# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/github-workflow.json name: .NET on: push: branches: [ main ] pull_request: branches: [ main ] env: DOTNET_NOLOGO: true DOTNET_CLI_TELEMETRY_OPTOUT: true DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true NUGET_XMLDOC_MODE: '' DOTNET_MULTILEVEL_LOOKUP: 0 jobs: build: strategy: matrix: config: - Release - Debug runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # so that NerdBank.GitVersioning has access to history - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Restore dependencies run: nix develop --command dotnet restore - name: Build run: 'nix develop --command dotnet build --no-restore --configuration ${{matrix.config}}' - name: Test run: 'nix develop --command dotnet test --no-build --verbosity normal --configuration ${{matrix.config}} --framework net8.0' selftest: runs-on: ubuntu-latest permissions: actions: none checks: write contents: read deployments: none id-token: none issues: none discussions: none packages: none pages: none pull-requests: read repository-projects: none security-events: none statuses: read steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # so that NerdBank.GitVersioning has access to history - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Restore dependencies run: nix develop --command dotnet restore - name: Build run: 'nix develop --command dotnet build --no-restore --configuration Release' - name: Test using self run: 'nix develop --command dotnet exec ./WoofWare.NUnitTestRunner/bin/Release/net6.0/WoofWare.NUnitTestRunner.dll ./Consumer/bin/Release/net8.0/Consumer.dll --trx TrxOut/out.trx' - name: Parse Trx files uses: NasAmin/trx-parser@v0.6.0 if: always() id: trx-parser with: TRX_PATH: ${{ github.workspace }}/TrxOut REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }} selftest-net6: runs-on: ubuntu-latest permissions: actions: none checks: write contents: read deployments: none id-token: none issues: none discussions: none packages: none pages: none pull-requests: read repository-projects: none security-events: none statuses: read steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # so that NerdBank.GitVersioning has access to history - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Restore dependencies run: nix develop --command dotnet restore - name: Build runner run: 'nix develop --command dotnet build WoofWare.NUnitTestRunner --configuration Release' - name: Build target run: 'nix develop --command dotnet build Consumer --configuration Release' - name: Test using self run: 'nix develop .#net6 --command ./WoofWare.NUnitTestRunner/bin/Release/net6.0/WoofWare.NUnitTestRunner ./Consumer/bin/Release/net6.0/Consumer.dll --trx TrxOut/out.trx' - name: Parse Trx files uses: NasAmin/trx-parser@v0.6.0 if: always() id: trx-parser with: TRX_PATH: ${{ github.workspace }}/TrxOut REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }} analyzers: runs-on: ubuntu-latest permissions: security-events: write steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 # so that NerdBank.GitVersioning has access to history - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Prepare analyzers run: nix develop --command dotnet restore analyzers/analyzers.fsproj - name: Build project run: nix develop --command dotnet build ./WoofWare.NUnitTestRunner/WoofWare.NUnitTestRunner.fsproj - name: Run analyzers run: nix run .#fsharp-analyzers -- --project ./WoofWare.NUnitTestRunner/WoofWare.NUnitTestRunner.fsproj --analyzers-path ./.analyzerpackages/g-research.fsharp.analyzers/*/ --verbosity detailed --report ./analysis.sarif --treat-as-error GRA-STRING-001 GRA-STRING-002 GRA-STRING-003 GRA-UNIONCASE-001 GRA-INTERPOLATED-001 GRA-TYPE-ANNOTATE-001 GRA-VIRTUALCALL-001 GRA-IMMUTABLECOLLECTIONEQUALITY-001 GRA-JSONOPTS-001 GRA-LOGARGFUNCFULLAPP-001 GRA-DISPBEFOREASYNC-001 --exclude-analyzers PartialAppAnalyzer build-nix: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Build run: nix build check-dotnet-format: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Run Fantomas run: nix run .#fantomas -- --check . check-nix-format: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Run Alejandra run: nix develop --command alejandra --check . linkcheck: name: Check links runs-on: ubuntu-latest steps: - uses: actions/checkout@master - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Run link checker run: nix develop --command markdown-link-check README.md flake-check: name: Check flake runs-on: ubuntu-latest steps: - uses: actions/checkout@master - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Flake check run: nix flake check nuget-pack: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # so that NerdBank.GitVersioning has access to history - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Restore dependencies run: nix develop --command dotnet restore - name: Build run: nix develop --command dotnet build --no-restore --configuration Release - name: Pack run: nix develop --command dotnet pack --configuration Release - name: Upload NuGet artifact (lib) uses: actions/upload-artifact@v4 with: name: nuget-package-lib path: WoofWare.NUnitTestRunner.Lib/bin/Release/WoofWare.NUnitTestRunner.Lib.*.nupkg - name: Upload NuGet artifact (tool) uses: actions/upload-artifact@v4 with: name: nuget-package-tool path: WoofWare.NUnitTestRunner/bin/Release/WoofWare.NUnitTestRunner.*.nupkg expected-pack: needs: [nuget-pack] runs-on: ubuntu-latest steps: - name: Download NuGet artifact (lib) uses: actions/download-artifact@v4 with: name: nuget-package-lib path: packed-lib - name: Check NuGet contents (lib) # Verify that there is exactly one nupkg in the artifact that would be NuGet published run: if [[ $(find packed-lib -maxdepth 1 -name 'WoofWare.NUnitTestRunner.Lib.*.nupkg' -printf c | wc -c) -ne "1" ]]; then exit 1; fi - name: Download NuGet artifact (tool) uses: actions/download-artifact@v4 with: name: nuget-package-tool path: packed-tool - name: Check NuGet contents # Verify that there is exactly one nupkg in the artifact that would be NuGet published run: if [[ $(find packed-tool -maxdepth 1 -name 'WoofWare.NUnitTestRunner.*.nupkg' -printf c | wc -c) -ne "1" ]]; then exit 1; fi github-release-tool-dry-run: needs: [nuget-pack] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Download NuGet artifact (lib) uses: actions/download-artifact@v4 with: name: nuget-package-lib - name: Download NuGet artifact (tool) uses: actions/download-artifact@v4 with: name: nuget-package-tool - name: Tag and release tool env: DRY_RUN: 1 GITHUB_TOKEN: mock-token run: sh .github/workflows/tag.sh all-required-checks-complete: needs: [check-dotnet-format, check-nix-format, build, build-nix, linkcheck, flake-check, analyzers, nuget-pack, expected-pack, github-release-tool-dry-run] runs-on: ubuntu-latest steps: - run: echo "All required checks complete." attestation-lib: runs-on: ubuntu-latest needs: [all-required-checks-complete] if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} permissions: id-token: write attestations: write contents: read steps: - name: Download NuGet artifact uses: actions/download-artifact@v4 with: name: nuget-package-lib path: packed - name: Attest Build Provenance uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 with: subject-path: "packed/*.nupkg" attestation-tool: runs-on: ubuntu-latest needs: [all-required-checks-complete] if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} permissions: id-token: write attestations: write contents: read steps: - name: Download NuGet artifact uses: actions/download-artifact@v4 with: name: nuget-package-tool path: packed - name: Attest Build Provenance uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 with: subject-path: "packed/*.nupkg" nuget-publish-lib: runs-on: ubuntu-latest if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} needs: [all-required-checks-complete] environment: main-deploy permissions: id-token: write attestations: write contents: read steps: - uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Download NuGet artifact uses: actions/download-artifact@v4 with: name: nuget-package-lib path: packed - name: Publish to NuGet id: publish-success env: NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.NUnitTestRunner.Lib.*.nupkg"' - name: Wait for availability if: steps.publish-success.outputs.result == 'published' env: PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }} run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.NUnitTestRunner.Lib/$PACKAGE_VERSION" ; do sleep 10; done' # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/). # So we have to *re-attest* it after it's uploaded. Mind-blowing. - name: Assert package contents if: steps.publish-success.outputs.result == 'published' run: 'bash ./.github/workflows/assert-contents.sh' - name: Attest Build Provenance if: steps.publish-success.outputs.result == 'published' uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 with: subject-path: "from-nuget.nupkg" nuget-publish-tool: runs-on: ubuntu-latest if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} needs: [all-required-checks-complete] environment: main-deploy permissions: id-token: write attestations: write contents: read steps: - uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@V27 with: extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - name: Download NuGet artifact uses: actions/download-artifact@v4 with: name: nuget-package-tool path: packed - name: Publish to NuGet id: publish-success env: NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.NUnitTestRunner.*.nupkg"' - name: Wait for availability if: steps.publish-success.outputs.result == 'published' env: PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }} run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.NUnitTestRunner/$PACKAGE_VERSION" ; do sleep 10; done' # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/). # So we have to *re-attest* it after it's uploaded. Mind-blowing. - name: Assert package contents if: steps.publish-success.outputs.result == 'published' run: 'bash ./.github/workflows/assert-contents.sh' - name: Attest Build Provenance if: steps.publish-success.outputs.result == 'published' uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 with: subject-path: "from-nuget.nupkg" github-release-tool: runs-on: ubuntu-latest if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} needs: [all-required-checks-complete] environment: main-deploy permissions: contents: write steps: - uses: actions/checkout@v4 - name: Download NuGet artifact (tool) uses: actions/download-artifact@v4 with: name: nuget-package-tool - name: Download NuGet artifact (lib) uses: actions/download-artifact@v4 with: name: nuget-package-lib - name: Tag and release plugin env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: sh .github/workflows/tag.sh