diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ddaa86af..451c3501 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,6 +23,11 @@ jobs:
 name: build-${{ matrix.os }}
 runs-on: ${{ matrix.os }}
+ permissions:
+ attestations: write
+ contents: read
+ id-token: write
+
 strategy:
 fail-fast: false
 matrix:
@@ -37,15 +42,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Setup .NET
- uses: actions/setup-dotnet@v4
- with:
- dotnet-version: |
- 6.0.423
- 7.0.410
- 8.0.302
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 # Arcade only allows the revision to contain up to two characters, and GitHub Actions does not roll-over
 # build numbers every day like Azure DevOps does. To balance these two requirements, set the official
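Review bot: The job-level `permissions` block grants `id-token: write` and `attestations: write` to every matrix leg and every trigger of `build`, while only the Windows tag build consumes them; GitHub cannot scope permissions per step, so that is acceptable, but a job-level block also leaves the other jobs (`validate-packages`, `push-packages-*`) on the repository's default token permissions, which this diff does not set. If the workflow has no top-level `permissions:` yet, adding `permissions:` / `  contents: read` at workflow level would give those jobs a read-only GITHUB_TOKEN and make the elevated scopes here the only exception. A one-line comment above the block, `# id-token/attestations are consumed only by the 'Attest artifacts' step (Windows leg, tags)`, would also tell the next reader why a build job needs OIDC.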
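Review bot: The removal of the `Setup .NET` step (with its three pinned SDK versions) is not explained anywhere in the hunk, so it is no longer visible where the build's SDK now comes from; presumably `./eng/common/cibuild.sh` (Arcade) provisions it itself, in which case a comment such as `# .NET SDKs are provisioned by eng/common/cibuild.sh; no setup-dotnet step is needed here` would stop someone re-adding the step. The SHA pin on `actions/checkout` with the `# v4.1.7` trailer is the right shape, but the version comment only stays truthful if something bumps it together with the SHA — worth confirming that a Dependabot or Renovate rule for the `github-actions` ecosystem exists, or the pins will silently age. The enclosing `steps:` list of `build` continues past this hunk.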
@@ -73,22 +70,33 @@ jobs:
 shell: pwsh
 run: ./eng/common/cibuild.sh -configuration Release -prepareMachine -integrationTest /p:SuppressSymbolPackageFormatValidation=true
+ - name: Attest artifacts
+ uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+ if: |
+ runner.os == 'Windows' &&
+ github.event.repository.fork == false &&
+ startsWith(github.ref, 'refs/tags/')
+ with:
+ subject-path: |
+ ./artifacts/bin/**/Release/**/OpenIddict.*.dll
+ ./artifacts/packages/Release/Shipping/*
+
 - name: Publish logs
 if: ${{ always() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: logs-${{ matrix.os_name }}
 path: ./artifacts/log/Release
 - name: Publish NuGet packages
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: packages-${{ matrix.os_name }}
 path: ./artifacts/packages/Release/Shipping
 - name: Publish test results
 if: ${{ always() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: testresults-${{ matrix.os_name }}
 path: ./artifacts/TestResults/Release
@@ -98,14 +106,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download packages
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
 with:
 name: packages-windows
 - name: Setup .NET
- uses: actions/setup-dotnet@v4
- with:
- dotnet-version: '8.0.302'
+ uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
 - name: Validate NuGet packages
 shell: pwsh
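Review bot: The new `Attest artifacts` step carries no comment saying why it is limited to `runner.os == 'Windows'` and to tags, although the reason is visible elsewhere in the file — the later jobs download only `packages-windows`, so those are the packages that are validated and pushed; a comment above the step such as `# Only the Windows leg's packages are validated and published (packages-windows), and only tag builds reach NuGet.org, so only those outputs are attested` would tie the pieces together. The second `subject-path` entry, `./artifacts/packages/Release/Shipping/*`, has to stay aligned with `path: ./artifacts/packages/Release/Shipping` in `Publish NuGet packages` below, so that what is attested is exactly what is uploaded and later pushed; a short comment noting that coupling would protect it against one side being changed alone. The `steps:` list of `build` begins before this hunk.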
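Review bot: Dropping `dotnet-version: '8.0.302'` from the `Setup .NET` step in `validate-packages` makes the SDK used for validation implicit: this job only downloads `packages-windows` and never checks out the repository, so there is no `global.json` for `setup-dotnet` to fall back on, and the effective version becomes whatever the action or the `ubuntu-latest` image provides at the time. For a job whose purpose is a reproducible validation pass, an explicit pin is preferable — keep `with:` / `  dotnet-version: '8.0.302'` (or an `8.0.x` range if patch drift is acceptable) under the pinned `uses:`. If the intent was deliberately to rely on the image's default SDK, a comment stating that would stop the next reviewer from re-adding the version.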
@@ -121,42 +127,51 @@ jobs:
 }
 if ($invalidPackages -gt 0) {
 Write-Output "::error::$invalidPackages NuGet package(s) failed validation."
+ exit 1
 }
 push-packages-myget:
- needs: validate-packages
+ needs: [ build, validate-packages ]
 runs-on: ubuntu-latest
 if: |
- github.event.repository.fork == false &&
- (github.ref == 'refs/heads/dev' || startsWith(github.ref, 'refs/heads/rel/') || startsWith(github.ref, 'refs/tags/'))
+ (github.ref_name == github.event.repository.default_branch ||
+ startsWith(github.ref, 'refs/heads/dev') ||
+ startsWith(github.ref, 'refs/heads/rel/') ||
+ startsWith(github.ref, 'refs/tags/'))
 steps:
 - name: Download packages
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
 with:
 name: packages-windows
 - name: Setup NuGet
- uses: nuget/setup-nuget@v2
+ uses: nuget/setup-nuget@a21f25cd3998bf370fde17e3f1b4c12c175172f9 # v2.0.0
 with:
 nuget-version: '5.11.0'
 - name: Push packages to MyGet.org
- run: nuget push "*.nupkg" -ApiKey ${{ secrets.MYGET_API_KEY }} -SkipDuplicate -Source https://www.myget.org/F/openiddict/api/v3/index.json
+ env:
+ MYGET_API_KEY: ${{ secrets.MYGET_API_KEY }}
+ run: nuget push "*.nupkg" -ApiKey "${MYGET_API_KEY}" -SkipDuplicate -Source https://www.myget.org/F/openiddict/api/v3/index.json
 push-packages-nuget:
- needs: validate-packages
+ needs: [ build, validate-packages ]
 runs-on: ubuntu-latest
- if: github.event.repository.fork == false && startsWith(github.ref, 'refs/tags/')
+ if: |
+ github.event.repository.fork == false &&
+ startsWith(github.ref, 'refs/tags/')
 steps:
 - name: Download packages
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
 with:
 name: packages-windows
 - name: Setup NuGet
- uses: nuget/setup-nuget@v2
+ uses: nuget/setup-nuget@a21f25cd3998bf370fde17e3f1b4c12c175172f9 # v2.0.0
 with:
 nuget-version: '5.11.0'
 - name: Push packages to NuGet.org
- run: nuget push 
"*.nupkg" -ApiKey ${{ secrets.NUGET_API_KEY }} -SkipDuplicate -Source https://api.nuget.org/v3/index.json
+ env:
+ NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+ run: nuget push "*.nupkg" -ApiKey "${NUGET_API_KEY}" -SkipDuplicate -Source https://api.nuget.org/v3/index.json
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 5f692771..b4d55a76 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -10,16 +10,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Generate sponsors section
- uses: JamesIves/github-sponsors-readme-action@v1
+ uses: JamesIves/github-sponsors-readme-action@1fb9ea792bba91e6c450e4aaefe951c245b789ed # v1.3.1
 with:
 token: ${{ secrets.SPONSORS_TOKEN }}
 file: 'README.md'
 - name: Deploy to GitHub Pages
- uses: JamesIves/github-pages-deploy-action@v4
+ uses: JamesIves/github-pages-deploy-action@5c6e9e9f3672ce8fd37b9856193d2a537941e66c # v4.6.0
 with:
 branch: dev
 folder: '.'
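Review bot: In `push-packages-myget`, `startsWith(github.ref, 'refs/heads/dev')` replaces the former equality test `github.ref == 'refs/heads/dev'`, so any branch whose name merely begins with `dev` (a `dev-experiment` or `develop` branch, for instance) would now trigger a push to MyGet; the neighbouring `rel/` clause keeps its trailing slash, which suggests the prefix match here is unintended — `github.ref == 'refs/heads/dev' ||` restores the previous behaviour. The same job also drops the `github.event.repository.fork == false` guard that `push-packages-nuget` keeps in its new `if: |` block; on a fork the `MYGET_API_KEY` secret is normally absent, so the consequence is a failing `nuget push` rather than a stray publish, but the asymmetry deserves either a restored guard or a comment explaining why the default-branch clause is meant to cover forks. Moving both API keys into `env:` and passing them as `"${MYGET_API_KEY}"` / `"${NUGET_API_KEY}"` is the right fix for expression injection into `run:`; the key still appears as a `nuget` command-line argument, which GitHub's secret masking hides in logs, so no further change is needed there. The new `exit 1` after the `::error::` line makes a validation failure actually fail `validate-packages`, which the added `needs: [ build, validate-packages ]` then correctly gates both push jobs on.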