diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5541e0fde..5236a352f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,7 @@ version: 2
 updates:
 - package-ecosystem: github-actions
+ target-branch: develop
 directory: /
 schedule:
 interval: daily
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7edc62a03..031e006c1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,7 +6,7 @@ on:
 workflow_dispatch:
 workflow_call:
 inputs:
- ref:
+ target:
 required: true
 type: string
@@ -20,7 +20,7 @@ jobs:
 - name: Checkout branch
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
- ref: ${{ inputs.ref }}
+ ref: ${{ inputs.target }}
 submodules: recursive
 - name: Setup .NET
diff --git a/.github/workflows/create-prerelease.yml b/.github/workflows/create-prerelease.yml
new file mode 100644
index 000000000..138e29a96
--- /dev/null
+++ b/.github/workflows/create-prerelease.yml
@@ -0,0 +1,86 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Create pre-release
+
+on:
+ schedule:
+ - cron: 0 0 * * *
+ workflow_dispatch:
+
+jobs:
+ check-if-release-needed:
+ runs-on: ubuntu-latest
+ outputs:
+ has-new-commits: "true"
+ steps:
+ - name: Extract branch name
+ id: extract-branch-name
+ run: |
+ echo "result=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+ - name: Sanity checks
+ if: ${{ github.event_name == 'workflow_dispatch' && steps.extract-branch-name.outputs.result != 'develop' }}
+ run: |
+ echo "::error::this workflow can only be run on the \"develop\" branch"
+ exit 1
+
+ - name: Get latest nightly-tagged commit
+ id: get-latest-tag
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ result-encoding: string
+ script: |
+ try {
+ const ref = await github.rest.git.getRef({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ ref: "tags/nightly",
+ });
+ return ref.data.object.sha;
+ } catch (err) {
+ if (err.name === "HttpError" && err.status === 404) {
+ return "tag-doesnt-exist";
+ }
+ throw err;
+ }
+
+ - name: Get latest commit on dev branch
+ id: get-latest-commit
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ result-encoding: string
+ script: |
+ const ref = await github.rest.git.getRef({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ ref: "heads/develop",
+ });
+ return ref.data.object.sha;
+
+ - name: Check for new commits
+ id: check-for-new-commits
+ if: ${{ steps.get-latest-tag.outputs.result != 'tag-doesnt-exist' }}
+ env:
+ LATEST_TAGGED_SHA: "${{ steps.get-latest-tag.outputs.result }}"
+ LATEST_SHA: "${{ steps.get-latest-commit.outputs.result }}"
+ run: |
+ if [[ -z "$LATEST_TAGGED_SHA" ]]; then
+ echo "::error::LATEST_TAGGED_SHA env var is invalid"
+ exit 1
+ fi
+ if [[ -z "$LATEST_SHA" ]]; then
+ echo "::error::LATEST_TAGGED_SHA env var is invalid"
+ exit 1
+ fi
+
+ if [[ "$LATEST_TAGGED_SHA" == "$LATEST_SHA" ]]; then
+ echo "has-new-commits=false" >> "$GITHUB_STATE"
+ fi
+
+ publish-release:
+ needs: [check-if-release-needed]
+ if: ${{ needs.check-if-release-needed.outputs.has-new-commits == 'true' }}
+ uses: ./.github/workflows/publish-release.yml
+ with:
+ target: ${{ github.event.ref }}
+ tag: nightly
+ prerelease: true
diff --git a/.github/workflows/harden-ci-security.yml b/.github/workflows/harden-ci-security.yml
index 0cd0b6016..7268a9d43 100644
--- a/.github/workflows/harden-ci-security.yml
+++ b/.github/workflows/harden-ci-security.yml
@@ -5,7 +5,7 @@ name: Harden CI security
 on:
 workflow_call:
 inputs:
- ref:
+ target:
 required: true
 type: string
@@ -15,5 +15,7 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ ref: ${{ inputs.target }}
 - name: Ensure all actions are pinned to a specific commit
 uses: zgosalvez/github-actions-ensure-sha-pinned-actions@555a30da2656b4a7cf47b107800bef097723363e # v2.1.3
diff --git a/.github/workflows/on-push-master.yml b/.github/workflows/on-push-master.yml
index 5aa5d4f97..8a53b2ae5 100644
--- a/.github/workflows/on-push-master.yml
+++ b/.github/workflows/on-push-master.yml
@@ -5,17 +5,18 @@ name: On push to master branch
 on:
 push:
 branches: [master]
+ paths-ignore:
+ - ".github/**"
+ - "*.md"
 jobs:
- harden-ci-security:
- uses: ./.github/workflows/harden-ci-security.yml
- with:
- ref: ${{ github.event.ref }}
-
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
 publish-release:
 uses: ./.github/workflows/publish-release.yml
+ with:
+ target: ${{ github.event.ref }}
+ tag: latest
diff --git a/.github/workflows/on-push-other-branch.yml b/.github/workflows/on-push-other-branch.yml
index 3125819ac..2fd4b5bd3 100644
--- a/.github/workflows/on-push-other-branch.yml
+++ b/.github/workflows/on-push-other-branch.yml
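Review bot: The `has-new-commits` job output is the hard-coded string `"true"`, and the check step writes its result to `$GITHUB_STATE` (per-action state for pre/post hooks) rather than `$GITHUB_OUTPUT`, so the comparison never reaches the job output and `publish-release` re-tags `nightly` every night regardless of whether `develop` moved. Map the job output to the step and write to `$GITHUB_OUTPUT`, defaulting to `true` because the step is skipped when the tag does not yet exist. The `target: ${{ github.event.ref }}` handed to publish-release is also not set on `schedule` events, which is the path this workflow normally runs on; `develop` is what `get-latest-commit` already resolves, so pass that branch rather than the event ref. The second `-z "$LATEST_SHA"` guard reports `LATEST_TAGGED_SHA` in its error message.
```yaml
    outputs:
      has-new-commits: ${{ steps.check-for-new-commits.outputs.has-new-commits || 'true' }}
    steps:
      # … unchanged: extract-branch-name, sanity checks, get-latest-tag, get-latest-commit …
      - name: Check for new commits
        id: check-for-new-commits
        if: ${{ steps.get-latest-tag.outputs.result != 'tag-doesnt-exist' }}
        # … unchanged: env and empty-variable guards …
        run: |
          if [[ "$LATEST_TAGGED_SHA" == "$LATEST_SHA" ]]; then
            echo "has-new-commits=false" >> "$GITHUB_OUTPUT"
          else
            echo "has-new-commits=true" >> "$GITHUB_OUTPUT"
          fi

  publish-release:
    # … unchanged: needs, if, uses …
    with:
      target: develop
```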
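Review bot: `publish-release` has no `needs: [run-tests]` in this hunk, so both reusable workflows start in parallel and a `latest` release is cut from every push to master even when the tests fail. Add `needs: [run-tests]` to `publish-release`; if the SHA-pin check is meant to gate releases, keep `harden-ci-security` in this workflow as a second `needs` entry instead of dropping it, since this PR moves it to a separately triggered workflow. Note also that `*` in GitHub path filters does not match `/`, so `"*.md"` only ignores top-level Markdown files; use `"**/*.md"` if all of them are meant to skip CI.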
@@ -5,14 +5,12 @@ name: On push to a secondary branch
 on:
 push:
 branches-ignore: [master]
+ paths-ignore:
+ - ".github/**"
+ - "*.md"
 jobs:
- harden-ci-security:
- uses: ./.github/workflows/harden-ci-security.yml
- with:
- ref: ${{ github.event.ref }}
-
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
diff --git a/.github/workflows/on-push-pr.yml b/.github/workflows/on-push-pr.yml
index 09c97102f..0c4437579 100644
--- a/.github/workflows/on-push-pr.yml
+++ b/.github/workflows/on-push-pr.yml
@@ -9,9 +9,9 @@ jobs:
 harden-ci-security:
 uses: ./.github/workflows/harden-ci-security.yml
 with:
- ref: ${{ github.event.pull_request.head.sha }}
+ target: ${{ github.event.pull_request.head.sha }}
 run-tests-for-pr:
 uses: ./.github/workflows/run-tests.yml
 with:
- ref: ${{ github.event.pull_request.head.sha }}
+ target: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/on-update-dot-github.yml b/.github/workflows/on-update-dot-github.yml
new file mode 100644
index 000000000..4b27c59c9
--- /dev/null
+++ b/.github/workflows/on-update-dot-github.yml
@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: On changes to .github
+
+on:
+ push:
+ paths-ignore:
+ - "./.github/**"
+
+jobs:
+ harden-ci-security:
+ uses: ./.github/workflows/harden-ci-security.yml
+ with:
+ target: ${{ github.event.ref }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index c55501a83..0f408cef0 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
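Review bot: The trigger filter in the new on-update-dot-github.yml is inverted: `paths-ignore: ["./.github/**"]` excludes `.github` changes, yet the workflow's stated purpose is to run the SHA-pin check on exactly those changes, and the `./` prefix is not how GitHub path globs are written (they are relative to the repo root, compare `".github/**"` in on-push-master.yml). Combined with the removal of `harden-ci-security` from on-push-master.yml and on-push-other-branch.yml, which now also `paths-ignore` `.github/**`, a workflow edit that introduces an unpinned or tag-referenced action may never be checked on push. Change the filter to `paths:` with `- ".github/**"`.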
@@ -3,8 +3,21 @@ name: Publish release
 on:
- workflow_dispatch:
 workflow_call:
+ inputs:
+ target:
+ description: "The git ref to checkout, build from and release"
+ required: true
+ type: string
+ tag:
+ description: "The tag of the release"
+ required: true
+ type: string
+ prerelease:
+ description: "Prerelease"
+ required: false
+ default: false
+ type: boolean
 env:
 CI_DIR: 2049ef39-42a2-46d2-b513-ee6d2e3a7b15
@@ -56,7 +69,7 @@ jobs:
 build:
 uses: ./.github/workflows/build.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ inputs.target }}
 publish-release:
 runs-on: ubuntu-latest
@@ -144,10 +157,11 @@ jobs:
 done
 - name: Publish release
- uses: notpeelz/action-gh-create-release@35fc26709d3cf4b5ebde1981f8f9d32012e1ba55 # v4.0.0
+ uses: notpeelz/action-gh-create-release@a12edfc71daf5daa7922b931c28e2bf88d3b2ced # v5.0.0
 with:
- token: ${{ github.token }}
- tag: latest
+ target: ${{ inputs.target }}
+ tag: ${{ inputs.tag }}
+ prerelease: ${{ inputs.prerelease }}
 strategy: replace
 title: "Automatic build"
 body: "Automatic build"
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 784152c8d..ffd50cce9 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,7 +5,7 @@ name: Run tests
 on:
 workflow_call:
 inputs:
- ref:
+ target:
 required: true
 type: string
@@ -17,7 +17,7 @@ jobs:
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 repository: ${{ inputs.repository }}
- ref: ${{ inputs.ref }}
+ target: ${{ inputs.target }}
 submodules: recursive
 - name: Setup .NET
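Review bot: The explicit `token: ${{ github.token }}` is dropped together with the v4→v5 bump of the release action; if v5 does not default to the job token the release call runs unauthenticated, so confirm the new default or keep the line. The `target` passed through is the caller's `github.event.ref` (`refs/heads/master` on the push trigger), a fully-qualified ref that the release API's commitish may not accept where a branch name or SHA is expected; passing `github.sha` from the callers (or resolving a SHA in this job) also pins the release to exactly the commit that was built. `strategy: replace` on the moving `latest`/`nightly` tags makes release assets mutable from a consumer's point of view, so consider publishing an additional immutable per-build tag.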
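Review bot: In the run-tests.yml checkout step `target:` is not an input of `actions/checkout` — the rename should only have touched the reusable-workflow input, and the checkout key must stay `ref: ${{ inputs.target }}`, as build.yml and harden-ci-security.yml do in this same diff. Unknown `with:` keys only produce a warning, so checkout silently falls back to the caller's default ref; for on-push-pr.yml that is no longer `pull_request.head.sha`, so the tests would run against a different commit than the one under review.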