Feature/test SBOM analyser build #176
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '*' | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| forcePublish: | |
| description: When true the Publish stage will always be run, otherwise it only runs for tagged versions. | |
| required: false | |
| default: false | |
| type: boolean | |
| skipCleanup: | |
| description: When true the pipeline clean-up stage will not be run. For example, the cache used between pipeline stages will be retained. | |
| required: false | |
| default: false | |
| type: boolean | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| actions: write # enable cache clean-up | |
| checks: write # enable test result annotations | |
| contents: write # enable creating releases | |
| issues: read | |
| packages: write # enable publishing packages | |
| pull-requests: write # enable test result annotations | |
| id-token: write # enable generating new GitHub token | |
| jobs: | |
| prepareConfig: | |
| name: Prepare Configuration | |
| runs-on: ubuntu-latest | |
| outputs: | |
| RESOLVED_ENV_VARS: ${{ steps.prepareEnvVarsAndSecrets.outputs.environmentVariablesJsonBase64 }} | |
| RESOLVED_SECRETS: ${{ steps.prepareEnvVarsAndSecrets.outputs.secretsJsonBase64 }} | |
| steps: | |
| # We need a token that will have permissions to the endjin/endjin-sbom-analyser repo | |
| - name: Generate token | |
| id: generate_token | |
| uses: tibdex/github-app-token@v1 | |
| with: | |
| app_id: ${{ secrets.ENDJIN_BOT_APP_ID }} | |
| private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }} | |
| # Declare any environment variables and/or secrets that need to be available inside the build process | |
| - uses: endjin/Endjin.RecommendedPractices.GitHubActions/actions/prepare-env-vars-and-secrets@main | |
| id: prepareEnvVarsAndSecrets | |
| with: | |
| environmentVariablesJson: | | |
| { | |
| "BUILDVAR_NuGetPublishSource": "${{ startsWith(github.ref, 'refs/tags/') && 'https://api.nuget.org/v3/index.json' || 'https://nuget.pkg.github.com/endjin/index.json' }}" | |
| } | |
| secretsJson: | | |
| { | |
| "NUGET_API_KEY": "${{ startsWith(github.ref, 'refs/tags/') && secrets.ENDJIN_NUGET_APIKEY || secrets.ENDJIN_GITHUB_PUBLISHER_PAT }}", | |
| } | |
| build: | |
| needs: prepareConfig | |
| uses: endjin/Endjin.RecommendedPractices.GitHubActions/.github/workflows/scripted-build-pipeline.yml@feature/custom-github-token | |
| with: | |
| netSdkVersion: '7.x' | |
| # workflow_dispatch inputs are always strings, the type property is just for the UI | |
| forcePublish: ${{ github.event.inputs.forcePublish == 'true' }} | |
| skipCleanup: ${{ github.event.inputs.skipCleanup == 'true' }} | |
| compilePhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }} | |
| publishPhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }} | |
| publishPhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }} | |
| secrets: | |
| compilePhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_READER_CREDENTIALS }} | |
| githubReaderPat: ${{ secrets.ENDJIN_GITHUB_READER_PAT }} |