From a26b00a5d8e1c1e1396e6553ae94c3163671b427 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 May 2023 23:27:41 +0000 Subject: [PATCH 1/5] Bump notpeelz/action-gh-create-release from 4.0.0 to 5.0.0 Bumps [notpeelz/action-gh-create-release](https://github.com/notpeelz/action-gh-create-release) from 4.0.0 to 5.0.0. - [Release notes](https://github.com/notpeelz/action-gh-create-release/releases) - [Commits](https://github.com/notpeelz/action-gh-create-release/compare/35fc26709d3cf4b5ebde1981f8f9d32012e1ba55...a12edfc71daf5daa7922b931c28e2bf88d3b2ced) --- updated-dependencies: - dependency-name: notpeelz/action-gh-create-release dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/publish-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index c55501a83..88c3e5617 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -144,7 +144,7 @@ jobs:
 done
 - name: Publish release
- uses: notpeelz/action-gh-create-release@35fc26709d3cf4b5ebde1981f8f9d32012e1ba55 # v4.0.0
+ uses: notpeelz/action-gh-create-release@a12edfc71daf5daa7922b931c28e2bf88d3b2ced # v5.0.0
 with:
 token: ${{ github.token }}
 tag: latest
From a36157e40f0951a1c4c4d85486c2f708abedf983 Mon Sep 17 00:00:00 2001 From: peelz Date: Sat, 27 May 2023 14:47:05 -0400 Subject: [PATCH 2/5] Add CI workflow for generating nightly builds --- .github/workflows/create-prerelease.yml | 86 +++++++++++++++++++++++++ .github/workflows/on-push-master.yml | 3 + .github/workflows/publish-release.yml | 22 +++++-- 3 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/create-prerelease.yml
diff --git a/.github/workflows/create-prerelease.yml b/.github/workflows/create-prerelease.yml
new file mode 100644
index 000000000..50ffcc2b7
--- /dev/null
+++ b/.github/workflows/create-prerelease.yml
@@ -0,0 +1,86 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Create pre-release
+
+on:
+ schedule:
+ - cron: 0 0 * * *
+ workflow_dispatch:
+
+jobs:
+ check-if-release-needed:
+ runs-on: ubuntu-latest
+ outputs:
+ has-new-commits: "true"
+ steps:
+ - name: Extract branch name
+ id: extract-branch-name
+ run: |
+ echo "result=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+ - name: Sanity checks
+ if: ${{ github.event_name == 'workflow_dispatch' && steps.extract-branch-name.outputs.result != 'develop' }}
+ run: |
+ echo "::error::this workflow can only be run on the \"develop\" branch"
+ exit 1
+
+ - name: Get latest nightly-tagged commit
+ id: get-latest-tag
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ result-encoding: string
+ script: |
+ try {
+ const ref = await github.rest.git.getRef({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ ref: "tags/nightly",
+ });
+ return ref.data.object.sha;
+ } catch (err) {
+ if (err.name === "HttpError" && err.status === 404) {
+ return "tag-doesnt-exist";
+ }
+ throw err;
+ }
+
+ - name: Get latest commit on dev branch
+ id: get-latest-commit
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ result-encoding: string
+ script: |
+ const ref = await github.rest.git.getRef({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ ref: "heads/develop",
+ });
+ return ref.data.object.sha;
+
+ - name: Check for new commits
+ id: check-for-new-commits
+ if: ${{ steps.get-latest-tag.outputs.result != 'tag-doesnt-exist' }}
+ env:
+ LATEST_TAGGED_SHA: "${{ steps.get-latest-tag.outputs.result }}"
+ LATEST_SHA: "${{ steps.get-latest-commit.outputs.result }}"
+ run: |
+ if [[ -z "$LATEST_TAGGED_SHA" ]]; then
+ echo "::error::LATEST_TAGGED_SHA env var is invalid"
+ exit 1
+ fi
+ if [[ -z "$LATEST_SHA" ]]; then
+ echo "::error::LATEST_TAGGED_SHA env var is invalid"
+ exit 1
+ fi
+
+ if [[ "$LATEST_TAGGED_SHA" == "$LATEST_SHA" ]]; then
+ echo "has-new-commits=false" >> "$GITHUB_STATE"
+ fi
+
+ publish-release:
+ needs: [check-if-release-needed]
+ if: ${{ needs.check-if-release-needed.outputs.has-new-commits == 'true' }}
+ uses: ./.github/workflows/publish-release.yml
+ with:
+ ref: ${{ github.event.ref }}
+ tag: nightly
+ prerelease: true
diff --git a/.github/workflows/on-push-master.yml b/.github/workflows/on-push-master.yml
index 5aa5d4f97..debce86f5 100644
--- a/.github/workflows/on-push-master.yml
+++ b/.github/workflows/on-push-master.yml
@@ -19,3 +19,6 @@ jobs:
 publish-release:
 uses: ./.github/workflows/publish-release.yml
+ with:
+ ref: ${{ github.event.ref }}
+ tag: latest
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 88c3e5617..77fce65ca 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -3,8 +3,21 @@
 name: Publish release
 on:
- workflow_dispatch:
 workflow_call:
+ inputs:
+ ref:
+ description: "The git ref to checkout, build from and release"
+ required: true
+ type: string
+ tag:
+ description: "The tag of the release"
+ required: true
+ type: string
+ prerelease:
+ description: "Prerelease"
+ required: false
+ default: false
+ type: boolean
 env:
 CI_DIR: 2049ef39-42a2-46d2-b513-ee6d2e3a7b15
@@ -56,7 +69,7 @@ jobs:
 build:
 uses: ./.github/workflows/build.yml
 with:
- ref: ${{ github.event.ref }}
+ ref: ${{ inputs.ref }}
 publish-release:
 runs-on: ubuntu-latest
@@ -146,8 +159,9 @@ jobs:
 - name: Publish release
 uses: notpeelz/action-gh-create-release@a12edfc71daf5daa7922b931c28e2bf88d3b2ced # v5.0.0
 with:
- token: ${{ github.token }}
- tag: latest
+ target: ${{ inputs.ref }}
+ tag: ${{ inputs.tag }}
+ prerelease: ${{ inputs.prerelease }}
 strategy: replace
 title: "Automatic build"
 body: "Automatic build"
From 6348ddae63f7476d6cb8c2949e7d026655e7b090 Mon Sep 17 00:00:00 2001
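Review bot: The new-commit gate in `check-if-release-needed` is a no-op: the job output is the literal `has-new-commits: "true"` rather than `${{ steps.check-for-new-commits.outputs.has-new-commits }}`, and the only write the step makes is `echo "has-new-commits=false" >> "$GITHUB_STATE"`, which goes to action pre/post state rather than `$GITHUB_OUTPUT`, so `publish-release` re-points the `nightly` tag on every scheduled run regardless of activity. The caller then builds from `ref: ${{ github.event.ref }}`, which a `schedule` event does not populate as far as I know (its payload carries no `ref`), so the nightly is built from whatever the checkout falls back to rather than the `develop` SHA this job just resolved; passing that SHA both fixes the ref and closes the window between the comparison and the build. The second `-z` branch also names the wrong variable in its error message. Rewritten gate and caller below; the first-run case (no `nightly` tag yet) is handled inside the script instead of skipping the step, which would otherwise leave the output empty and never publish.
```yaml
  check-if-release-needed:
    runs-on: ubuntu-latest
    outputs:
      has-new-commits: ${{ steps.check-for-new-commits.outputs.has-new-commits }}
      target-sha: ${{ steps.get-latest-commit.outputs.result }}
    steps:
      # … unchanged: extract-branch-name, sanity checks, get-latest-tag, get-latest-commit …
      - name: Check for new commits
        id: check-for-new-commits
        env:
          LATEST_TAGGED_SHA: "${{ steps.get-latest-tag.outputs.result }}"
          LATEST_SHA: "${{ steps.get-latest-commit.outputs.result }}"
        run: |
          if [[ -z "$LATEST_TAGGED_SHA" ]]; then
            echo "::error::LATEST_TAGGED_SHA env var is invalid"
            exit 1
          fi
          if [[ -z "$LATEST_SHA" ]]; then
            echo "::error::LATEST_SHA env var is invalid"
            exit 1
          fi
          # "tag-doesnt-exist" is the sentinel returned by get-latest-tag on 404: first run, always publish
          if [[ "$LATEST_TAGGED_SHA" == "tag-doesnt-exist" || "$LATEST_TAGGED_SHA" != "$LATEST_SHA" ]]; then
            echo "has-new-commits=true" >> "$GITHUB_OUTPUT"
          else
            echo "has-new-commits=false" >> "$GITHUB_OUTPUT"
          fi

  publish-release:
    needs: [check-if-release-needed]
    if: ${{ needs.check-if-release-needed.outputs.has-new-commits == 'true' }}
    uses: ./.github/workflows/publish-release.yml
    with:
      # build and tag the exact commit that was compared, not a branch name that may move
      ref: ${{ needs.check-if-release-needed.outputs.target-sha }}
      tag: nightly
      prerelease: true
```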
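Review bot: `target: ${{ inputs.ref }}` on the release step is the branch ref the callers pass in (`github.event.ref`), and the `build` job earlier in this file checks out that same branch name at an earlier point in time, so a push landing between the two jobs leaves the `latest`/`nightly` tag pointing at a commit the attached artifacts were not built from. Have callers pass the commit SHA (`github.sha`) instead, or resolve the branch once at the top of this workflow and feed the same SHA to both `build` and `target`. Dropping `token: ${{ github.token }}` presumably relies on v5 of the action defaulting to the workflow token; worth confirming against the action's v5 inputs, along with the `contents: write` permission for this job, which is outside the hunk.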
From: peelz Date: Sat, 27 May 2023 15:29:15 -0400 Subject: [PATCH 3/5] Prevent CI from running publish-release for non-code changes --- .github/workflows/on-push-master.yml | 8 +++----- .github/workflows/on-push-other-branch.yml | 8 +++----- .github/workflows/on-update-dot-github.yml | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/on-update-dot-github.yml
diff --git a/.github/workflows/on-push-master.yml b/.github/workflows/on-push-master.yml
index debce86f5..10584a96d 100644
--- a/.github/workflows/on-push-master.yml
+++ b/.github/workflows/on-push-master.yml
@@ -5,13 +5,11 @@ name: On push to master branch
 on:
 push:
 branches: [master]
+ paths-ignore:
+ - ".github/**"
+ - "*.md"
 jobs:
- harden-ci-security:
- uses: ./.github/workflows/harden-ci-security.yml
- with:
- ref: ${{ github.event.ref }}
-
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
diff --git a/.github/workflows/on-push-other-branch.yml b/.github/workflows/on-push-other-branch.yml
index 3125819ac..fb75d656f 100644
--- a/.github/workflows/on-push-other-branch.yml
+++ b/.github/workflows/on-push-other-branch.yml
@@ -5,13 +5,11 @@ name: On push to a secondary branch
 on:
 push:
 branches-ignore: [master]
+ paths-ignore:
+ - ".github/**"
+ - "*.md"
 jobs:
- harden-ci-security:
- uses: ./.github/workflows/harden-ci-security.yml
- with:
- ref: ${{ github.event.ref }}
-
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
diff --git a/.github/workflows/on-update-dot-github.yml b/.github/workflows/on-update-dot-github.yml
new file mode 100644
index 000000000..767252936
--- /dev/null
+++ b/.github/workflows/on-update-dot-github.yml
@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: On changes to .github
+
+on:
+ push:
+ paths-ignore:
+ - "./.github/**"
+
+jobs:
+ harden-ci-security:
+ uses: ./.github/workflows/harden-ci-security.yml
+ with:
+ ref: ${{ github.event.ref }}
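Review bot: `paths-ignore: - "*.md"` only skips root-level Markdown: as I read GitHub's path-filter syntax, `*` does not match `/`, so a change to `docs/foo.md` still triggers tests and a release; use `"**/*.md"` (or `"**.md"`) if nested docs are meant to be ignored too. Removing `harden-ci-security` from this workflow also means a push that touches both code and `.github/**` no longer runs the pin check here (`paths-ignore` skips the run only when every changed file matches), so the pin check for such pushes now depends entirely on the new `on-update-dot-github.yml` firing as intended.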
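Review bot: The trigger filter on the new workflow is inverted and its pattern malformed: `paths-ignore: - "./.github/**"` tells GitHub to skip the run when only those paths change, and path filters are repository-relative globs with no `./` prefix, so as written the pattern most likely matches nothing and `harden-ci-security` runs on every push; fixing only the prefix would make it run on every push *except* workflow changes, the opposite of what the name says. Change the trigger to `on: push: paths: - ".github/**"`. Since this is the only place the pin check now runs for pushes (it was removed from the push workflows in this same patch), it is worth a manual verification that the workflow actually fires on a `.github/**`-only commit.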
From c6b9c753fe312caddc754ca946d57f9dfb35d053 Mon Sep 17 00:00:00 2001 From: peelz Date: Sat, 27 May 2023 19:30:02 -0400 Subject: [PATCH 4/5] Change dependabot's config to target the dev branch --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5541e0fde..5236a352f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,7 @@ version: 2
 updates:
 - package-ecosystem: github-actions
+ target-branch: develop
 directory: /
 schedule:
 interval: daily
From 5e84d65cdc4d3797c6d955f77004d183fd3bf0a0 Mon Sep 17 00:00:00 2001 From: peelz Date: Sat, 27 May 2023 21:48:46 -0400 Subject: [PATCH 5/5] Rename CI workflow 'ref' inputs to 'target' --- .github/workflows/build.yml | 4 ++-- .github/workflows/create-prerelease.yml | 2 +- .github/workflows/harden-ci-security.yml | 4 +++- .github/workflows/on-push-master.yml | 4 ++-- .github/workflows/on-push-other-branch.yml | 2 +- .github/workflows/on-push-pr.yml | 4 ++-- .github/workflows/on-update-dot-github.yml | 2 +- .github/workflows/publish-release.yml | 6 +++--- .github/workflows/run-tests.yml | 4 ++-- 9 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7edc62a03..031e006c1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,7 +6,7 @@ on:
 workflow_dispatch:
 workflow_call:
 inputs:
- ref:
+ target:
 required: true
 type: string
@@ -20,7 +20,7 @@ jobs:
 - name: Checkout branch
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
- ref: ${{ inputs.ref }}
+ ref: ${{ inputs.target }}
 submodules: recursive
 - name: Setup .NET
diff --git a/.github/workflows/create-prerelease.yml b/.github/workflows/create-prerelease.yml
index 50ffcc2b7..138e29a96 100644
--- a/.github/workflows/create-prerelease.yml
+++ b/.github/workflows/create-prerelease.yml
@@ -81,6 +81,6 @@ jobs:
 if: ${{ needs.check-if-release-needed.outputs.has-new-commits == 'true' }}
 uses: ./.github/workflows/publish-release.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
 tag: nightly
 prerelease: true
diff --git a/.github/workflows/harden-ci-security.yml b/.github/workflows/harden-ci-security.yml
index 0cd0b6016..7268a9d43 100644
--- a/.github/workflows/harden-ci-security.yml
+++ b/.github/workflows/harden-ci-security.yml
@@ -5,7 +5,7 @@ name: Harden CI security
 on:
 workflow_call:
 inputs:
- ref:
+ target:
 required: true
 type: string
@@ -15,5 +15,7 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ ref: ${{ inputs.target }}
 - name: Ensure all actions are pinned to a specific commit
 uses: zgosalvez/github-actions-ensure-sha-pinned-actions@555a30da2656b4a7cf47b107800bef097723363e # v2.1.3
diff --git a/.github/workflows/on-push-master.yml b/.github/workflows/on-push-master.yml
index 10584a96d..8a53b2ae5 100644
--- a/.github/workflows/on-push-master.yml
+++ b/.github/workflows/on-push-master.yml
@@ -13,10 +13,10 @@ jobs:
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
 publish-release:
 uses: ./.github/workflows/publish-release.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
 tag: latest
diff --git a/.github/workflows/on-push-other-branch.yml b/.github/workflows/on-push-other-branch.yml
index fb75d656f..2fd4b5bd3 100644
--- a/.github/workflows/on-push-other-branch.yml
+++ b/.github/workflows/on-push-other-branch.yml
@@ -13,4 +13,4 @@ jobs:
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
diff --git a/.github/workflows/on-push-pr.yml b/.github/workflows/on-push-pr.yml
index 09c97102f..0c4437579 100644
--- a/.github/workflows/on-push-pr.yml
+++ b/.github/workflows/on-push-pr.yml
@@ -9,9 +9,9 @@ jobs:
 harden-ci-security:
 uses: ./.github/workflows/harden-ci-security.yml
 with:
- ref: ${{ github.event.pull_request.head.sha }}
+ target: ${{ github.event.pull_request.head.sha }}
 run-tests-for-pr:
 uses: ./.github/workflows/run-tests.yml
 with:
- ref: ${{ github.event.pull_request.head.sha }}
+ target: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/on-update-dot-github.yml b/.github/workflows/on-update-dot-github.yml
index 767252936..4b27c59c9 100644
--- a/.github/workflows/on-update-dot-github.yml
+++ b/.github/workflows/on-update-dot-github.yml
@@ -11,4 +11,4 @@ jobs:
 harden-ci-security:
 uses: ./.github/workflows/harden-ci-security.yml
 with:
- ref: ${{ github.event.ref }}
+ target: ${{ github.event.ref }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 77fce65ca..0f408cef0 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -5,7 +5,7 @@ name: Publish release
 on:
 workflow_call:
 inputs:
- ref:
+ target:
 description: "The git ref to checkout, build from and release"
 required: true
 type: string
@@ -69,7 +69,7 @@ jobs:
 build:
 uses: ./.github/workflows/build.yml
 with:
- ref: ${{ inputs.ref }}
+ target: ${{ inputs.target }}
 publish-release:
 runs-on: ubuntu-latest
@@ -159,7 +159,7 @@ jobs:
 - name: Publish release
 uses: notpeelz/action-gh-create-release@a12edfc71daf5daa7922b931c28e2bf88d3b2ced # v5.0.0
 with:
- target: ${{ inputs.ref }}
+ target: ${{ inputs.target }}
 tag: ${{ inputs.tag }}
 prerelease: ${{ inputs.prerelease }}
 strategy: replace
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 784152c8d..ffd50cce9 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,7 +5,7 @@ name: Run tests
 on:
 workflow_call:
 inputs:
- ref:
+ target:
 required: true
 type: string
@@ -17,7 +17,7 @@ jobs:
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 repository: ${{ inputs.repository }}
- ref: ${{ inputs.ref }}
+ target: ${{ inputs.target }}
 submodules: recursive
 - name: Setup .NET
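Review bot: The rename was applied to the wrong key here: `target: ${{ inputs.target }}` is passed to `actions/checkout`, which has no `target` input, whereas the `build.yml` and `harden-ci-security.yml` hunks in this same patch keep `ref:` on the checkout step and only rename the workflow input. Checkout will warn about an unexpected input and fall back to the event's default ref (for a pull request, presumably the merge ref rather than `github.event.pull_request.head.sha` the caller supplied), so tests silently run against something other than the commit that was requested. Change the line to `ref: ${{ inputs.target }}`.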