Skip to content

Commit

Permalink
Merge pull request #92 from DuendeSoftware/ev/build-pull-request
Browse files Browse the repository at this point in the history 
build - don't use pull_request_target anymore
  • Loading branch information
@Erwinvandervalk
Erwinvandervalk authored Feb 10, 2025
2 parents 3fb5402 + 751baf3 commit 1237fca
Show file tree
Hide file tree
Showing 10 changed files with 33 additions and 10 deletions.
11 changes: 9 additions & 2 deletions .github/workflow-gen/Program.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ void GenerateCiWorkflow(Component component)
.Push()
.Paths(paths);
workflow.On
.PullRequestTarget()
.PullRequest()
.Paths(paths);

workflow.EnvDefaults();
Expand Down Expand Up @@ -207,7 +207,7 @@ public static void StepTestAndReport(this Job job, string componentName, string
job.Step()
.Name($"Test report - {testProject}")
.Uses("dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5") // v1.9.1
.If("success() || failure()")
.If("github.event == 'push' && (success() || failure())")
.With(
("name", $"Test Report - {testProject}"),
("path", $"{componentName}/{path}/TestResults/{logFileName}"),
Expand Down Expand Up @@ -240,12 +240,19 @@ public static void StepSign(this Job job)
"--azure-key-vault-certificate NuGetPackageSigning";
job.Step()
.Name("Sign packages")
.IfGithubEventIsPush()
.Run($"""
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" {flags}
done
""");
}
/// <summary>
/// Only run this if the build is triggered on a branch IN the same repo
/// this means it's from a trusted contributor.
/// </summary>
public static Step IfGithubEventIsPush(this Step step)
=> step.If("github.event == 'push'");

public static Step StepPush(this Job job, string destination, string sourceUrl, string secretName)
{
Expand Down
8 changes: 8 additions & 0 deletions .github/workflow-gen/Properties/launchSettings.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"profiles": {
"workflow-gen": {
"commandName": "Project",
"workingDirectory": "$(ProjectDir)"
}
}
}
5 changes: 3 additions & 2 deletions .github/workflows/access-token-management-ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
- .github/workflows/access-token-management-**
- access-token-management/**
- Directory.Packages.props
pull_request_target:
pull_request:
paths:
- .github/workflows/access-token-management-**
- access-token-management/**
Expand Down Expand Up @@ -45,7 +45,7 @@ jobs:
- name: Test - AccessTokenManagement.Tests
run: dotnet test -c Release test/AccessTokenManagement.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
- name: Test report - AccessTokenManagement.Tests
if: success() || failure()
if: github.event == 'push' && (success() || failure())
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
with:
name: Test Report - AccessTokenManagement.Tests
Expand All @@ -60,6 +60,7 @@ jobs:
- name: Pack AccessTokenManagement.OpenIdConnect
run: dotnet pack -c Release src/AccessTokenManagement.OpenIdConnect -o artifacts
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/access-token-management-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ jobs:
- name: Tool restore
run: dotnet tool restore
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/identity-model-ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
- .github/workflows/identity-model-**
- identity-model/**
- Directory.Packages.props
pull_request_target:
pull_request:
paths:
- .github/workflows/identity-model-**
- identity-model/**
Expand Down Expand Up @@ -45,7 +45,7 @@ jobs:
- name: Test - IdentityModel.Tests
run: dotnet test -c Release test/IdentityModel.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
- name: Test report - IdentityModel.Tests
if: success() || failure()
if: github.event == 'push' && (success() || failure())
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
with:
name: Test Report - IdentityModel.Tests
Expand All @@ -58,6 +58,7 @@ jobs:
- name: Pack IdentityModel
run: dotnet pack -c Release src/IdentityModel -o artifacts
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/identity-model-oidc-client-ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
- .github/workflows/identity-model-oidc-client-**
- identity-model-oidc-client/**
- Directory.Packages.props
pull_request_target:
pull_request:
paths:
- .github/workflows/identity-model-oidc-client-**
- identity-model-oidc-client/**
Expand Down Expand Up @@ -45,7 +45,7 @@ jobs:
- name: Test - IdentityModel.OidcClient.Tests
run: dotnet test -c Release test/IdentityModel.OidcClient.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
- name: Test report - IdentityModel.OidcClient.Tests
if: success() || failure()
if: github.event == 'push' && (success() || failure())
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
with:
name: Test Report - IdentityModel.OidcClient.Tests
Expand All @@ -60,6 +60,7 @@ jobs:
- name: Pack IdentityModel.OidcClient.Extensions
run: dotnet pack -c Release src/IdentityModel.OidcClient.Extensions -o artifacts
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/identity-model-oidc-client-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ jobs:
- name: Tool restore
run: dotnet tool restore
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/identity-model-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ jobs:
- name: Tool restore
run: dotnet tool restore
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/ignore-this-ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
- .github/workflows/ignore-this-**
- ignore-this/**
- Directory.Packages.props
pull_request_target:
pull_request:
paths:
- .github/workflows/ignore-this-**
- ignore-this/**
Expand Down Expand Up @@ -45,7 +45,7 @@ jobs:
- name: Test - IgnoreThis.Tests
run: dotnet test -c Release test/IgnoreThis.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
- name: Test report - IgnoreThis.Tests
if: success() || failure()
if: github.event == 'push' && (success() || failure())
uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
with:
name: Test Report - IgnoreThis.Tests
Expand All @@ -58,6 +58,7 @@ jobs:
- name: Pack IgnoreThis
run: dotnet pack -c Release src/IgnoreThis -o artifacts
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/ignore-this-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ jobs:
- name: Tool restore
run: dotnet tool restore
- name: Sign packages
if: github.event == 'push'
run: |-
for file in artifacts/*.nupkg; do
dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
Expand Down

0 comments on commit 1237fca

Please sign in to comment.