Verifiable .NET build #1325
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verifiable .NET build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| paths-ignore: | |
| - "**.md" | |
| release: | |
| types: | |
| - published | |
| schedule: | |
| # A daily build to check all is still functioning. | |
| - cron: "0 0 * * *" | |
| env: | |
| # This environment variable is checked in tests. | |
| # For TPM either a Windows simulator or a platform TPM is used. | |
| # Tests check that platform TPM tests must be run on Windows or Linux, | |
| # MacOS tests are skipped. | |
| USE_PLATFORM_TPM: true | |
| DOTNET_ENVIRONMENT: CI | |
| BUILD_CONFIGURATION: Release | |
| DOTNET_CLI_TELEMETRY_OPTOUT: true | |
| DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true | |
| DOTNET_NOLOGO: true | |
| NUGET_XMLDOC_MODE: skip | |
| NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages | |
| NUGET_FEED: https://api.nuget.org/v3/index.json | |
| GITHUB_USER: ${{ github.repository_owner }} | |
| GITHUB_FEED: https://nuget.pkg.github.com/lumoin/ | |
| # These are the Nuget packages that will be packed and uploaded. | |
| VERIFIABLE: Verifiable | |
| VERIFIABLE_BOUNCYCASTLE: Verifiable.BouncyCastle | |
| VERIFIABLE_CORE: Verifiable.Core | |
| VERIFIABLE_DECENTRALIZEDWEBNODE: Verifiable.DecentralizedWebNode | |
| VERIFIABLE_NSEC: Verifiable.NSec | |
| VERIFIABLE_SECURITY_WINDOWS: Verifiable.Security.Windows | |
| VERIFIABLE_SIDETREE: Verifiable.Sidetree | |
| VERIFIABLE_TPM: Verifiable.Tpm | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-latest, windows-latest, macos-latest ] | |
| steps: | |
| # Windows builds may have insufficient resource limits, so they're increased. | |
| - name: Harden Runner | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| aka.ms:443 | |
| api.github.com:443 | |
| api.nuget.org:443 | |
| dashboard.stryker-mutator.io:443 | |
| dotnetcli.azureedge.net:443 | |
| github.com:443 | |
| - name: Configure Windows Pagefile | |
| if: ${{ matrix.os == 'windows-latest' }} | |
| uses: al-cheb/configure-pagefile-action@86589fd789a4de3e62ba628dda2cb10027b66d67 | |
| with: | |
| minimum-size: 8GB | |
| maximum-size: 32GB | |
| disk-root: "D:" | |
| # This needs to run always. Only when there is a problem that could | |
| # be because of system changes. | |
| # - name: Windows system information | |
| # if: ${{ matrix.os == 'windows-latest' }} | |
| # run: Get-ComputerInfo | |
| # - name: Get Windows TPM information | |
| # if: ${{ matrix.os == 'windows-latest' }} | |
| # run: Get-Tpm | |
| # This follows instructions at https://wiki.ubuntu.com/TPM/Testing. | |
| # - name: Install Linux TPM 2.0 module (tpm2-abrmd) | |
| # if: ${{ matrix.os == 'ubuntu-latest' }} | |
| # run: | | |
| # sudo apt-get update | |
| # sudo apt-get install tpm2-abrmd | |
| # sudo apt-get install libtss2-tcti-tabrmd-dev | |
| #- name: Check Linux TPM 2.0 module functionality | |
| # if: ${{ matrix.os == 'ubuntu-latest' }} | |
| # run: | | |
| # sudo service tpm2-abrmd start | |
| # sudo tpm2-abrmd --tcti=mssim --allow-root --logger=stdout | |
| - name: Checkout code | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
| with: | |
| fetch-depth: 2 | |
| - name: Cache Nuget packages '${{ matrix.os }}' | |
| uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 | |
| with: | |
| path: ${{ env.NUGET_PACKAGES }} | |
| key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} | |
| restore-keys: | | |
| ${{runner.os}}-nuget- | |
| - name: Setup .NET 7.* SDK | |
| uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a | |
| with: | |
| dotnet-version: '7.*' | |
| - name: Install dependencies | |
| run: dotnet restore --locked-mode | |
| - name: Restore local tools | |
| run: dotnet tool restore | |
| - name: Add Problem Matcher for dotnet-format | |
| uses: xt0rted/dotnet-format-problem-matcher@b90c4f18e3daa4f8fd266e41eba4f351b2e00b75 | |
| # - name: Run dotnet format | |
| # run: dotnet format --check | |
| # There may a difference in libraries between platforms. | |
| - name: Run BOM analysis | |
| run: dotnet CycloneDX Verifiable.sln --json --out ${{ github.workspace }}/bom/${{ matrix.os }}/ | |
| - name: Upload Verifiable JSON SBOM | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce | |
| with: | |
| name: Verifiable BOM report | |
| path: ${{ github.workspace }}/bom/${{ matrix.os }}/bom.json | |
| # The version numbers are determined and set here so it can be set appropriately to code and NuGet packages. | |
| # See explanation at https://dusted.codes/github-actions-for-dotnet-core-nuget-packages. | |
| - name: Set NuGet packages and suffix version | |
| run: | | |
| if [[ $GITHUB_EVENT_NAME == 'release' ]]; then | |
| arrTag=(${GITHUB_REF//\// }) | |
| VERSION="${arrTag[2]}" | |
| VERSION="${VERSION//v}-${GITHUB_SHA::7}" | |
| echo "PACKAGE_VERSION=$VERSION" >> "$GITHUB_ENV" | |
| echo "VERSION=$VERSION" >> "$GITHUB_ENV" | |
| echo "VERSION_SUFFIX=$VERSION-release" >> "$GITHUB_ENV" | |
| elif [[ $GITHUB_REF == 'refs/heads/develop' ]]; then | |
| echo "PACKAGE_VERSION=0.0.0.1-${GITHUB_SHA::7}-develop" >> "$GITHUB_ENV" | |
| echo "PACKAGE=0.0.0.1" >> "$GITHUB_ENV" | |
| echo "VERSION_SUFFIX=${GITHUB_SHA::7}-develop" >> "$GITHUB_ENV" | |
| else | |
| echo "PACKAGE_VERSION=0.0.0.1-${GITHUB_SHA::7}-dev" >> "$GITHUB_ENV" | |
| echo "VERSION=0.0.0.1" >> "$GITHUB_ENV" | |
| echo "VERSION_SUFFIX=${GITHUB_SHA::7}-dev" >> "$GITHUB_ENV" | |
| fi | |
| shell: bash | |
| - name: Print NuGet packages version | |
| run: echo $PACKAGE_VERSION | |
| shell: bash | |
| - name: Print version | |
| run: echo $VERSION-$VERSION_SUFFIX | |
| shell: bash | |
| - name: Build | |
| # The flag /p:Version=$NUGET_VERSION is not used here. The versions are adjusted manually on individual component basis. | |
| run: dotnet build --configuration ${{ env.BUILD_CONFIGURATION }} --no-restore -property:ContinuousIntegrationBuild=true /p:Version=${{ env.VERSION }}-${{ env.VERSION_SUFFIX }} | |
| timeout-minutes: 5 | |
| # - name: Set PR markdown title name | |
| # run: | | |
| # echo "title=Test Run (${{ github.run_number }})" >> $GITHUB_ENV | |
| # echo "file_name=TestReport.${{ github.run_number }}.md" >> $GITHUB_ENV | |
| # shell: bash | |
| - name: Test | |
| # See the difference on drivers and paths at https://github.com/microsoft/vstest/issues/2378 and further | |
| # here on generating the reports. | |
| # run: dotnet test --verbosity normal --no-restore --no-build --configuration ${{ env.BUILD_CONFIGURATION }} -property:CollectCoverage=true -property:CoverletOutputFormat=cobertura -property:DeterministicSourcePaths=true -property:IncludeTestAssembly=true -property:CoverletOutput='${{ github.workspace }}/reports/coverage/' | |
| run: dotnet test --collect:"XPlat Code Coverage" --verbosity normal --no-restore --no-build --configuration ${{ env.BUILD_CONFIGURATION }} --logger JUnit -property:DeterministicSourcePaths=true -property:IncludeTestAssembly=true --results-directory '${{ github.workspace }}/reports/coverage/' | |
| timeout-minutes: 5 | |
| # This either requires cd to test directory or --solution-path Verifiable.sln (which may not work). | |
| - name: Stryker.NET mutation Tests for Verifiable.Core.csproj | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| run: dotnet stryker --config-file stryker-config.json --reporter progress --reporter html --reporter dashboard --dashboard-api-key ${{ secrets.STRYKER_API_KEY }} --project Verifiable.Core.csproj | |
| timeout-minutes: 15 | |
| - name: Upload Stryker output artefacts | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce | |
| with: | |
| name: 'Stryker output artefacts' | |
| path: ${{ github.workspace }}/StrykerOutput/ | |
| # - name: Publish | |
| # run: dotnet publish -c Release --verbosity normal -o ./publish/ | |
| # - name: Archive publish results | |
| # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| # with: | |
| # name: Verifiable.Benchmarks | |
| # path: ./publish/* | |
| # - name: Run Benchmarks | |
| # run: dotnet "./publish/Verifiable.Benchmarks.dll" -f "Verifiable.Benchmarks.*" | |
| # - name: Upload benchmark results | |
| # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| # with: | |
| # name: Benchmark_Results | |
| # path: ./BenchmarkDotNet.Artifacts/results/* | |
| # This step is run always (e.g. also for non-PRs) so the results can be inspected on the command line too. | |
| - name: ReportGenerator | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| # If not using MSBuild driver but the VSTest one, the files need to be explicitly found due to randomized path segmenets. | |
| # See more at https://github.com/microsoft/vstest/issues/2378. | |
| # run: dotnet reportgenerator -assemblyfilters:'-xunit*' -reports:'${{ github.workspace }}/reports/coverage/coverage.cobertura.xml' -targetdir:'${{ github.workspace }}/reports/coverage/' -reporttypes:'HtmlInline;Cobertura;MarkdownSummary' | |
| run: dotnet reportgenerator -assemblyfilters:'-xunit*' -reports:`find ${{ github.workspace }}/reports/coverage/ -name coverage.cobertura.xml` -targetdir:'${{ github.workspace }}/reports/coverage/' -reporttypes:'HtmlInline;Cobertura;MarkdownSummary' | |
| # - name: Publish coverage report | |
| # if: ${{ matrix.os == 'ubuntu-latest' }} | |
| # uses: 5monkeys/cobertura-action@master | |
| # with: | |
| # path: '${{ github.workspace }}/reports/coverage/Cobertura.xml' | |
| # repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| # minimum_coverage: 75 | |
| - name: Publish coverage summary | |
| if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} | |
| uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 | |
| with: | |
| header: Report | |
| path: '${{ github.workspace }}/reports/coverage/Summary.md' | |
| recreate: true | |
| - name: Create test summary | |
| if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} | |
| uses: test-summary/action@4ee9ece4bca777a38f05c8fc578ac2007fe266f7 | |
| with: | |
| paths: '${{ github.workspace }}/reports/coverage/TestResults.xml' | |
| # output: '${{ github.workspace }}/${{ env.file_name }}' | |
| # - name: Comment PR with the generated test Markdown | |
| # if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} | |
| # uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 | |
| # with: | |
| # path: ${{ env.file_name }} | |
| # - name: Upload PR build information artefact | |
| # if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} | |
| # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| # with: | |
| # name: 'Test Run' | |
| # path: ${{ github.workspace }}/${{ env.file_name }} | |
| # - name: Comment PR with the generated test Markdown | |
| # if: ${{ matrix.os == 'ubuntu-latest' }} | |
| # uses: machine-learning-apps/pr-comment@78e77cd435e0f9706512ea294d846058ae46f7ff | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # with: | |
| # path: ${{ env.file_name }} | |
| - name: Pack Nuget files | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| run: | | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE/$VERIFIABLE.*proj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_BOUNCYCASTLE/$VERIFIABLE_BOUNCYCASTLE.*proj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:NoWarn=NU5104 -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_CORE/$VERIFIABLE_CORE.csproj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_DECENTRALIZEDWEBNODE/$VERIFIABLE_DECENTRALIZEDWEBNODE.*proj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:NoWarn=NU5104 -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_NSEC/$VERIFIABLE_NSEC.*proj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_SECURITY_WINDOWS/$VERIFIABLE_SECURITY_WINDOWS.*proj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_SIDETREE/$VERIFIABLE_SIDETREE.*proj | |
| dotnet pack --verbosity normal --configuration ${{ env.BUILD_CONFIGURATION }} --no-build --include-symbols --include-source -property:PackageVersion=$PACKAGE_VERSION src/$VERIFIABLE_TPM/$VERIFIABLE_TPM.*proj | |
| - name: Upload Verifiable Nuget packages | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: nupkg | |
| path: | | |
| ./src/${{ env.VERIFIABLE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_BOUNCYCASTLE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_CORE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_DECENTRALIZEDWEBNODE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_NSEC }}//bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_SECURITY_WINDOWS }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_SIDETREE }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| ./src/${{ env.VERIFIABLE_TPM }}/bin/${{ env.BUILD_CONFIGURATION }}/*.nupkg | |
| # The release idea is inspired by https://dusted.codes/github-actions-for-dotnet-core-nuget-packages. | |
| prerelease: | |
| permissions: | |
| # For setup-dotnet to create package. | |
| packages: write | |
| needs: build | |
| if: ${{ github.ref == 'refs/heads/develop' && github.repository_owner == 'lumoin' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| aka.ms:443 | |
| api.github.com:443 | |
| api.nuget.org:443 | |
| dashboard.stryker-mutator.io:443 | |
| dotnetcli.azureedge.net:443 | |
| github.com:443 | |
| - name: Download NuGet artifacts | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
| with: | |
| name: nupkg | |
| - name: Push to GitHub developer feed | |
| run: dotnet nuget push "**/*.nupkg" --source ${{ env.GITHUB_FEED }} --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate | |
| deploy: | |
| permissions: | |
| # For setup-dotnet to create package. | |
| packages: write | |
| needs: build | |
| if: ${{ github.event_name == 'release' && github.repository_owner == 'lumoin' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| aka.ms:443 | |
| api.github.com:443 | |
| api.nuget.org:443 | |
| dashboard.stryker-mutator.io:443 | |
| dotnetcli.azureedge.net:443 | |
| github.com:443 | |
| - name: Download NuGet artifacts | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
| with: | |
| name: nupkg | |
| - name: Push to GitHub developer feed | |
| run: dotnet nuget push "**/*.nupkg" --source ${{ env.GITHUB_FEED }} --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate | |
| - name: Push to NuGet feed | |
| run: dotnet nuget push **/*.nupkg --source $NUGET_FEED --api-key ${{ secrets.NUGET_API_KEY }} --skip-duplicate |