Add GitHub Actions build (#449) #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '*' | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| forcePublish: | |
| description: When true the Publish stage will always be run, otherwise it only runs for tagged versions. | |
| required: false | |
| default: false | |
| type: boolean | |
| skipCleanup: | |
| description: When true the pipeline clean-up stage will not be run. For example, the cache used between pipeline stages will be retained. | |
| required: false | |
| default: false | |
| type: boolean | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| actions: write # enable cache clean-up | |
| checks: write # enable test result annotations | |
| contents: write # enable creating releases | |
| issues: read | |
| packages: write # enable publishing packages | |
| pull-requests: write # enable test result annotations | |
| jobs: | |
| prepareConfig: | |
| name: Prepare Configuration | |
| runs-on: ubuntu-latest | |
| outputs: | |
| RESOLVED_ENV_VARS: ${{ steps.prepareEnvVarsAndSecrets.outputs.environmentVariablesYamlBase64 }} | |
| RESOLVED_SECRETS: ${{ steps.prepareEnvVarsAndSecrets.outputs.secretsYamlBase64 }} | |
| steps: | |
| # Declare any environment variables and/or secrets that need to be available inside the build process | |
| - uses: endjin/Endjin.RecommendedPractices.GitHubActions/actions/prepare-env-vars-and-secrets@main | |
| id: prepareEnvVarsAndSecrets | |
| with: | |
| # BUILDVAR_NuGetPublishSource: | |
| # When publishing NuGet packages only tagged versions get pushed to nuget.org, otherwise | |
| # they are pushed to GitHub Packages | |
| # BUILDVAR_UseAcrTasks: | |
| # Due to the build phases running as separate jobs the container images built via 'docker build' | |
| # in the Package phase are not available to the Publish phase. Therefore, we use ACR Tasks to | |
| # build the images instead. | |
| environmentVariablesYaml: | | |
| BUILDVAR_NuGetPublishSource: "${{ startsWith(github.ref, 'refs/tags/') && 'https://api.nuget.org/v3/index.json' || 'https://nuget.pkg.github.com/endjin/index.json' }}" | |
| BUILDVAR_ContainerRegistryFqdn: endjin.azurecr.io | |
| BUILDVAR_UseAcrTasks: true | |
| secretsYaml: | | |
| NUGET_API_KEY: "${{ startsWith(github.ref, 'refs/tags/') && secrets.ENDJIN_NUGET_APIKEY || secrets.ENDJIN_GITHUB_PUBLISHER_PAT }}" | |
| build: | |
| needs: prepareConfig | |
| uses: endjin/Endjin.RecommendedPractices.GitHubActions/.github/workflows/scripted-build-matrix-pipeline.yml@main | |
| with: | |
| netSdkVersion: '8.x' | |
| # workflow_dispatch inputs are always strings, the type property is just for the UI | |
| forcePublish: ${{ github.event.inputs.forcePublish == 'true' }} | |
| skipCleanup: ${{ github.event.inputs.skipCleanup == 'true' }} | |
| # These pass arbitrary environment variables to each of the build pipeline phases, | |
| # as defined in the 'environmentVariablesYaml' property above. | |
| compilePhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }} | |
| testPhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }} | |
| testPhaseMatrixJson: | | |
| { | |
| "os": ["ubuntu-latest", "windows-latest"], | |
| "dotnetFramework": ["net8.0"], | |
| "exclude": [] | |
| } | |
| packagePhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }} | |
| publishPhaseEnv: ${{ needs.prepareConfig.outputs.RESOLVED_ENV_VARS }} | |
| secrets: | |
| # Ensures the build pipeline has access to pull images from the ACR and write SBOMs to storage | |
| compilePhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_READER_CREDENTIALS }} | |
| # Ensures the build pipeline has access to run ACR Tasks | |
| packagePhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_PUBLISH_CREDENTIALS }} | |
| # Ensures the build pipeline has access to push/re-tag images to the ACR | |
| publishPhaseAzureCredentials: ${{ secrets.ENDJIN_PROD_ACR_PUBLISH_CREDENTIALS }} | |
| # Uncomment the following to pass arbitrary secrets to the required build pipeline phases, | |
| # as defined in the 'secretsYaml' property above. They will be available to the | |
| # scripted build process as environment variables. | |
| # | |
| # compilePhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }} | |
| # testPhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }} | |
| packagePhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }} | |
| publishPhaseSecrets: ${{ needs.prepareConfig.outputs.RESOLVED_SECRETS }} |