Skip to content

[deps]: Lock file maintenance #2912

[deps]: Lock file maintenance

[deps]: Lock file maintenance #2912

Workflow file for this run

name: main
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- prereleased
- released
workflow_dispatch:
inputs:
version:
description: Application version to use when publishing the project
required: false
env:
# Setting these variables allows .NET CLI to use rich color codes in console output
TERM: xterm
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: true
# Skip boilerplate output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_NOLOGO: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
# Note that as much as we'd love to avoid repetitive work, splitting the pipeline into separate jobs
# makes it very difficult to share artifacts between them. Even if we succeed, we'll still end up
# pushing and pulling gigabytes worth of data, which makes the jobs so much slower that we might as
# well just repeat the checkout-restore-build steps instead.
# Having a setup that involves separate jobs gives us significant benefits, on the other hand, namely:
# - Most of the jobs can run in parallel, which reduces the overall execution time significantly,
# despite the repetitive work.
# - We can catch more issues this way, for example if the formatting job fails, we can still see the
# the test results too.
# - If one of the jobs fails due to reasons unrelated to our code (e.g. NuGet server is down), we get
# the option to rerun only that job, saving us time.
# - It's easier to understand what each job does (and later, read its output) because the scope is much
# more narrow.
# - We can set permissions on a more granular (per-job) level, which allows us to expose only a few select
# steps to more sensitive access scopes.
jobs:
# Determine version
version:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Determine stable version
id: stable-version
if: ${{ inputs.version || github.event_name == 'release' }}
run: |
version="${{ inputs.version || github.event.release.tag_name }}"
if ! [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then
echo "Invalid version: $version"
exit 1
fi
echo "version=$version" >> $GITHUB_OUTPUT
- name: Determine prerelease version
id: pre-version
run: |
hash="${{ github.event.pull_request.head.sha || github.sha }}"
echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT
outputs:
version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }}
# Check formatting
format:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Install .NET
uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
- name: Validate format
run: dotnet format --verify-no-changes
# Run tests
check-test-secrets:
name: Check for test secrets
runs-on: ubuntu-24.04
outputs:
available: ${{ steps.check-test-secrets.outputs.available }}
permissions:
contents: read
steps:
- name: Check
id: check-test-secrets
run: |
if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
echo "available=true" >> $GITHUB_OUTPUT;
else
echo "available=false" >> $GITHUB_OUTPUT;
fi
test:
runs-on: ubuntu-24.04
needs: check-test-secrets
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Install .NET
uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
- name: Run restore
run: dotnet restore
- name: Run build
run: >
dotnet build
--no-restore
--configuration Release
- name: Run tests
# The next step will fail if any tests fail, but we still want to publish the results
continue-on-error: true
run: >
dotnet test
--no-restore
--no-build
--configuration Release
--logger "trx;LogFileName=pw-test-results.trx"
--collect:"XPlat Code Coverage"
--
RunConfiguration.CollectSourceInformation=true
DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
env:
ASPNETCORE_ENVIRONMENT: Development # For Serilog passthrough
- name: Report test results
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
with:
name: Test Results
path: "**/*-test-results.trx"
reporter: dotnet-trx
fail-on-error: true
- name: Upload to codecov.io
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
if: ${{ needs.check-test-secrets.outputs.available == 'true' }}
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
# Publish the apps
pack:
needs: version
strategy:
matrix:
app:
- Api
- AdminConsole
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Install .NET
uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
- name: Install NodeJS
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: lts/*
- name: Publish app
run: >
dotnet publish src/${{ matrix.app }}/
-p:Version=${{ needs.version.outputs.version }}
--configuration Release
--runtime win-x86
--no-self-contained
--output src/${{ matrix.app }}/publish/
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ matrix.app }}
path: src/${{ matrix.app }}/publish/
# Dispatches a separate deployment workflow in a private repository
deploy:
if: ${{ github.event_name != 'pull_request' }}
needs:
- version
- format
- test
- pack
strategy:
matrix:
environment:
- devtest
- qa
- prod
exclude:
# Deploy to QA on pre-releases and stable releases
- environment: ${{ !(github.event_name == 'release') && 'qa' }}
# Deploy to PROD on stable release only
- environment: ${{ !(github.event_name == 'release' && github.event.action == 'released') && 'prod' }}
# Deploy to DEVTEST every time
runs-on: ubuntu-latest
permissions: {} # no permissions required
steps:
- name: Dispatch deployment
env:
GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
run: >
gh workflow run deploy-passwordless-server
--repo bitwarden/passwordless-devops
--field repository=${{ github.repository }}
--field run-id=${{ github.run_id }}
--field api-artifact=Api
--field admin-console-artifact=AdminConsole
--field environment=${{ matrix.environment }}
--field version=${{ needs.version.outputs.version }}