From 234d942624388e3a8528bb100268ef3cc7c5ab7a Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Sun, 18 Feb 2024 02:14:12 +0700 Subject: [PATCH 1/3] security: add permissions block to workflows --- .github/workflows/ci.yml | 3 +++ .github/workflows/license.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ac61ee..d94e8e9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,9 @@ on: tags: - "*.*.*" +permissions: + contents: read + jobs: test-windows: runs-on: windows-latest diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 1528a9f..0fb0b03 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -2,6 +2,9 @@ name: License headers on: [pull_request] +permissions: + contents: read + jobs: build: From 7b614fadee6dd3aec0b5fca0033a3b709285575c Mon Sep 17 00:00:00 2001 From: Steve Gordon Date: Wed, 27 Mar 2024 11:34:01 +0000 Subject: [PATCH 2/3] Update .NET setup and canary package push --- .github/workflows/ci.yml | 84 +++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 39 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d94e8e9..9004092 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
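Review bot: The workflow-level `permissions: contents: read` added to ci.yml leaves every other token scope at none for all jobs, but the `build` job in the same file (its steps appear in the second patch of this series) pushes to nuget.pkg.github.com with `secrets.GITHUB_TOKEN` and runs `createreleaseongithub --token ${{secrets.GITHUB_TOKEN}}`. Unless that job gets its own block, those steps would presumably be rejected, and the canary push sits inside an `until` loop with no retry limit. Keep the read-only default and grant the extra scopes on the publishing job only, e.g. a `permissions:` mapping under `build:` with `contents: write` and `packages: write`. What the release step needs is inferred from its name, and the job bodies lie outside this hunk.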
@@ -21,76 +21,82 @@ jobs: test-windows: runs-on: windows-latest steps: + - uses: actions/checkout@v4 with: fetch-depth: 1 + - run: | git fetch --prune --unshallow --tags echo exit code $? git tag --list - - uses: actions/setup-dotnet@v1 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 with: - dotnet-version: | - 5.0.x - 6.0.x - source-url: https://nuget.pkg.github.com/elastic/index.json - env: - NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} - - run: build.bat build -s true + global-json-file: ./global.json + + - name: Build + run: build.bat build -s true shell: cmd - name: Build - - run: build.bat test -s true + + - name: Test + run: build.bat test -s true shell: cmd - name: Test build: runs-on: ubuntu-latest steps: + - uses: actions/checkout@v4 with: fetch-depth: 1 + - run: | git fetch --prune --unshallow --tags echo exit code $? git tag --list - - uses: actions/setup-dotnet@v1 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 with: - dotnet-version: | - 5.0.x - 6.0.x - source-url: https://nuget.pkg.github.com/elastic/index.json - env: - NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} + global-json-file: ./global.json - - run: ./build.sh build -s true - name: Build - - run: ./build.sh test -s true - name: Test - - run: ./build.sh generatepackages -s true - name: Generate local nuget packages - - run: ./build.sh validatepackages -s true - name: "validate *.npkg files that were created" - - run: ./build.sh generateapichanges -s true - name: "Inspect public API changes" - - - name: publish canary packages github package repository + - name: Build + run: ./build.sh build -s true + + - name: Test + run: ./build.sh test -s true + + - name: Generate local nuget packages + run: ./build.sh generatepackages -s true + + - name: "Validate *.npkg files" + run: ./build.sh validatepackages -s true + + - name: "Inspect public API changes" + run: ./build.sh generateapichanges -s true + + - name: Publish canary packages to GitHub package repository if: github.event_name == 
'push' && startswith(github.ref, 'refs/heads') shell: bash run: | + dotnet nuget add source --username USERNAME --password ${{secrets.GITHUB_TOKEN}} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/elastic/index.json" until dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols; do echo "Retrying"; sleep 1; done; # Github packages requires authentication, this is likely going away in the future so for now we publish to feedz.io - - run: dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.FEEDZ_IO_API_KEY}} -s https://f.feedz.io/elastic/all/nuget/index.json --skip-duplicate --no-symbols - name: publish canary packages to feedz.io + - name: Publish canary packages to feedz.io + run: dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.FEEDZ_IO_API_KEY}} -s https://f.feedz.io/elastic/all/nuget/index.json --skip-duplicate --no-symbols if: github.event_name == 'push' && startswith(github.ref, 'refs/heads') - - run: ./build.sh generatereleasenotes -s true --token ${{secrets.GITHUB_TOKEN}} - name: Generate release notes for tag + - name: Generate release notes for tag + run: ./build.sh generatereleasenotes -s true --token ${{secrets.GITHUB_TOKEN}} if: github.event_name == 'push' && startswith(github.ref, 'refs/tags') - - run: ./build.sh createreleaseongithub -s true --token ${{secrets.GITHUB_TOKEN}} + + - name: Create or update release for tag on github + run: ./build.sh createreleaseongithub -s true --token ${{secrets.GITHUB_TOKEN}} if: github.event_name == 'push' && startswith(github.ref, 'refs/tags') - name: Create or update release for tag on github - - - run: dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.NUGET_ORG_API_KEY}} -s https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols - name: release to nuget.org + + - name: Release to nuget.org + run: dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.NUGET_ORG_API_KEY}} -s https://api.nuget.org/v3/index.json 
--skip-duplicate --no-symbols if: github.event_name == 'push' && startswith(github.ref, 'refs/tags') From b6055aec9faf9e853dbd885cf32361391f11e9fa Mon Sep 17 00:00:00 2001 From: Steve Gordon Date: Wed, 27 Mar 2024 13:23:18 +0000 Subject: [PATCH 3/3] Update dotnet tools --- dotnet-tools.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dotnet-tools.json b/dotnet-tools.json index 3da4e96..9f406e7 100644 --- a/dotnet-tools.json +++ b/dotnet-tools.json @@ -9,19 +9,19 @@ ] }, "assembly-differ": { - "version": "0.13.0", + "version": "0.15.0", "commands": [ "assembly-differ" ] }, "release-notes": { - "version": "0.5.2", + "version": "0.6.0", "commands": [ "release-notes" ] }, "nupkg-validator": { - "version": "0.5.0", + "version": "0.6.0", "commands": [ "nupkg-validator" ]
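Review bot: In ci.yml the GitHub Packages push in the `build` job names no source: the new `dotnet nuget add source ... --name github` line registers the feed, but the `dotnet nuget push` inside the `until` loop has no `-s`/`--source`, and the `source-url` input that used to configure the feed was removed from the setup-dotnet step. Unless a nuget.config in the repository sets a default push source, the push fails every time and the loop retries without limit, so add `--source github` to the push and cap the retries. The token is also expanded by `${{ }}` straight into the script text on both lines. Pass it through the step's `env:` (`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and reference `"$GITHUB_TOKEN"` so the secret is not written into the generated script.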