Fix permissions #4399
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| branches: [ main ] | |
| paths-ignore: | |
| - '**/*.gitattributes' | |
| - '**/*.gitignore' | |
| - '**/*.md' | |
| pull_request: | |
| branches: | |
| - main | |
| - dotnet-vnext | |
| - dotnet-nightly | |
| workflow_dispatch: | |
| permissions: {} | |
| env: | |
| DOTNET_CLI_TELEMETRY_OPTOUT: true | |
| DOTNET_GENERATE_ASPNET_CERTIFICATE: false | |
| DOTNET_NOLOGO: true | |
| DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: 1 | |
| FORCE_COLOR: 1 | |
| NUGET_XMLDOC_MODE: skip | |
| TERM: xterm | |
| jobs: | |
| build: | |
| name: ${{ matrix.os-name }} | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 20 | |
| env: | |
| AZURE_WEBAPP_NAME: website-martincostello | |
| CONTAINER_REGISTRY: ${{ github.repository_owner }}.azurecr.io | |
| PUBLISH_CONTAINER: ${{ github.event.repository.fork == false && ((github.ref_name == github.event.repository.default_branch) || (github.actor == github.repository_owner)) && matrix.os-name == 'linux' }} | |
| outputs: | |
| application-name: ${{ env.AZURE_WEBAPP_NAME }} | |
| container-registry: ${{ env.CONTAINER_REGISTRY }} | |
| container-tag: ${{ steps.publish-container.outputs.container-tag }} | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os-name: macos | |
| runner: macos-latest | |
| - os-name: linux | |
| runner: ubuntu-latest | |
| - os-name: windows | |
| runner: windows-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| filter: 'tree:0' | |
| show-progress: false | |
| - name: Setup .NET SDK | |
| uses: actions/setup-dotnet@v4 | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - name: Get npm cache directory | |
| id: npm-cache-dir | |
| shell: pwsh | |
| run: | | |
| "dir=$(npm config get cache)" >> ${env:GITHUB_OUTPUT} | |
| - name: Setup npm cache | |
| uses: actions/cache@v4 | |
| id: npm-cache | |
| with: | |
| path: ${{ steps.npm-cache-dir.outputs.dir }} | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: ${{ runner.os }}-node- | |
| - name: Setup NuGet cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.nuget/packages | |
| key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }} | |
| restore-keys: ${{ runner.os }}-nuget- | |
| - name: Setup Playwright cache | |
| uses: actions/cache@v4 | |
| with: | |
| key: ${{ runner.os }}-playwright-${{ hashFiles('Directory.Packages.props') }} | |
| path: | | |
| ~/AppData/Local/ms-playwright | |
| ~/.cache/ms-playwright | |
| ~/Library/Caches/ms-playwright | |
| - name: Build, test and publish | |
| id: build | |
| shell: pwsh | |
| run: ./build.ps1 | |
| - uses: codecov/codecov-action@v5 | |
| name: Upload coverage to Codecov | |
| with: | |
| files: ./artifacts/coverage/coverage.cobertura.xml,./src/Website/coverage/lcov.info | |
| flags: ${{ matrix.os-name }} | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| - name: Docker log in | |
| uses: docker/login-action@v3 | |
| if: env.PUBLISH_CONTAINER == 'true' | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY }} | |
| username: ${{ secrets.ACR_REGISTRY_USERNAME }} | |
| password: ${{ secrets.ACR_REGISTRY_PASSWORD }} | |
| - name: Publish container | |
| id: publish-container | |
| if: runner.os == 'Linux' | |
| shell: pwsh | |
| env: | |
| ContainerRegistry: ${{ env.PUBLISH_CONTAINER == 'true' && env.CONTAINER_REGISTRY || '' }} | |
| run: | | |
| dotnet publish ./src/Website --arch x64 --os linux -p:PublishProfile=DefaultContainer | |
| - name: Generate SBOM for container | |
| uses: anchore/sbom-action@v0 | |
| if: steps.publish-container.outputs.container-tag != '' | |
| with: | |
| image: ${{ steps.publish-container.outputs.container-tag }} | |
| output-file: ./artifacts/sbom-container.json | |
| - name: Attest container image | |
| uses: actions/attest-build-provenance@v2 | |
| if: steps.publish-container.outputs.container-digest != '' | |
| with: | |
| push-to-registry: true | |
| subject-digest: ${{ steps.publish-container.outputs.container-digest }} | |
| subject-name: ${{ steps.publish-container.outputs.container-image }} | |
| - name: Attest SBOM for container | |
| uses: actions/attest-sbom@v2 | |
| if: steps.publish-container.outputs.container-digest != '' | |
| with: | |
| push-to-registry: true | |
| sbom-path: ./artifacts/sbom-container.json | |
| subject-digest: ${{ steps.publish-container.outputs.container-digest }} | |
| subject-name: ${{ steps.publish-container.outputs.container-image }} | |
| - name: Publish screenshots | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ !cancelled() }} | |
| with: | |
| name: screenshots-${{ matrix.os-name }} | |
| path: ./artifacts/screenshots/* | |
| if-no-files-found: ignore | |
| - name: Publish traces | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ !cancelled() }} | |
| with: | |
| name: traces-${{ matrix.os-name }} | |
| path: ./artifacts/traces/* | |
| if-no-files-found: ignore | |
| - name: Publish videos | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ !cancelled() }} | |
| with: | |
| name: videos-${{ matrix.os-name }} | |
| path: ./artifacts/videos/* | |
| if-no-files-found: ignore | |
| - name: Upload any crash dumps | |
| shell: pwsh | |
| if: | | |
| !cancelled() && | |
| steps.build.outcome == 'failure' && | |
| github.event.repository.fork == false && | |
| github.event.sender.login != 'dependabot[bot]' | |
| env: | |
| AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.CRASH_DUMPS_STORAGE_CONNECTION_STRING }} | |
| PSCOMPRESSION_VERSION: '2.1.0' | |
| run: | | |
| $dumps = Get-ChildItem -Path ${env:GITHUB_WORKSPACE} -Filter "*.dmp" -Recurse | |
| if ($null -ne $dumps) { | |
| $container = ${env:GITHUB_REPOSITORY}.Replace("/", "-") | |
| az storage container create --name $container --public-access off | Out-Null | |
| Install-Module PSCompression -RequiredVersion ${env:PSCOMPRESSION_VERSION} -AcceptLicense -Force -Scope CurrentUser | |
| $dumps | ForEach-Object { | |
| $zipPath = $_.FullName + ".zip" | |
| $zipName = $_.Name + ".zip" | |
| Write-Output "Compressing crash dump $($_.Name)..." | |
| Compress-ZipArchive -Path $_.FullName -Destination $zipPath | |
| az storage blob upload ` | |
| --container-name $container ` | |
| --file $zipPath ` | |
| --name $zipName ` | |
| --metadata "GITHUB_RUN_ATTEMPT=${env:GITHUB_RUN_ATTEMPT}" "GITHUB_WORKFLOW=${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/actions/runs/${env:GITHUB_RUN_ID}" "RUNNER_OS=${env:RUNNER_OS}" ` | |
| --overwrite true | |
| if ($LASTEXITCODE -eq 0) { | |
| Write-Output "::notice::Uploaded crash dump $($_.Name) to Azure Storage." | |
| } | |
| } | |
| } | |
| deploy-dev: | |
| if: github.event.repository.fork == false && github.ref_name == github.event.repository.default_branch | |
| name: dev | |
| needs: [ build ] | |
| uses: ./.github/workflows/deploy-app.yml | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| secrets: inherit | |
| with: | |
| application-name: ${{ needs.build.outputs.application-name }} | |
| container-image: ${{ needs.build.outputs.container-tag }} | |
| environment-name: dev | |
| environment-url: https://dev.martincostello.com | |
| ref: ${{ github.sha }} | |
| slot-name: dev | |
| deploy-prod: | |
| name: production | |
| needs: [ build, deploy-dev ] | |
| uses: ./.github/workflows/deploy-app.yml | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| secrets: inherit | |
| with: | |
| application-name: ${{ needs.build.outputs.application-name }} | |
| container-image: ${{ needs.build.outputs.container-tag }} | |
| environment-name: production | |
| environment-url: https://martincostello.com | |
| ref: ${{ github.sha }} | |
| slot-name: '' |