
ci: Improve security #1023


Workflow file for this run

# This workflow will build a .NET project
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
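name: .NET

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

env:
  # Quoted so every YAML loader treats these as strings; environment
  # variables are always strings once they reach the process.
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
  DOTNET_NOLOGO: "true"
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"
  DOTNET_CLI_TELEMETRY_OPTOUT: "true"

# Least privilege: the workflow token may only read repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Keep this as the first step so the policy is in place before any
      # other action or script runs on the runner.
      - name: 🛡️ Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          # Outbound traffic is denied unless the host is listed below.
          egress-policy: block
          # NOTE(review): storage.googleapis.com is a shared hosting domain,
          # so allowing it permits traffic to any bucket served from it.
          # Keep it only if a step needs it, and re-check this list whenever
          # a step is added or removed.
          allowed-endpoints: >
            aka.ms:443
            api.codecov.io:443
            api.nuget.org:443
            auth.docker.io:443
            cli.codecov.io:443
            dotnetcli.azureedge.net:443
            github.com:443
            objects.githubusercontent.com:443
            production.cloudflare.docker.com:443
            registry-1.docker.io:443
            storage.googleapis.com:443

      # Third-party actions are pinned to a full commit SHA; the trailing
      # version comment is informational and must be updated with the SHA.
      - name: 🛒 Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          fetch-depth: 0
          # No later step pushes or fetches, so do not leave the workflow
          # token in the local git config where build and test code can
          # read it.
          persist-credentials: false

      - name: 🧰 Setup .NET
        uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
        with:
          dotnet-version: |
            6.x
            8.x
          global-json-file: global.json

      - name: 🗃️ Setup NuGet cache
        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
          restore-keys: ${{ runner.os }}-nuget-

      # Locked mode fails the restore when the resolved packages would differ
      # from packages.lock.json, so dependency changes must be committed.
      - name: 📥 Restore dependencies
        run: dotnet restore --locked-mode

      - name: 🏗️ Build
        run: dotnet build --no-restore

      - name: ✅ Test
        run: dotnet test --no-build --verbosity normal /p:CollectCoverage=true /p:CoverletOutputFormat=opencover

      # The token is exposed to this step only. Secrets are not passed to
      # runs triggered by pull requests from forks, so it is empty there.
      - name: ☂️ Upload coverage reports to Codecov
        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}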