mirror of
https://github.com/irongut/CodeCoverageSummary.git
synced 2026-05-14 14:10:14 +02:00
irongut
121 lines
4.0 KiB
YAML
121 lines
4.0 KiB
YAML
name: Build + Deploy to GHCR
|
|
|
|
on:
|
|
release:
|
|
types: [published]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
DOTNET_NOLOGO: true # Disable the .NET logo in the console output
|
|
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
|
|
DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
|
|
jobs:
|
|
build:
|
|
name: Test Build
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
|
|
with:
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
api.nuget.org:443
|
|
dotnetbuilds.azureedge.net:443
|
|
dotnetcli.azureedge.net:443
|
|
dotnetcli.blob.core.windows.net:443
|
|
github.com:443
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Setup .Net
|
|
uses: actions/setup-dotnet@c0d4ad69d8bd405d234f1c9166d383b7a4f69ed8
|
|
with:
|
|
dotnet-version: 6.0.x
|
|
|
|
- name: Restore Dependencies
|
|
run: dotnet restore src/CodeCoverageSummary.sln
|
|
|
|
- name: Build CodeCoverageSummary
|
|
run: dotnet build src/CodeCoverageSummary.sln --configuration Release --no-restore
|
|
|
|
- name: Test with sample file
|
|
run: dotnet src/CodeCoverageSummary/bin/Release/net6.0/CodeCoverageSummary.dll --files **/coverage.*.xml --badge true
|
|
|
|
deploy:
|
|
name: Deploy to GHCR
|
|
needs: [build]
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write # Used for identity challenge with sigstore/fulcio
|
|
|
|
steps:
|
|
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
|
|
with:
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
api.github.com:443
|
|
api.nuget.org:443
|
|
auth.docker.io:443
|
|
fulcio.sigstore.dev:443
|
|
ghcr.io:443
|
|
github.com:443
|
|
mcr.microsoft.com:443
|
|
pipelines.actions.githubusercontent.com:443
|
|
pkg-containers.githubusercontent.com:443
|
|
registry-1.docker.io:443
|
|
storage.googleapis.com:443
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@c68f43abf1ae5df2528c9c250088fa14ed2d0ef5
|
|
with:
|
|
cosign-release: 'v1.9.0'
|
|
|
|
- name: Setup Docker Buildx
|
|
uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract Docker metadata
|
|
id: meta
|
|
uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
|
|
- name: Build + Push Docker image
|
|
id: build-and-push
|
|
uses: docker/build-push-action@1cb9d22b932e4832bb29793b7777ec860fc1cde0
|
|
with:
|
|
context: .
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
|
|
# Sign the Docker image digest
|
|
# Uses the identity token to provision an ephemeral certificate against the community Fulcio instance
|
|
# https://github.com/sigstore/cosign
|
|
- name: Sign the Docker image
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
|