microsoft/hve-core
Publicmirrored from https://github.com/microsoft/hve-coreAvailable
.github/workflows/main.yml
180lines · modecode
| 1 | name: Main Branch CI |
| 2 | |
| 3 | on: |
| 4 | push: |
| 5 | branches: |
| 6 | - main |
| 7 | |
| 8 | workflow_dispatch: |
| 9 | |
| 10 | concurrency: |
| 11 | group: ${{ github.workflow }}-${{ github.ref }} |
| 12 | cancel-in-progress: false |
| 13 | |
| 14 | # Minimal permissions for security |
| 15 | permissions: |
| 16 | contents: read |
| 17 | |
| 18 | jobs: |
| 19 | spell-check: |
| 20 | name: Spell Check |
| 21 | uses: ./.github/workflows/spell-check.yml |
| 22 | permissions: |
| 23 | contents: read |
| 24 | with: |
| 25 | soft-fail: false |
| 26 | |
| 27 | markdown-lint: |
| 28 | name: Markdown Lint |
| 29 | uses: ./.github/workflows/markdown-lint.yml |
| 30 | permissions: |
| 31 | contents: read |
| 32 | with: |
| 33 | soft-fail: false |
| 34 | |
| 35 | table-format: |
| 36 | name: Table Format Check |
| 37 | uses: ./.github/workflows/table-format.yml |
| 38 | permissions: |
| 39 | contents: read |
| 40 | with: |
| 41 | soft-fail: false |
| 42 | |
| 43 | dependency-pinning-scan: |
| 44 | name: Dependency Pinning Scan |
| 45 | uses: ./.github/workflows/dependency-pinning-scan.yml |
| 46 | permissions: |
| 47 | contents: read |
| 48 | security-events: write |
| 49 | with: |
| 50 | soft-fail: false |
| 51 | upload-sarif: true |
| 52 | upload-artifact: true |
| 53 | |
| 54 | pester-tests: |
| 55 | name: PowerShell Tests |
| 56 | uses: ./.github/workflows/pester-tests.yml |
| 57 | permissions: |
| 58 | contents: read |
| 59 | id-token: write |
| 60 | with: |
| 61 | soft-fail: false |
| 62 | changed-files-only: false |
| 63 | code-coverage: true |
| 64 | |
| 65 | release-please: |
| 66 | name: Release Please |
| 67 | needs: |
| 68 | - spell-check |
| 69 | - markdown-lint |
| 70 | - table-format |
| 71 | - dependency-pinning-scan |
| 72 | - pester-tests |
| 73 | runs-on: ubuntu-latest |
| 74 | outputs: |
| 75 | release_created: ${{ steps.release.outputs.release_created }} |
| 76 | tag_name: ${{ steps.release.outputs.tag_name }} |
| 77 | version: ${{ steps.release.outputs.version }} |
| 78 | major: ${{ steps.release.outputs.major }} |
| 79 | minor: ${{ steps.release.outputs.minor }} |
| 80 | patch: ${{ steps.release.outputs.patch }} |
| 81 | permissions: |
| 82 | contents: read |
| 83 | steps: |
| 84 | - name: Generate GitHub App Token |
| 85 | id: app-token |
| 86 | uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.0.0 |
| 87 | with: |
| 88 | app-id: ${{ vars.RELEASE_APP_ID }} |
| 89 | private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} |
| 90 | |
| 91 | - name: Run release-please |
| 92 | id: release |
| 93 | uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 |
| 94 | with: |
| 95 | token: ${{ steps.app-token.outputs.token }} |
| 96 | config-file: release-please-config.json |
| 97 | manifest-file: .release-please-manifest.json |
| 98 | |
| 99 | extension-package-release: |
| 100 | name: Package VS Code Extensions (Release) |
| 101 | needs: [release-please] |
| 102 | if: ${{ needs.release-please.outputs.release_created == 'true' }} |
| 103 | uses: ./.github/workflows/extension-package.yml |
| 104 | with: |
| 105 | version: ${{ needs.release-please.outputs.version }} |
| 106 | permissions: |
| 107 | contents: read |
| 108 | |
| 109 | discover-release-collections: |
| 110 | name: Discover Release Collections |
| 111 | needs: [release-please, extension-package-release] |
| 112 | if: ${{ needs.release-please.outputs.release_created == 'true' }} |
| 113 | runs-on: ubuntu-latest |
| 114 | outputs: |
| 115 | matrix: ${{ steps.discover.outputs.matrix }} |
| 116 | steps: |
| 117 | - name: Checkout code |
| 118 | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 |
| 119 | with: |
| 120 | persist-credentials: false |
| 121 | |
| 122 | - name: Discover collection manifests |
| 123 | id: discover |
| 124 | shell: bash |
| 125 | run: | |
| 126 | collections_dir="extension/collections" |
| 127 | matrix_json=$(find "$collections_dir" -name '*.collection.json' -type f | sort | while IFS= read -r file; do |
| 128 | id=$(jq -r '.id' "$file") |
| 129 | echo "{\"id\":\"$id\"}" |
| 130 | done | jq -s '{include: .}') |
| 131 | echo "matrix=$matrix_json" >> "$GITHUB_OUTPUT" |
| 132 | |
| 133 | attest-and-upload: |
| 134 | name: Attest and Upload (${{ matrix.id }}) |
| 135 | needs: [release-please, extension-package-release, discover-release-collections] |
| 136 | if: ${{ needs.release-please.outputs.release_created == 'true' }} |
| 137 | runs-on: ubuntu-latest |
| 138 | strategy: |
| 139 | fail-fast: false |
| 140 | matrix: ${{ fromJson(needs.discover-release-collections.outputs.matrix) }} |
| 141 | permissions: |
| 142 | contents: write |
| 143 | id-token: write |
| 144 | attestations: write |
| 145 | steps: |
| 146 | - name: Download VSIX artifact |
| 147 | uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 |
| 148 | with: |
| 149 | name: extension-vsix-${{ matrix.id }} |
| 150 | path: ./dist |
| 151 | |
| 152 | - name: Attest build provenance |
| 153 | uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 |
| 154 | with: |
| 155 | subject-path: 'dist/*.vsix' |
| 156 | |
| 157 | - name: Upload VSIX to GitHub Release |
| 158 | env: |
| 159 | GH_TOKEN: ${{ github.token }} |
| 160 | run: | |
| 161 | VSIX_FILE=$(find dist -name '*.vsix' | head -1) |
| 162 | if [ -z "$VSIX_FILE" ]; then |
| 163 | echo "::error::No VSIX file found for collection ${{ matrix.id }}" |
| 164 | exit 1 |
| 165 | fi |
| 166 | gh release upload "${{ needs.release-please.outputs.tag_name }}" "$VSIX_FILE" --clobber -R "${{ github.repository }}" |
| 167 | |
| 168 | publish-release: |
| 169 | name: Publish GitHub Release |
| 170 | needs: [release-please, attest-and-upload] |
| 171 | if: ${{ needs.release-please.outputs.release_created == 'true' }} |
| 172 | runs-on: ubuntu-latest |
| 173 | permissions: |
| 174 | contents: write |
| 175 | steps: |
| 176 | - name: Publish GitHub Release |
| 177 | env: |
| 178 | GH_TOKEN: ${{ github.token }} |
| 179 | run: | |
| 180 | gh release edit "${{ needs.release-please.outputs.tag_name }}" --draft=false -R "${{ github.repository }}" |
| 181 | |