[Snyk] Security upgrade Microsoft.Extensions.Configuration.Json from 6.0.0 to 7.0.0 #190

Workflow file for this run

.github/workflows/build-and-deploy.yml at 19fad1b

	name: build-and-deploy

	on:
	push:
	paths:
	- '.github/workflows/build-and-deploy.yml'
	- 'src/**'
	- 'docker/**'
	pull_request:
	paths:
	- '.github/workflows/build-and-deploy.yml'
	- 'src/**'
	- 'docker/**'

	env:
	docker_repo: tfsaggregator/aggregator3
	# any PR, any push to default branch,
	run_integration_tests: ${{ github.event_name == 'pull_request' \|\| github.ref == 'refs/heads/master' \|\| startsWith(github.ref, 'refs/tags/v') }}
	release_new_version: ${{ startsWith(github.ref, 'refs/tags/v') }}

	jobs:

	# HACK workaround for
	# The workflow is not valid. .github/workflows/build-and-deploy.yml (Line: 179, Col: 9): Unrecognized named-value: 'env'.
	# The env context is not available on job..if
	dummy_job:
	runs-on: ubuntu-latest
	outputs:
	run_integration_tests: '${{ env.run_integration_tests }}'
	release_new_version: '${{ env.release_new_version }}'
	steps:
	- name: 'Print conditions'
	run: \|
	echo "run_integration_tests = $run_integration_tests"
	echo "release_new_version = $release_new_version"

	build:

	runs-on: ubuntu-latest
	env:
	DOTNETSDK_VERSION: '6.0.201' # SDK Version to use.
	CONFIGURATION: Release
	SONAR_ORG: 'tfsaggregator'
	SONAR_PROJECTKEY: 'tfsaggregator_aggregator-cli'
	# list of TimeSpan controlling reading app logs from Kudu while running Integration tests
	AGGREGATOR_KUDU_LOGRETRIEVE_ATTEMPTS: '0:0:30 0:1:00 0:1:30 0:2:00 0:3:00'
	outputs:
	dockerTag: 'v${{ steps.gitversion.outputs.fullSemVer }}'
	releaseTag: ${{ steps.get_git_tag.outputs.tag_name }}
	releaseName: ${{ steps.get_git_tag.outputs.tag_name }}
	majorMinorPatch: '${{ steps.gitversion.outputs.majorMinorPatch }}'
	preReleaseTag: '${{ steps.gitversion.outputs.preReleaseTag }}'
	steps:
	- uses: actions/checkout@v3 # CHECK FOR UPDATES
	with:
	fetch-depth: 0
	# versioning
	- name: Fetch Git history for GitVersion
	run: git fetch --tags
	- name: Extract git tag
	id: get_git_tag
	run: echo ::set-output name=tag_name::${GITHUB_REF/refs\/tags\//}
	shell: bash
	- name: Install GitVersion
	uses: gittools/actions/gitversion/setup@v0.9.13 # CHECK FOR UPDATES
	with:
	versionSpec: '5.x' # CHECK FOR UPDATES
	- name: Use GitVersion
	id: gitversion # step id used as reference for output values
	uses: gittools/actions/gitversion/execute@v0.9.13 # CHECK FOR UPDATES
	- name: 'Set version in aggregator-manifest.ini'
	run: 'sed -E -i "s/version=.*/version=${{ steps.gitversion.outputs.fullSemVer }}/" ${GITHUB_WORKSPACE}/src/aggregator-function/aggregator-manifest.ini'
	shell: bash
	# compile and test
	- uses: actions/setup-dotnet@v1 # CHECK FOR UPDATES
	with:
	dotnet-version: '${{ env.DOTNETSDK_VERSION }}'
	- name: Use Java 11 (required by SonarCloud)
	uses: actions/setup-java@v3 # CHECK FOR UPDATES
	with:
	java-version: '11' # CHECK FOR UPDATES
	java-package: jre
	distribution: 'temurin'
	- name: Install dotnet tools
	run: dotnet tool restore
	- name: SonarCloud Setup
	run: \|
	cp ./build/sonarqube-create-project-guids.ps1 .
	pwsh -NonInteractive -ExecutionPolicy RemoteSigned -File ./sonarqube-create-project-guids.ps1
	dotnet sonarscanner begin /o:${{ env.SONAR_ORG }} /k:${{ env.SONAR_PROJECTKEY }} /d:sonar.host.url=https://sonarcloud.io /d:sonar.cs.vstest.reportsPaths=test-results/.trx /d:sonar.cs.opencover.reportsPaths=test-results//coverage.opencover.xml /d:sonar.coverage.exclusions="*Test.cs"
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	- name: 'NuGet Restore'
	run: 'dotnet restore src/aggregator3.sln'
	- name: 'Build solution'
	run: 'dotnet build --configuration $CONFIGURATION src/aggregator3.sln /p:VersionPrefix=${{ steps.gitversion.outputs.majorMinorPatch }} /p:VersionSuffix=${{ steps.gitversion.outputs.preReleaseTag }}'
	- name: 'Unit tests with Code Coverage'
	run: \|
	dotnet test --collect:"XPlat Code Coverage" --results-directory test-results/ --logger "trx;LogFileName=unittests-core.trx" --no-build --no-restore --configuration $CONFIGURATION src/unittests-core/unittests-core.csproj -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
	dotnet test --collect:"XPlat Code Coverage" --results-directory test-results/ --logger "trx;LogFileName=unittests-ruleng.trx" --no-build --no-restore --configuration $CONFIGURATION src/unittests-ruleng/unittests-ruleng.csproj -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
	dotnet test --collect:"XPlat Code Coverage" --results-directory test-results/ --logger "trx;LogFileName=unittests-function.trx" --no-build --no-restore --configuration $CONFIGURATION src/unittests-function/unittests-function.csproj -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
	# Prepare Artifacts (req'd by integration tests)
	- name: 'Package FunctionRuntime'
	if: ${{ fromJSON(env.run_integration_tests) }}
	run: \|
	mkdir -p outputs/function
	dotnet publish --configuration $CONFIGURATION --output $GITHUB_WORKSPACE/outputs/function/ src/aggregator-function/aggregator-function.csproj -p:VersionPrefix=${{ steps.gitversion.outputs.majorMinorPatch }} -p:VersionSuffix=${{ steps.gitversion.outputs.preReleaseTag }}
	pushd outputs/function && \
	7z a -bd -r FunctionRuntime.zip && \
	popd
	# Heavy weight integration tests
	# logon-data.json is stored in project Secrets
	- name: 'Prepare integration tests'
	if: ${{ fromJSON(env.run_integration_tests) }}
	run: \|
	echo "$LOGONDATA_JSON" > $GITHUB_WORKSPACE/src/integrationtests-cli/logon-data.json
	export LOGONDATA_FNAME=$GITHUB_WORKSPACE/src/integrationtests-cli/logon-data.json
	INTEGRATIONTEST_SUBSCRIPTIONID=$(jq -r '.subscription?' $LOGONDATA_FNAME)
	echo "Next message must display a valid Guid"
	echo "Azure subscription for testing: $INTEGRATIONTEST_SUBSCRIPTIONID"
	echo "{\"sdk\":{\"version\":\"$DOTNETSDK_VERSION\"} }" > global.json
	env:
	LOGONDATA_JSON: ${{ secrets.INTEGRATIONTESTS_CLI_LOGONDATA_JSON }}
	shell: bash
	- name: 'Run integration tests'
	if: ${{ fromJSON(env.run_integration_tests) }}
	run: 'dotnet test --collect:"XPlat Code Coverage" --results-directory test-results/ --logger "trx;LogFileName=integrationtests-cli.trx" --no-restore --configuration $CONFIGURATION src/integrationtests-cli/integrationtests-cli.csproj -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover'
	- name: 'Scrap secrets'
	if: always()
	run: rm $GITHUB_WORKSPACE/src/integrationtests-cli/logon-data.json
	- name: 'Report on Code Coverage'
	if: always()
	run: 'dotnet reportgenerator "-reports:test-results//.xml" "-targetdir:coverage-report/" "-reporttypes:Html" "-assemblyfilters:-Tests.*"'
	- name: Upload Code Coverage Reports
	if: always()
	uses: actions/upload-artifact@v2
	with:
	name: coverage_report
	path: coverage-report/**
	- name: SonarCloud Scan
	if: ${{ fromJSON(env.run_integration_tests) }}
	run: dotnet sonarscanner end
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	# Prepare Artifacts
	- name: 'Package aggregator-cli Windows'
	if: ${{ fromJSON(env.release_new_version) }}
	run: \|
	mkdir -p outputs/$RUNTIME
	dotnet publish --configuration $CONFIGURATION --runtime $RUNTIME --self-contained true --output $GITHUB_WORKSPACE/outputs/$RUNTIME/ src/aggregator-cli/aggregator-cli.csproj -p:VersionPrefix=${{ steps.gitversion.outputs.majorMinorPatch }} -p:VersionSuffix=${{ steps.gitversion.outputs.preReleaseTag }}
	pushd outputs/$RUNTIME && \
	7z a -bd -r aggregator-cli-$RUNTIME.zip && \
	popd
	env:
	RUNTIME: win-x64
	- name: 'Package aggregator-cli Linux'
	if: ${{ fromJSON(env.release_new_version) }}
	run: \|
	mkdir -p outputs/$RUNTIME
	dotnet publish --configuration $CONFIGURATION --runtime $RUNTIME --self-contained true --output $GITHUB_WORKSPACE/outputs/$RUNTIME/ src/aggregator-cli/aggregator-cli.csproj -p:VersionPrefix=${{ steps.gitversion.outputs.majorMinorPatch }} -p:VersionSuffix=${{ steps.gitversion.outputs.preReleaseTag }}
	pushd outputs/$RUNTIME && \
	7z a -bd -r aggregator-cli-$RUNTIME.zip && \
	popd
	env:
	RUNTIME: linux-x64
	- name: 'Package aggregator-cli OS/X'
	if: ${{ fromJSON(env.release_new_version) }}
	run: \|
	mkdir -p outputs/$RUNTIME
	dotnet publish --configuration $CONFIGURATION --runtime $RUNTIME --self-contained true --output $GITHUB_WORKSPACE/outputs/$RUNTIME/ src/aggregator-cli/aggregator-cli.csproj -p:VersionPrefix=${{ steps.gitversion.outputs.majorMinorPatch }} -p:VersionSuffix=${{ steps.gitversion.outputs.preReleaseTag }}
	pushd outputs/$RUNTIME && \
	7z a -bd -r aggregator-cli-$RUNTIME.zip && \
	popd
	env:
	RUNTIME: osx-x64
	# Release notes (maybe one day we will use https://gittools.github.io/GitReleaseManager)
	- name: 'Dump commit messages since last tag as draft release notes'
	if: ${{ fromJSON(env.release_new_version) }}
	run: \|
	git log $(git describe --abbrev=0 --always)..HEAD --pretty=format:"%s" --reverse > outputs/git.log
	cp Next-Release-ChangeLog.md outputs/
	# everything in outputs can be used by other jobs
	- name: Upload artifacts
	if: ${{ fromJSON(env.release_new_version) }}
	uses: actions/upload-artifact@v3 # CHECK FOR UPDATES
	with:
	name: release_packages
	path: outputs/**

	release_to_github:

	runs-on: ubuntu-latest
	needs: [dummy_job, build]
	if: ${{ fromJSON(needs.dummy_job.outputs.release_new_version) }}
	steps:
	- name: Download artifacts
	uses: actions/download-artifact@v3 # CHECK FOR UPDATES
	with:
	name: release_packages
	path: outputs/
	- name: 'Move artifacts and Compute Hash'
	run: \|
	cd outputs/
	mv /.zip ./
	shasum -a 256 *.zip > SHA256.txt
	- name: Read git.log
	id: read_packages_sha
	uses: juliangruber/read-file-action@v1 # CHECK FOR UPDATES
	with:
	path: outputs/SHA256.txt
	- name: Read git.log
	id: read_gitlog
	uses: juliangruber/read-file-action@v1 # CHECK FOR UPDATES
	with:
	path: outputs/git.log
	- name: Read package.json
	id: read_changelog
	uses: juliangruber/read-file-action@v1 # CHECK FOR UPDATES
	with:
	path: outputs/Next-Release-ChangeLog.md
	# Create Release in GitHub as Draft
	- name: Create Release
	id: create_release
	uses: actions/create-release@v1 # CHECK FOR UPDATES
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	tag_name: ${{ needs.build.outputs.releaseTag }}
	release_name: ${{ needs.build.outputs.releaseName }}
	body: \|
	${{ steps.read_changelog.outputs.content }}
	${{ steps.read_packages_sha.outputs.content }}
	${{ steps.read_gitlog.outputs.content }}
	draft: true
	prerelease: false
	- name: Upload FunctionRuntime
	uses: actions/upload-release-asset@v1 # CHECK FOR UPDATES
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: ./outputs/FunctionRuntime.zip
	asset_name: FunctionRuntime.zip
	asset_content_type: application/zip
	- name: 'Upload aggregator-cli Windows'
	uses: actions/upload-release-asset@v1 # CHECK FOR UPDATES
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: ./outputs/aggregator-cli-win-x64.zip
	asset_name: aggregator-cli-win-x64.zip
	asset_content_type: application/zip
	- name: 'Upload aggregator-cli Linux'
	uses: actions/upload-release-asset@v1 # CHECK FOR UPDATES
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: ./outputs/aggregator-cli-linux-x64.zip
	asset_name: aggregator-cli-linux-x64.zip
	asset_content_type: application/zip
	- name: 'Upload aggregator-cli OS/X'
	uses: actions/upload-release-asset@v1 # CHECK FOR UPDATES
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: ./outputs/aggregator-cli-osx-x64.zip
	asset_name: aggregator-cli-osx-x64.zip
	asset_content_type: application/zip
	- name: 'Upload SHA256'
	uses: actions/upload-release-asset@v1 # CHECK FOR UPDATES
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: ./outputs/SHA256.txt
	asset_name: SHA256.txt
	asset_content_type: text/plain

	push_to_dockerhub:

	runs-on: ${{ matrix.os }}
	needs: [dummy_job, build]
	if: ${{ fromJSON(needs.dummy_job.outputs.release_new_version) }}
	env:
	map_os_to_rid: '{"ubuntu-latest":"linux-x64", "windows-latest":"win-x64"}'
	docker_repo: tfsaggregator/aggregator3
	strategy:
	matrix:
	os: [ubuntu-latest, windows-latest]
	steps:
	- name: Checkout code
	uses: actions/checkout@v3 # CHECK FOR UPDATES
	# the official docker/build-push-action@v1 does not support Windows!!!
	- name: Build and push Docker ${{ fromJSON(env.map_os_to_rid)[matrix.os] }} image to DockerHub
	uses: mr-smithers-excellent/docker-build-push@v5 # CHECK FOR UPDATES
	with:
	image: ${{ env.docker_repo }}
	tag: ${{ needs.build.outputs.dockerTag }}-${{ fromJSON(env.map_os_to_rid)[matrix.os] }}
	registry: docker.io
	dockerfile: docker/${{ fromJSON(env.map_os_to_rid)[matrix.os] }}.Dockerfile
	buildArgs: MAJOR_MINOR_PATCH=${{ needs.build.outputs.majorMinorPatch }},PRERELEASE_TAG=${{ needs.build.outputs.preReleaseTag }}
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_PASSWORD }}
	- name: Build and push Docker ${{ fromJSON(env.map_os_to_rid)[matrix.os] }} image to GHCR
	uses: mr-smithers-excellent/docker-build-push@v5 # CHECK FOR UPDATES
	with:
	image: ${{ env.docker_repo }}
	tag: ${{ needs.build.outputs.dockerTag }}-${{ fromJSON(env.map_os_to_rid)[matrix.os] }}
	registry: ghcr.io
	dockerfile: docker/${{ fromJSON(env.map_os_to_rid)[matrix.os] }}.Dockerfile
	buildArgs: MAJOR_MINOR_PATCH=${{ needs.build.outputs.majorMinorPatch }},PRERELEASE_TAG=${{ needs.build.outputs.preReleaseTag }}
	username: ${{ secrets.GHCR_USERNAME }}
	password: ${{ secrets.GHCR_PASSWORD }}
	- run: \|
	mkdir tags
	echo . > tags/${{ needs.build.outputs.dockerTag }}-${{ fromJSON(env.map_os_to_rid)[matrix.os] }}
	- name: Upload tags
	uses: actions/upload-artifact@v3 # CHECK FOR UPDATES
	with:
	name: tags
	path: 'tags/*'

	push_manifest_to_registry:

	runs-on: ubuntu-latest
	needs: [dummy_job, build, push_to_dockerhub]
	if: ${{ fromJSON(needs.dummy_job.outputs.release_new_version) }}
	steps:
	- name: Checkout code
	uses: actions/checkout@v3 # CHECK FOR UPDATES
	- name: Download tags
	uses: actions/download-artifact@v3 # CHECK FOR UPDATES
	with:
	name: tags
	path: 'tags/'
	- name: Push manifest to DockerHub
	id: push_manifest_dockerhub
	run: \|
	cd tags
	amends=""; for tag in *; do amends=$amends" --amend ${{ env.docker_repo }}:${tag}"; done
	all_tags="${{ env.docker_repo }}:latest ${{ env.docker_repo }}:${{ needs.build.outputs.dockerTag }}"
	for tag in *; do all_tags=$all_tags" ${{ env.docker_repo }}:${tag}"; done
	echo ::set-output name=all_tags::$all_tags
	cd ..
	echo ${{ secrets.DOCKERHUB_PASSWORD }} \| docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin
	docker manifest create ${{ env.docker_repo }}:latest $amends
	docker manifest push ${{ env.docker_repo }}:latest
	docker manifest create ${{ env.docker_repo }}:${{ needs.build.outputs.dockerTag }} $amends
	docker manifest push ${{ env.docker_repo }}:${{ needs.build.outputs.dockerTag }}
	docker logout
	env:
	DOCKER_CLI_EXPERIMENTAL: enabled
	- name: Push manifest to GHCR
	id: push_manifest_ghcr
	run: \|
	cd tags
	amends=""; for tag in *; do amends=$amends" --amend ghcr.io/${{ env.docker_repo }}:${tag}"; done
	all_tags="ghcr.io/${{ env.docker_repo }}:latest ghcr.io/${{ env.docker_repo }}:${{ needs.build.outputs.dockerTag }}"
	for tag in *; do all_tags=$all_tags" ghcr.io/${{ env.docker_repo }}:${tag}"; done
	echo ::set-output name=all_tags::$all_tags
	cd ..
	echo ${{ secrets.GHCR_PASSWORD }} \| docker login ghcr.io -u ${{ secrets.GHCR_USERNAME }} --password-stdin
	docker manifest create ghcr.io/${{ env.docker_repo }}:latest $amends
	docker manifest push ghcr.io/${{ env.docker_repo }}:latest
	docker manifest create ghcr.io/${{ env.docker_repo }}:${{ needs.build.outputs.dockerTag }} $amends
	docker manifest push ghcr.io/${{ env.docker_repo }}:${{ needs.build.outputs.dockerTag }}
	docker logout
	env:
	DOCKER_CLI_EXPERIMENTAL: enabled
	- name: Generate Docker Hub Description
	uses: cuchi/jinja2-action@v1.2.0 # CHECK FOR UPDATES
	with:
	template: docker/README.md.j2
	output_file: docker/README.md
	strict: false
	variables: \|
	repo=${{ env.docker_repo }}
	all_tags=${{ steps.push_manifest_dockerhub.outputs.all_tags }}
	data_file: docker/older_tags.json
	data_format: json
	- name: Update Docker Hub Description
	uses: peter-evans/dockerhub-description@v2 # CHECK FOR UPDATES
	env:
	DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
	DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
	DOCKERHUB_REPOSITORY: ${{ env.docker_repo }}
	README_FILEPATH: docker/README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade Microsoft.Extensions.Configuration.Json from 6.0.0 to 7.0.0 #190

Workflow file

[Snyk] Security upgrade Microsoft.Extensions.Configuration.Json from 6.0.0 to 7.0.0 #190

Jobs

Run details

Workflow file for this run