From de625993bd16fa2afd2aa2709b6453306867bd01 Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 01:49:35 +0100 Subject: [PATCH 1/8] feat(ci): add prototype publish workflow --- .github/workflows/publish.yml | 84 +++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..7be144b --- /dev/null +++ b/.github/workflows/publish.yml 
@@ -0,0 +1,84 @@
+name: Build and Publish
+
+on:
+ push:
+ branches: ["main", "feature/**"]
+ tags: ["**"]
+ pull_request:
+ types: [reopened, ready_for_review, review_requested]
+ branches: ["**"]
+ workflow_dispatch:
+
+env:
+ PROJECT_NAME: BankApi.Service.Stable
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ build-and-publish:
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
+
+ permissions:
+ contents: read # for actions/checkout
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+ disable-sudo-and-containers: true
+ - name: Optimize Git config for CI
+ run: |
+ # Disable compression for faster network transfer.
+ git config --global core.compression 0
+ # Turn off fsync
+ git config --global core.fsync -all
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+ - name: Set up .NET
+ uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+ with:
+ global-json-file: global.json # just for explicitness
+ - name: Restore dependencies
+ run: dotnet restore ${{env.PROJECT_NAME}}
+ - name: Build
+ run: dotnet build ${{env.PROJECT_NAME}} --no-restore --configuration Release
+ - name: Publish
+ run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/myapp
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ id: upload-app
+ with:
+ name: myapp
+ path: artifacts/myapp
+ if-no-files-found: error
+
+ generate-attestations:
+ needs: build-and-publish
+ runs-on: ubuntu-24.04
+ timeout-minutes: 15
+
+ permissions:
+ id-token: write # for OIDC token
+ attestations: write
+ artifact-metadata: write
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+
egress-policy: audit
+ disable-telemetry: true
+ disable-sudo-and-containers: true
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+ with:
+ subject-digest: sha256:${{ steps.upload-app.outputs.artifact-digest }}
+ show-summary: true
+ push-to-registry: true
From f52647abbca20c28f9b2acaf51a4b9fd6ff5be5c Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 01:53:44 +0100 Subject: [PATCH 2/8] chore(ci): add subject name to attestation step --- .github/workflows/publish.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7be144b..b401d8a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -79,6 +79,7 @@ jobs: - name: Generate artifact attestation uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: + subject-name: myapp subject-digest: sha256:${{ steps.upload-app.outputs.artifact-digest }} show-summary: true push-to-registry: true
From 6fde448e82e4b43a2bee773972d40b4053a9a52e Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 01:59:42 +0100 Subject: [PATCH 3/8] chore(ci): add app artifact output allows consumption for attestation --- .github/workflows/publish.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b401d8a..db2d11b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,6 +26,9 @@ jobs: permissions: contents: read # for actions/checkout + outputs: + app-artifact-digest: ${{ steps.upload-app.outputs.artifact-digest }} + steps: - name: Harden Runner uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
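Review bot: The `generate-attestations` job holds `id-token: write` and `attestations: write` for every trigger in the `on:` block, so a `pull_request` event from a same-repo branch gets signed provenance under this workflow's identity for code nobody has reviewed yet, and for pull requests from forks I believe no OIDC token is issued at all, so that job simply fails. Gate it with `if: github.event_name != 'pull_request'` on the job, or leave `pull_request` out of a publish workflow entirely. Separately, `egress-policy: audit` on both Harden Runner steps only logs outbound connections; for the job that holds the OIDC credential, `egress-policy: block` plus an `allowed-endpoints:` list is what actually contains a compromised step, once a few audit runs have shown which hosts are needed.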
@@ -80,6 +83,6 @@ jobs: uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-name: myapp - subject-digest: sha256:${{ steps.upload-app.outputs.artifact-digest }} + subject-digest: sha256:${{ needs.build-and-publish.outputs.app-artifact-digest }} show-summary: true push-to-registry: true From 0b5b77805bc29bce24c7a1933dc5f697b76c15c9 Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 02:01:35 +0100 Subject: [PATCH 4/8] chore(ci): remove push to registry --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index db2d11b..e5a5ef0 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -85,4 +85,4 @@ jobs: subject-name: myapp subject-digest: sha256:${{ needs.build-and-publish.outputs.app-artifact-digest }} show-summary: true - push-to-registry: true + # push-to-registry: true From ccc71d48ccefd10cfe12da1367cfb477beb02439 Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 12:57:50 +0100 Subject: [PATCH 5/8] chore(ci): change artifact name --- .github/workflows/publish.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e5a5ef0..87fa37b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
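Review bot: The subject attested here is whatever `upload-artifact` reports as `artifact-digest`, which as I understand it is the SHA-256 of the zip archive GitHub stores for the artifact, not of the individual files under `artifacts/myapp`; a consumer therefore has to verify the downloaded artifact zip as-is, and extracting or re-zipping it breaks the match. Worth stating next to `subject-digest:`, e.g. `# digest of the uploaded artifact zip — verify the downloaded .zip, not its extracted contents`. If the goal is provenance for the published binaries themselves, `subject-path:` over the publish output (which would need the files present in this job) produces one subject per file instead.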
@@ -54,12 +54,12 @@ jobs: - name: Build run: dotnet build ${{env.PROJECT_NAME}} --no-restore --configuration Release - name: Publish - run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/myapp + run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/${{env.PROJECT_NAME}} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 id: upload-app with: - name: myapp - path: artifacts/myapp + name: ${{env.PROJECT_NAME}} + path: artifacts/${{env.PROJECT_NAME}} if-no-files-found: error generate-attestations: @@ -82,7 +82,6 @@ jobs: - name: Generate artifact attestation uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: - subject-name: myapp + subject-name: ${{env.PROJECT_NAME}} subject-digest: sha256:${{ needs.build-and-publish.outputs.app-artifact-digest }} show-summary: true - # push-to-registry: true From 9202055c2121fcd5a3c678f35a3a749d5faf0349 Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 16:10:34 +0100 Subject: [PATCH 6/8] chore(ci): join workflow jobs reduce complexity of attestation generation --- .github/workflows/publish.yml | 48 +++++++++++++---------------------- 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 87fa37b..dbfa4a3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -20,15 +20,21 @@ permissions: {} jobs: build-and-publish: - runs-on: ubuntu-24.04 + strategy: + max-parallel: 2 + matrix: + os: [ubuntu-24.04, ubuntu-24.04-arm, windows-2025] + dotnet-version: ["10.0.x"] + fail-fast: false # stop running other jobs if one fails + name: ${{ matrix.os}} + runs-on: ${{ matrix.os }} timeout-minutes: 30 - permissions: contents: read # for actions/checkout + id-token: write # for OIDC token + attestations: write + artifact-metadata: write - outputs: - app-artifact-digest: ${{ steps.upload-app.outputs.artifact-digest }} - steps: - name: Harden Runner uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 
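Review bot: Moving `id-token: write` and `attestations: write` onto `build-and-publish` means every step in that job, including the NuGet package and MSBuild target code executed by `dotnet restore` and `dotnet build`, can mint an OIDC token for this workflow's identity (the `ACTIONS_ID_TOKEN_REQUEST_*` variables are exposed to all steps of a job that has the permission, as far as I know); the separate `generate-attestations` job this series previously had kept that credential out of the job that runs third-party build logic. If one job per matrix leg is wanted for simplicity, the split can be kept per leg by passing the digest through `outputs:`/`needs:` as before, or the attestation can be moved into a reusable workflow, which is what GitHub documents as the route to SLSA Build L3. Also, the comment on `fail-fast: false # stop running other jobs if one fails` says the opposite of what the value does — `false` lets the other matrix legs keep running — so change it to `fail-fast: false # keep the other matrix legs running if one fails`.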
@@ -45,43 +51,25 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - name: Set up .NET + - name: Set up .NET ${{ matrix.dotnet-version }} uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0 with: - global-json-file: global.json # just for explicitness + dotnet-version: ${{ matrix.dotnet-version }} - name: Restore dependencies run: dotnet restore ${{env.PROJECT_NAME}} - name: Build run: dotnet build ${{env.PROJECT_NAME}} --no-restore --configuration Release - name: Publish - run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/${{env.PROJECT_NAME}} + run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/${{ env.PROJECT_NAME }}/${{ matrix.dotnet-version }}/${{ matrix.os }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 id: upload-app with: - name: ${{env.PROJECT_NAME}} - path: artifacts/${{env.PROJECT_NAME}} + name: ${{ env.PROJECT_NAME }}-${{ matrix.dotnet-version }}-${{ matrix.os }} + path: artifacts/${{ env.PROJECT_NAME }}/${{ matrix.dotnet-version }}/${{ matrix.os }} if-no-files-found: error - - generate-attestations: - needs: build-and-publish - runs-on: ubuntu-24.04 - timeout-minutes: 15 - - permissions: - id-token: write # for OIDC token - attestations: write - artifact-metadata: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 - with: - egress-policy: audit - disable-telemetry: true - disable-sudo-and-containers: true - name: Generate artifact attestation uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: - subject-name: ${{env.PROJECT_NAME}} - subject-digest: sha256:${{ needs.build-and-publish.outputs.app-artifact-digest }} + subject-name: ${{ env.PROJECT_NAME }}-${{ matrix.dotnet-version }}-${{ matrix.os }} + subject-digest: sha256:${{ 
steps.upload-app.outputs.artifact-digest }} show-summary: true From bbd724f8a7e2398c24bcf81e3a1d2649e21175a0 Mon Sep 17 00:00:00 2001 From: Pinguladora Date: Sun, 18 Jan 2026 16:46:50 +0100 Subject: [PATCH 7/8] chore(ci): change job matrix adjust to delegate all compiling related settings to projects --- .github/workflows/publish.yml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index dbfa4a3..7010b87 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,11 +23,16 @@ jobs: strategy: max-parallel: 2 matrix: - os: [ubuntu-24.04, ubuntu-24.04-arm, windows-2025] - dotnet-version: ["10.0.x"] + include: + - vm: ubuntu-24.04 + rid: linux-x64 + - vm: ubuntu-24.04-arm + rid: linux-arm64 + - vm: windows-2025 + rid: win-x64 fail-fast: false # stop running other jobs if one fails - name: ${{ matrix.os}} - runs-on: ${{ matrix.os }} + name: ${{ matrix.vm}}-${{ matrix.rid }} + runs-on: ${{ matrix.vm }} timeout-minutes: 30 permissions: contents: read # for actions/checkout 
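Review bot: With the attestation step now inside the matrix job it also runs on the `windows-2025` leg, where the Harden Runner step at the top of the job (outside this hunk) is, as far as I recall, not supported — it either exits without instrumenting or fails, which means that leg either publishes and attests with no egress monitoring while holding `id-token: write`, or never publishes; confirm against the action's documentation for Windows. If it is a no-op there, make the skip explicit with `if: runner.os == 'Linux'` on that step and decide deliberately whether the Windows leg should attest without it. The `generate-attestations` job deleted here starts and ends inside this hunk, but the `build-and-publish` job it merges into starts before it.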
@@ -51,25 +56,26 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - name: Set up .NET ${{ matrix.dotnet-version }} + - name: Set up .NET + id: setup-dotnet uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0 with: - dotnet-version: ${{ matrix.dotnet-version }} + global-json-file: global.json - name: Restore dependencies run: dotnet restore ${{env.PROJECT_NAME}} - name: Build run: dotnet build ${{env.PROJECT_NAME}} --no-restore --configuration Release - name: Publish - run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/${{ env.PROJECT_NAME }}/${{ matrix.dotnet-version }}/${{ matrix.os }} + run: dotnet publish ${{env.PROJECT_NAME}} --no-build --configuration Release -o artifacts/${{ env.PROJECT_NAME }}/net${{ steps.setup-dotnet.outputs.dotnet-version }}/${{ matrix.rid }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 id: upload-app with: - name: ${{ env.PROJECT_NAME }}-${{ matrix.dotnet-version }}-${{ matrix.os }} - path: artifacts/${{ env.PROJECT_NAME }}/${{ matrix.dotnet-version }}/${{ matrix.os }} + name: ${{ env.PROJECT_NAME }}-net${{ steps.setup-dotnet.outputs.dotnet-version }}-${{ matrix.rid }} + path: artifacts/${{ env.PROJECT_NAME }}/net${{ steps.setup-dotnet.outputs.dotnet-version }}/${{ matrix.rid }} if-no-files-found: error - name: Generate artifact attestation uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: - subject-name: ${{ env.PROJECT_NAME }}-${{ matrix.dotnet-version }}-${{ matrix.os }} + subject-name: ${{ env.PROJECT_NAME }}-net${{ steps.setup-dotnet.outputs.dotnet-version }}-${{ matrix.rid }} subject-digest: sha256:${{ steps.upload-app.outputs.artifact-digest }} show-summary: true From e73077801f83ec5dcd42888d4bb4812baad60af0 Mon Sep 17 00:00:00 2001 
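Review bot: `matrix.rid` only feeds the output path, the artifact name and the attestation `subject-name`; none of the `dotnet restore`/`build`/`publish` commands pass `-r ${{ matrix.rid }}`, so unless the project file sets `RuntimeIdentifier` per OS (the commit message says build settings are delegated to the projects — confirm), each leg publishes a portable framework-dependent build that is then labelled and signed as `linux-arm64` or `win-x64`. Either pass the RID on all three commands, since `--no-restore` and `--no-build` require it to match — `dotnet restore ${{env.PROJECT_NAME}} -r ${{ matrix.rid }}`, `dotnet build ${{env.PROJECT_NAME}} --no-restore -r ${{ matrix.rid }} --configuration Release`, `dotnet publish ${{env.PROJECT_NAME}} --no-build -r ${{ matrix.rid }} --configuration Release -o artifacts/...` — or drop `rid` from the names so the provenance subject does not claim a target that was never requested. Note also that `steps.setup-dotnet.outputs.dotnet-version` is, as I recall, the installed SDK version (e.g. `10.0.100`), so the `net…` prefix in the names suggests a target framework that the value is not. The job's `strategy:` and `permissions:` lie outside this hunk.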
From: Pinguladora Date: Sun, 18 Jan 2026 17:53:20 +0100 Subject: [PATCH 8/8] chore(ci): remove feature branch trigger --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7010b87..ba25586 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -2,7 +2,7 @@ name: Build and Publish on: push: - branches: ["main", "feature/**"] + branches: ["main"] tags: ["**"] pull_request: types: [reopened, ready_for_review, review_requested]
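Review bot: `pull_request` with `branches: ["**"]` is still a trigger for a workflow whose single job ends by generating signed provenance (that step and its `id-token: write` permission are outside this hunk), so trimming the `push` branches does not stop PR events from reaching it; for same-repo PRs that signs unreviewed code, and for fork PRs I believe no OIDC token is issued, so the run fails at the last step. The `types` list also omits `opened` and `synchronize`, so a PR run reflects whichever commit was present when it was reopened or a review was requested, not the head being reviewed. If PR runs are meant as a build check, guard the attestation step with `if: github.event_name != 'pull_request'` or move the check into a separate workflow with `permissions: contents: read` only.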