Skip to content

[deps]: Update System.Text.Json to 8.0.5 [SECURITY] (#162) #494

[deps]: Update System.Text.Json to 8.0.5 [SECURITY] (#162)

[deps]: Update System.Text.Json to 8.0.5 [SECURITY] (#162) #494

Workflow file for this run

name: main
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- published
env:
# Setting these variables allows .NET CLI to use rich color codes in console output
TERM: xterm
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: true
# Skip boilerplate output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_NOLOGO: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
# Note that as much as we'd love to avoid repetitive work, splitting the pipeline into separate jobs
# makes it very difficult to share artifacts between them. Even if we succeed, we'll still end up
# pushing and pulling gigabytes worth of data, which makes the jobs so much slower that we might as
# well just repeat the checkout-restore-build steps instead.
# Having a setup that involves separate jobs gives us significant benefits, on the other hand, namely:
# - Most of the jobs can run in parallel, which reduces the overall execution time significantly,
# despite the repetitive work.
# - We can catch more issues this way, for example if the formatting job fails, we can still see the
# the test results too.
# - If one of the jobs fails due to reasons unrelated to our code (e.g. NuGet server is down), we get
# the option to rerun only that job, saving us time.
# - It's easier to understand what each job does (and later, read its output) because the scope is much
# more narrow.
# - We can set permissions on a more granular (per-job) level, which allows us to expose only a few select
# steps to more sensitive access scopes.
jobs:
# Determine version
version:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Determine stable version
id: stable-version
if: ${{ github.event_name == 'release' }}
run: |
if ! [[ "${{ github.event.release.tag_name }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then
echo "Invalid version: ${{ github.event.release.tag_name }}"
exit 1
fi
echo "version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
- name: Determine prerelease version
id: pre-version
if: ${{ github.event_name != 'release' }}
run: |
hash="${{ github.event.pull_request.head.sha || github.sha }}"
echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT
outputs:
version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }}
# Check formatting
format:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install .NET
uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
- name: Validate format
run: dotnet format --verify-no-changes
# Run tests
test:
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
# Windows runners don't support Linux Docker containers (needed for tests),
# so we currently cannot run tests on Windows.
# - windows-latest
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install .NET
uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
- name: Run restore
run: dotnet restore
- name: Run build
run: >
dotnet build
--no-restore
--configuration Release
- name: Run tests
run: >
dotnet test
--no-restore
--no-build
--configuration Release
${{ runner.os == 'Windows' && '-p:IncludeNetCoreAppTargets=false' || '' }}
--logger "GitHubActions;summary.includePassedTests=true;summary.includeSkippedTests=true"
--collect:"XPlat Code Coverage"
--
RunConfiguration.CollectSourceInformation=true
DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
- name: Upload coverage
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
# Pack the output into NuGet packages
pack:
needs: version
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install .NET
uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
- name: Run restore
run: dotnet restore
- name: Run build
run: >
dotnet build
--no-restore
--configuration Release
-p:ContinuousIntegrationBuild=true
- name: Run pack
run: >
dotnet pack
-p:Version=${{ needs.version.outputs.version }}
-p:ContinuousIntegrationBuild=true
--no-restore
--no-build
--configuration Release
- name: Upload artifacts
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: packages
path: "**/*.nupkg"
# Dispatch a separate deployment workflow in a private repository
deploy:
# Remove this if we end up adding more environments than just NuGet
if: ${{ github.event_name == 'release' }}
needs:
- version
- format
- test
- pack
strategy:
matrix:
environment:
- nuget
# - myget
exclude:
# Exclude NuGet if not triggered by a release event
# https://stackoverflow.com/questions/65384420/how-do-i-make-a-github-action-matrix-element-conditional
- environment: ${{ github.event_name != 'release' && 'nuget' }}
runs-on: ubuntu-latest
permissions: {} # no permissions required
steps:
- name: Dispatch deployment
env:
GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
run: >
gh workflow run deploy-passwordless-dotnet
--repo bitwarden/passwordless-devops
--field repository=${{ github.repository }}
--field run-id=${{ github.run_id }}
--field artifact=packages
--field environment=${{ matrix.environment }}
--field version=${{ needs.version.outputs.version }}