Skip to content

security: add permissions block to workflows #135

security: add permissions block to workflows

security: add permissions block to workflows #135

Workflow file for this run

name: Always be deploying
on:
pull_request:
paths-ignore:
- 'README.md'
- '.editorconfig'
push:
paths-ignore:
- 'README.md'
- '.editorconfig'
branches:
- main
tags:
- "*.*.*"
permissions:
contents: read
jobs:
test-windows:
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- run: |
git fetch --prune --unshallow --tags
echo exit code $?
git tag --list
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
global-json-file: ./global.json
- name: Build
run: build.bat build -s true
shell: cmd
- name: Test
run: build.bat test -s true
shell: cmd
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- run: |
git fetch --prune --unshallow --tags
echo exit code $?
git tag --list
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
global-json-file: ./global.json
- name: Build
run: ./build.sh build -s true
- name: Test
run: ./build.sh test -s true
- name: Generate local nuget packages
run: ./build.sh generatepackages -s true
- name: "Validate *.npkg files"
run: ./build.sh validatepackages -s true
- name: "Inspect public API changes"
run: ./build.sh generateapichanges -s true
- name: Publish canary packages to GitHub package repository
if: github.event_name == 'push' && startswith(github.ref, 'refs/heads')
shell: bash
run: |
dotnet nuget add source --username USERNAME --password ${{secrets.GITHUB_TOKEN}} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/elastic/index.json"
until dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols; do echo "Retrying"; sleep 1; done;
# Github packages requires authentication, this is likely going away in the future so for now we publish to feedz.io
- name: Publish canary packages to feedz.io
run: dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.FEEDZ_IO_API_KEY}} -s https://f.feedz.io/elastic/all/nuget/index.json --skip-duplicate --no-symbols
if: github.event_name == 'push' && startswith(github.ref, 'refs/heads')
- name: Generate release notes for tag
run: ./build.sh generatereleasenotes -s true --token ${{secrets.GITHUB_TOKEN}}
if: github.event_name == 'push' && startswith(github.ref, 'refs/tags')
- name: Create or update release for tag on github
run: ./build.sh createreleaseongithub -s true --token ${{secrets.GITHUB_TOKEN}}
if: github.event_name == 'push' && startswith(github.ref, 'refs/tags')
- name: Release to nuget.org
run: dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.NUGET_ORG_API_KEY}} -s https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols
if: github.event_name == 'push' && startswith(github.ref, 'refs/tags')