.github/workflows/main.yml
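name: Main Branch CI

on:
  push:
    branches:
      - main

  workflow_dispatch:

# One run per ref at a time. In-flight runs are deliberately not cancelled:
# a release run killed half-way could leave a tag or draft release behind
# without its assets or attestation.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Read-only by default. Every job below lists its own permissions and only
# widens what that job demonstrably needs.
permissions:
  contents: read

jobs:
  spell-check:
    name: Spell Check
    uses: ./.github/workflows/spell-check.yml
    permissions:
      contents: read
    with:
      soft-fail: false

  markdown-lint:
    name: Markdown Lint
    uses: ./.github/workflows/markdown-lint.yml
    permissions:
      contents: read
    with:
      soft-fail: false

  table-format:
    name: Table Format Check
    uses: ./.github/workflows/table-format.yml
    permissions:
      contents: read
    with:
      soft-fail: false

  dependency-pinning-scan:
    name: Dependency Pinning Scan
    uses: ./.github/workflows/dependency-pinning-scan.yml
    permissions:
      contents: read
      # Required for the SARIF upload enabled by `upload-sarif: true` below.
      security-events: write
    with:
      soft-fail: false
      upload-sarif: true
      upload-artifact: true

  pester-tests:
    name: PowerShell Tests
    uses: ./.github/workflows/pester-tests.yml
    permissions:
      contents: read
      # NOTE(review): id-token: write mints OIDC tokens; presumably the reusable
      # workflow uses one for an authenticated coverage upload. Confirm it is
      # still needed and drop it otherwise.
      id-token: write
    with:
      soft-fail: false
      changed-files-only: false
      code-coverage: true

  release-please:
    name: Release Please
    # Gate the release on every check so a failing lint/test cannot produce a tag.
    needs:
      - spell-check
      - markdown-lint
      - table-format
      - dependency-pinning-scan
      - pester-tests
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      version: ${{ steps.release.outputs.version }}
      major: ${{ steps.release.outputs.major }}
      minor: ${{ steps.release.outputs.minor }}
      patch: ${{ steps.release.outputs.patch }}
    # The job's own token stays read-only; release-please writes through a
    # GitHub App installation token instead (presumably so the tag/release it
    # creates can trigger downstream workflows -- confirm against the App setup).
    permissions:
      contents: read
    steps:
      - name: Generate GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.0.0
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          # Scope the installation token to what release-please uses (release
          # PR, tag and release). Without these lines the token carries every
          # permission granted to the App installation. If labelling the
          # release PR is rejected, add `permission-issues: write`.
          permission-contents: write
          permission-pull-requests: write

      - name: Run release-please
        id: release
        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json

  extension-package-release:
    name: Package VS Code Extension (Release)
    needs: [release-please]
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    uses: ./.github/workflows/extension-package.yml
    with:
      version: ${{ needs.release-please.outputs.version }}
    # NOTE(review): the job below downloads an artifact named `extension-vsix`;
    # this reusable workflow must upload it under that name.
    permissions:
      contents: read

  attest-and-upload:
    name: Attest and Upload Release Assets
    needs: [release-please, extension-package-release]
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # gh release upload / gh release edit
      id-token: write # OIDC identity used to sign the provenance attestation
      attestations: write # store the attestation on the repository
    steps:
      - name: Download VSIX artifact
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: extension-vsix
          path: ./dist

      # Attest before uploading so the published asset is exactly the file
      # covered by the provenance statement.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
        with:
          subject-path: 'dist/*.vsix'

      - name: Upload VSIX to GitHub Release
        # Explicit bash => `-eo pipefail`; the default shell only sets `-e`.
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          # Workflow values are passed through env rather than interpolated
          # with ${{ }} into the script, so they are never re-parsed by the
          # shell (template-injection pattern flagged by zizmor/CodeQL).
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
        run: |
          shopt -s nullglob
          # Same glob as the attestation's subject-path: upload exactly the
          # set of files that was attested, not just the first one found.
          vsix_files=(dist/*.vsix)
          if [ "${#vsix_files[@]}" -eq 0 ]; then
            echo "::error::No VSIX file found in dist/"
            exit 1
          fi
          gh release upload "$TAG_NAME" "${vsix_files[@]}" --clobber -R "$GITHUB_REPOSITORY"

      # Assumes release-please is configured (release-please-config.json) to
      # create the release as a draft; this step publishes it once the
      # attested assets are attached. Confirm against the config file.
      - name: Publish GitHub Release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
        run: |
          gh release edit "$TAG_NAME" --draft=false -R "$GITHUB_REPOSITORY"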