Bump github/codeql-action from 3.27.0 to 3.27.1 (#137) #171
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
concurrency: ${{ github.workflow }}-${{ github.ref }} | |
permissions: { } | |
env: | |
dotnet: 8.0.x | |
node: 20.x | |
Project: src/Serilog.Extensions.Formatting | |
PackageJson: src/Serilog.Extensions.Formatting/package.json | |
Csproj: src/Serilog.Extensions.Formatting/Serilog.Extensions.Formatting.csproj | |
PackageName: alexaka1.serilog.extensions.formatting | |
YARN_ENABLE_HARDENED_MODE: 1 | |
DOTNET_NOLOGO: true | |
DOTNET_CLI_TELEMETRY_OPTOUT: true | |
jobs: | |
tests: | |
name: Tests | |
uses: ./.github/workflows/tests.yml | |
permissions: | |
contents: read | |
check-release: | |
name: Prepare release | |
runs-on: ubuntu-24.04 | |
permissions: | |
pull-requests: write | |
contents: write | |
issues: read | |
id-token: write | |
attestations: write | |
outputs: | |
publishable: ${{ steps.pack.outputs.canPack == 'true'}} | |
version: ${{ steps.pack.outputs.version }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
aka.ms:443 | |
api.github.com:443 | |
api.nuget.org:443 | |
cdn.fwupd.org:443 | |
crl3.digicert.com:80 | |
dotnetbuilds.azureedge.net:443 | |
dotnetcli.azureedge.net:443 | |
dc.services.visualstudio.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
registry.yarnpkg.com:443 | |
repo.yarnpkg.com:443 | |
*.sigstore.dev:443 | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
- name: Setup Dotnet ${{ env.dotnet }} | |
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0 | |
with: | |
dotnet-version: ${{ env.dotnet }} | |
- name: Setup Node.js ${{ env.node }} | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version: ${{ env.node }} | |
- name: Enable Corepack | |
run: corepack enable | |
- name: Yarn install | |
run: yarn install --immutable | |
- uses: chainguard-dev/actions/setup-gitsign@57cb0b7560d9b9b081c15ac5ef689f73f4dda03e | |
- name: Create Release Pull Request or Prepare release | |
id: changesets | |
uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # v1.4.9 | |
with: | |
# outputs versionExists=true if version already exists on nuget | |
version: yarn run version ${{ env.PackageJson }} ${{ env.Csproj }} | |
setupGitUser: false | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Can pack? | |
id: pack | |
if: steps.changesets.outputs.hasChangesets == 'false' | |
shell: bash | |
run: | | |
set -e | |
VERSION=$(jq -r '.version' "${{ env.PackageJson }}") | |
echo "version=v$VERSION" >> "$GITHUB_OUTPUT" | |
AVAILABLE_VERSIONS=$(curl -s "https://api.nuget.org/v3-flatcontainer/${{ env.PackageName }}/index.json" | jq -r '.versions[]') | |
if echo "$AVAILABLE_VERSIONS" | grep -q "^$VERSION$"; then | |
echo "canPack=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "canPack=true" >> "$GITHUB_OUTPUT" | |
fi | |
- name: Dotnet restore | |
if: steps.pack.outputs.canPack == 'true' | |
run: dotnet restore ${{ env.Project }} | |
- name: Dotnet build | |
if: steps.pack.outputs.canPack == 'true' | |
run: dotnet build ${{ env.Project }} --configuration Release --no-restore | |
- name: Pack nupkg | |
if: steps.pack.outputs.canPack == 'true' | |
run: dotnet pack ${{ env.Project }} -c Release -o ${{ github.workspace }}/artifacts | |
- name: Generate nupkg attestation | |
if: steps.pack.outputs.canPack == 'true' | |
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | |
with: | |
subject-path: ${{ github.workspace }}/artifacts | |
- name: Upload nupkg | |
if: steps.pack.outputs.canPack == 'true' | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: nuget | |
path: ${{ github.workspace }}/artifacts | |
if-no-files-found: error | |
release: | |
name: Release package | |
environment: production | |
runs-on: ubuntu-latest | |
if: needs.check-release.outputs.publishable == 'true' | |
needs: | |
- check-release | |
- tests | |
permissions: | |
contents: write | |
id-token: write | |
env: | |
changelog: src/Serilog.Extensions.Formatting/CHANGELOG.md | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# we use credentials to push tags below | |
persist-credentials: true | |
- uses: chainguard-dev/actions/setup-gitsign@57cb0b7560d9b9b081c15ac5ef689f73f4dda03e | |
- name: Download nupkg | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: nuget | |
path: ${{ github.workspace }}/artifacts | |
github-token: ${{ github.token }} | |
- name: Setup Dotnet ${{ env.dotnet }} | |
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0 | |
with: | |
dotnet-version: ${{ env.dotnet }} | |
- name: Publish nupkg | |
run: dotnet nuget push ${{ github.workspace }}/artifacts/*.nupkg -s https://api.nuget.org/v3/index.json -k ${{ secrets.NUGET_API_KEY }} | |
- name: Create changelog for release | |
id: changelog | |
shell: bash | |
run: | | |
input_file="${{ env.changelog }}" | |
output_file="changes.md" | |
# Find the line number of the first version heading | |
start_line=$(grep -nE '^## [0-9]+\.[0-9]+\.[0-9]' "$input_file" | head -n 1 | cut -d: -f1) | |
# Find the line number of the next version heading, if it exists | |
end_line=$(grep -nE '^## [0-9]+\.[0-9]+\.[0-9]' "$input_file" | sed -n '2p' | cut -d: -f1) | |
if [ -z "$end_line" ]; then | |
# If there is no next version, extract till the end of the file | |
sed -n "${start_line},\$p" "$input_file" > "$output_file" | |
else | |
# Extract only the section for the uppermost version | |
sed -n "${start_line},$(($end_line-1))p" "$input_file" > "$output_file" | |
fi | |
echo "changes=$output_file" >> "$GITHUB_OUTPUT" | |
prerelease=false | |
if [ -f ".changeset/pre.json" ]; then | |
prerelease=true | |
fi | |
- name: Tag release | |
run: | | |
git tag -s ${{ needs.check-release.outputs.version }} -m "Release ${{ needs.check-release.outputs.version }}" | |
git push origin ${{ needs.check-release.outputs.version }} | |
- name: Create GitHub release | |
uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9 | |
with: | |
files: | | |
${{ github.workspace }}/artifacts/*.nupkg | |
${{ github.workspace }}/artifacts/*.snupkg | |
${{ env.changelog }} | |
body_path: ${{ steps.changelog.outputs.changes }} | |
body: Oh no, it looks like the change-notes were not generated correctly by the action. | |
draft: false | |
prerelease: ${{ steps.changelog.outputs.prerelease == 'true' }} | |
generate_release_notes: true | |
fail_on_unmatched_files: true | |
append_body: true | |
tag_name: ${{ needs.check-release.outputs.version }} | |
target_commitish: ${{ github.sha }} |