Merge pull request #139 from notpeelz/feat-nightly-ci-builds

Add nightly CI builds

.github/dependabot.yml

@@ -3,6 +3,7 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
+    target-branch: develop
     directory: /
     schedule:
       interval: daily

.github/workflows/build.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
   workflow_call:
     inputs:
-      ref:
+      target:
         required: true
         type: string
 
@@ -20,7 +20,7 @@ jobs:
       - name: Checkout branch
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ inputs.target }}
           submodules: recursive
 
       - name: Setup .NET

.github/workflows/create-prerelease.yml

@@ -0,0 +1,86 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Create pre-release
+
+on:
+  schedule:
+    - cron: 0 0 * * *
+  workflow_dispatch:
+
+jobs:
+  check-if-release-needed:
+    runs-on: ubuntu-latest
+    outputs:
+      has-new-commits: "true"
+    steps:
+      - name: Extract branch name
+        id: extract-branch-name
+        run: |
+          echo "result=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+      - name: Sanity checks
+        if: ${{ github.event_name == 'workflow_dispatch' && steps.extract-branch-name.outputs.result != 'develop' }}
+        run: |
+          echo "::error::this workflow can only be run on the \"develop\" branch"
+          exit 1
+
+      - name: Get latest nightly-tagged commit
+        id: get-latest-tag
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        with:
+          result-encoding: string
+          script: |
+            try {
+              const ref = await github.rest.git.getRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: "tags/nightly",
+              });
+              return ref.data.object.sha;
+            } catch (err) {
+              if (err.name === "HttpError" && err.status === 404) {
+                return "tag-doesnt-exist";
+              }
+              throw err;
+            }
+
+      - name: Get latest commit on dev branch
+        id: get-latest-commit
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        with:
+          result-encoding: string
+          script: |
+            const ref = await github.rest.git.getRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: "heads/develop",
+            });
+            return ref.data.object.sha;
+
+      - name: Check for new commits
+        id: check-for-new-commits
+        if: ${{ steps.get-latest-tag.outputs.result != 'tag-doesnt-exist' }}
+        env:
+          LATEST_TAGGED_SHA: "${{ steps.get-latest-tag.outputs.result }}"
+          LATEST_SHA: "${{ steps.get-latest-commit.outputs.result }}"
+        run: |
+          if [[ -z "$LATEST_TAGGED_SHA" ]]; then
+            echo "::error::LATEST_TAGGED_SHA env var is invalid"
+            exit 1
+          fi
+          if [[ -z "$LATEST_SHA" ]]; then
+            echo "::error::LATEST_TAGGED_SHA env var is invalid"
+            exit 1
+          fi
+
+          if [[ "$LATEST_TAGGED_SHA" == "$LATEST_SHA" ]]; then
+            echo "has-new-commits=false" >> "$GITHUB_STATE"
+          fi
+
+  publish-release:
+    needs: [check-if-release-needed]
+    if: ${{ needs.check-if-release-needed.outputs.has-new-commits == 'true' }}
+    uses: ./.github/workflows/publish-release.yml
+    with:
+      target: ${{ github.event.ref }}
+      tag: nightly
+      prerelease: true

.github/workflows/harden-ci-security.yml

@@ -5,7 +5,7 @@ name: Harden CI security
 on:
   workflow_call:
     inputs:
-      ref:
+      target:
         required: true
         type: string
 
@@ -15,5 +15,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          ref: ${{ inputs.target }}
       - name: Ensure all actions are pinned to a specific commit
         uses: zgosalvez/github-actions-ensure-sha-pinned-actions@555a30da2656b4a7cf47b107800bef097723363e # v2.1.3

.github/workflows/on-push-master.yml

@@ -5,17 +5,18 @@ name: On push to master branch
 on:
   push:
     branches: [master]
+    paths-ignore:
+      - ".github/**"
+      - "*.md"
 
 jobs:
-  harden-ci-security:
-    uses: ./.github/workflows/harden-ci-security.yml
-    with:
-      ref: ${{ github.event.ref }}
-
   run-tests:
     uses: ./.github/workflows/run-tests.yml
     with:
-      ref: ${{ github.event.ref }}
+      target: ${{ github.event.ref }}
 
   publish-release:
     uses: ./.github/workflows/publish-release.yml
+    with:
+      target: ${{ github.event.ref }}
+      tag: latest

.github/workflows/on-push-other-branch.yml

@@ -5,14 +5,12 @@ name: On push to a secondary branch
 on:
   push:
     branches-ignore: [master]
+    paths-ignore:
+      - ".github/**"
+      - "*.md"
 
 jobs:
-  harden-ci-security:
-    uses: ./.github/workflows/harden-ci-security.yml
-    with:
-      ref: ${{ github.event.ref }}
-
   run-tests:
     uses: ./.github/workflows/run-tests.yml
     with:
-      ref: ${{ github.event.ref }}
+      target: ${{ github.event.ref }}

.github/workflows/on-push-pr.yml

@@ -9,9 +9,9 @@ jobs:
   harden-ci-security:
     uses: ./.github/workflows/harden-ci-security.yml
     with:
-      ref: ${{ github.event.pull_request.head.sha }}
+      target: ${{ github.event.pull_request.head.sha }}
 
   run-tests-for-pr:
     uses: ./.github/workflows/run-tests.yml
     with:
-      ref: ${{ github.event.pull_request.head.sha }}
+      target: ${{ github.event.pull_request.head.sha }}

.github/workflows/on-update-dot-github.yml

@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: On changes to .github
+
+on:
+  push:
+    paths-ignore:
+      - "./.github/**"
+
+jobs:
+  harden-ci-security:
+    uses: ./.github/workflows/harden-ci-security.yml
+    with:
+      target: ${{ github.event.ref }}

.github/workflows/publish-release.yml

@@ -3,8 +3,21 @@
 name: Publish release
 
 on:
-  workflow_dispatch:
   workflow_call:
+    inputs:
+      target:
+        description: "The git ref to checkout, build from and release"
+        required: true
+        type: string
+      tag:
+        description: "The tag of the release"
+        required: true
+        type: string
+      prerelease:
+        description: "Prerelease"
+        required: false
+        default: false
+        type: boolean
 
 env:
   CI_DIR: 2049ef39-42a2-46d2-b513-ee6d2e3a7b15
@@ -56,7 +69,7 @@ jobs:
   build:
     uses: ./.github/workflows/build.yml
     with:
-      ref: ${{ github.event.ref }}
+      target: ${{ inputs.target }}
 
   publish-release:
     runs-on: ubuntu-latest
@@ -144,10 +157,11 @@ jobs:
           done
 
       - name: Publish release
-        uses: notpeelz/action-gh-create-release@35fc26709d3cf4b5ebde1981f8f9d32012e1ba55 # v4.0.0
+        uses: notpeelz/action-gh-create-release@a12edfc71daf5daa7922b931c28e2bf88d3b2ced # v5.0.0
         with:
-          token: ${{ github.token }}
-          tag: latest
+          target: ${{ inputs.target }}
+          tag: ${{ inputs.tag }}
+          prerelease: ${{ inputs.prerelease }}
           strategy: replace
           title: "Automatic build"
           body: "Automatic build"

.github/workflows/run-tests.yml

@@ -5,7 +5,7 @@ name: Run tests
 on:
   workflow_call:
     inputs:
-      ref:
+      target:
         required: true
         type: string
 
@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           repository: ${{ inputs.repository }}
-          ref: ${{ inputs.ref }}
+          target: ${{ inputs.target }}
           submodules: recursive
 
       - name: Setup .NET