From c338731dfdf64772644dd2ca94219f6c12a5a9d6 Mon Sep 17 00:00:00 2001 From: Thomas Nieto <38873752+ThomasNieto@users.noreply.github.com> Date: Sun, 15 Sep 2024 18:15:34 -0500 Subject: [PATCH] Add CI and linting --- .github/workflows/ci.yml | 114 +++++++++++++++++++++++++++++++++++++ .github/workflows/lint.yml | 49 ++++++++++++++++ PesterSettings.psd1 | 8 +++ SignSettings.psd1 | 5 ++ 4 files changed, 176 insertions(+) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/lint.yml create mode 100644 PesterSettings.psd1 create mode 100644 SignSettings.psd1 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..3c59649 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,114 @@ +name: CI + +defaults: + run: + shell: pwsh + +on: + push: + branches: [ main ] + + pull_request: + branches: [ main ] + + release: + types: [ published ] + +jobs: + Build: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Upload module + uses: actions/upload-artifact@v4 + with: + name: module + path: ./src/ + + Test: + needs: Build + runs-on: windows-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Download module + uses: actions/download-artifact@v4 + with: + name: module + path: C:\Users\runneradmin\Documents\PowerShell\Modules\AnyPackage.Pkgx\ + + - name: Install pkgx + run: curl -Ssf https://pkgx.sh | sh + + - name: Install AnyPackage module + run: Install-Module AnyPackage -Force -AllowClobber + + - name: Test with Pester + run: | + $ht = Import-PowerShellDataFile PesterSettings.psd1 + $config = New-PesterConfiguration $ht + Invoke-Pester -Configuration $config + + Sign: + needs: Test + if: github.event_name == 'release' && github.event.action == 'published' + runs-on: windows-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Import certificate + env: + CERTIFICATE_BASE64: ${{ secrets.CERTIFICATE_BASE64 }} + CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} + CERTIFICATE_PASSWORD_KEY_BASE64: ${{ secrets.CERTIFICATE_PASSWORD_KEY_BASE64 }} + run: | + [convert]::FromBase64String($env:CERTIFICATE_BASE64) | Set-Content -Path cert.pfx -AsByteStream + $key = [convert]::FromBase64String($env:CERTIFICATE_PASSWORD_KEY_BASE64) + $password = ConvertTo-SecureString $env:CERTIFICATE_PASSWORD -Key $key + Import-PfxCertificate cert.pfx -Password $password -CertStoreLocation Cert:\CurrentUser\My + + - name: Sign files + run: | + $config = Import-PowerShellDataFile SignSettings.psd1 + $config['Certificate'] = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert + Set-Location .\src + Set-AuthenticodeSignature @config + + - name: Create and sign catalog file + run: | + $config = Import-PowerShellDataFile SignSettings.psd1 + $config['FilePath'] = 'AnyPackage.Pkgx.cat' + $config['Certificate'] = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert + Set-Location .\src + New-FileCatalog $config['FilePath'] -CatalogVersion 2 + Set-AuthenticodeSignature @config + + - name: Upload module + uses: actions/upload-artifact@v4 + with: + name: module-signed + path: ./src/ + + Publish: + needs: Sign + if: github.event_name == 'release' && github.event.action == 'published' + runs-on: ubuntu-latest + steps: + + - name: Download module + uses: actions/download-artifact@v4 + with: + name: module-signed + path: '~/.local/share/powershell/Modules/AnyPackage.Pkgx' + + - name: Install AnyPackage + run: Install-Module AnyPackage -Force -AllowClobber + + - name: Publish Module + env: + NUGET_KEY: ${{ secrets.NUGET_KEY }} + run: Publish-Module -Name AnyPackage.Pkgx -NuGetApiKey $env:NUGET_KEY diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..bb7960b --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,49 @@ +name: Lint + +defaults: + run: + shell: pwsh + +on: + push: + branches: [ "main" ] + + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + psscriptanalzyer: + permissions: + contents: read + security-events: write + name: PSScriptAnalyzer + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Install AnyPackage and ConvertToSARIF + run: Install-Module AnyPackage, ConvertToSARIF -Force -AllowClobber + + - name: Run PSScriptAnalyzer + run: | + Import-Module AnyPackage, ConvertToSARIF + Invoke-ScriptAnalyzer -Path . -Recurse | ConvertTo-SARIF -FilePath results.sarif + + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif + + markdown: + name: Markdown + runs-on: ubuntu-latest + steps: + - name: "Checkout repository" + uses: "actions/checkout@v4" + + - name: "Lint markdown" + uses: DavidAnson/markdownlint-cli2-action@v16 diff --git a/PesterSettings.psd1 b/PesterSettings.psd1 new file mode 100644 index 0000000..39e3849 --- /dev/null +++ b/PesterSettings.psd1 @@ -0,0 +1,8 @@ +@{ + Run = @{ + Exit = $true + } + Output = @{ + Verbosity = 'Detailed' + } +} \ No newline at end of file diff --git a/SignSettings.psd1 b/SignSettings.psd1 new file mode 100644 index 0000000..17a008f --- /dev/null +++ b/SignSettings.psd1 @@ -0,0 +1,5 @@ +@{ + FilePath = @('AnyPackage.Pkgx.psd1', 'AnyPackage.Pkgx.psm1') + TimeStampServer = 'http://timestamp.sectigo.com' + HashAlgorithm = 'SHA256' +}