see the | |
# the test results too. | |
# - If one of the jobs fails due to reasons unrelated to our code (e.g. NuGet server is down), we get | |
# the option to rerun only that job, saving us time. | |
# - It's easier to understand what each job does (and later, read its output) because the scope is much | |
# more narrow. | |
# - We can set permissions on a more granular (per-job) level, which allows us to expose only a few select | |
# steps to more sensitive access scopes. | |
jobs: | |
# Determine version | |
version: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Determine stable version | |
id: stable-version | |
if: ${{ inputs.version || github.event_name == 'release' }} | |
run: | | |
version="${{ inputs.version || github.event.release.tag_name }}" | |
if ! [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then | |
echo "Invalid version: $version" | |
exit 1 | |
fi | |
echo "version=$version" >> $GITHUB_OUTPUT | |
- name: Determine prerelease version | |
id: pre-version | |
run: | | |
hash="${{ github.event.pull_request.head.sha || github.sha }}" | |
echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT | |
outputs: | |
version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }} | |
# Check formatting | |
format: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Install .NET | |
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0 | |
- name: Validate format | |
run: dotnet format --verify-no-changes | |
# Run tests | |
check-test-secrets: | |
name: Check for test secrets | |
runs-on: ubuntu-24.04 | |
outputs: | |
available: ${{ steps.check-test-secrets.outputs.available }} | |
permissions: | |
contents: read | |
steps: | |
- name: Check | |
id: check-test-secrets | |
run: | | |
if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then | |
echo "available=true" >> $GITHUB_OUTPUT; | |
else | |
echo "available=false" >> $GITHUB_OUTPUT; | |
fi | |
test: | |
runs-on: ubuntu-24.04 | |
needs: check-test-secrets | |
permissions: | |
checks: write | |
contents: read | |
pull-requests: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Install .NET | |
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0 | |
- name: Run restore | |
run: dotnet restore | |
- name: Run build | |
run: > | |
dotnet build | |
--no-restore | |
--configuration Release | |
- name: Run tests | |
# The next step will fail if any tests fail, but we still want to publish the results | |
continue-on-error: true | |
run: > | |
dotnet test | |
--no-restore | |
--no-build | |
--configuration Release | |
--logger "trx;LogFileName=pw-test-results.trx" | |
--collect:"XPlat Code Coverage" | |
-- | |
RunConfiguration.CollectSourceInformation=true | |
DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover | |
env: | |
ASPNETCORE_ENVIRONMENT: Development # For Serilog passthrough | |
- name: Report test results | |
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1 | |
if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }} | |
with: | |
name: Test Results | |
path: "**/*-test-results.trx" | |
reporter: dotnet-trx | |
fail-on-error: true | |
- name: Upload to codecov.io | |
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2 | |
if: ${{ needs.check-test-secrets.outputs.available == 'true' }} | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
# Publish the apps | |
pack: | |
needs: version | |
strategy: | |
matrix: | |
app: | |
- Api | |
- AdminConsole | |
runs-on: ubuntu-latest | |
permissions: | |
actions: write | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Install .NET | |
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0 | |
- name: Install NodeJS | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version: lts/* | |
- name: Publish app | |
run: > | |
dotnet publish src/${{ matrix.app }}/ | |
-p:Version=${{ needs.version.outputs.version }} | |
--configuration Release | |
--runtime win-x86 | |
--no-self-contained | |
--output src/${{ matrix.app }}/publish/ | |
- name: Upload artifacts | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
with: | |
name: ${{ matrix.app }} | |
path: src/${{ matrix.app }}/publish/ | |
# Dispatches a separate deployment workflow in a private repository | |
deploy: | |
if: ${{ github.event_name != 'pull_request' }} | |
needs: | |
- version | |
- format | |
- test | |
- pack | |
strategy: | |
matrix: | |
environment: | |
- devtest | |
- qa | |
- prod | |
exclude: | |
# Deploy to QA on pre-releases and stable releases | |
- environment: ${{ !(github.event_name == 'release') && 'qa' }} | |
# Deploy to PROD on stable release only | |
- environment: ${{ !(github.event_name == 'release' && github.event.action == 'released') && 'prod' }} | |
# Deploy to DEVTEST every time | |
runs-on: ubuntu-latest | |
permissions: {} # no permissions required | |
steps: | |
- name: Log in to Azure - CI subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve GitHub PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
- name: Dispatch deployment | |
env: | |
GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} | |
run: > | |
gh workflow run deploy-passwordless-server | |
--repo bitwarden/passwordless-devops | |
--field repository=${{ github.repository }} | |
--field run-id=${{ github.run_id }} | |
--field api-artifact=Api | |
--field admin-console-artifact=AdminConsole | |
--field environment=${{ matrix.environment }} | |
--field version=${{ needs.version.outputs.version }} |