build.yaml

#
# CI Pipeline
#

# NOTES:
# This workflow builds and tests module updates.

name: Build
on:
  push:
    branches: [ main, 'release/*' ]
  pull_request:
    branches: [ main, 'release/*' ]
  schedule:
    - cron: '26 21 * * 0' # At 09:26 PM, on Sunday each week
  workflow_dispatch: {}

env:
  DOTNET_NOLOGO: true
  DOTNET_CLI_TELEMETRY_OPTOUT: true

permissions: {}

jobs:
  build_module:
    name: Build module
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Setup .NET
      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
      with:
        global-json-file: global.json

    - name: Install dependencies
      shell: pwsh
      timeout-minutes: 3
      run: ./scripts/pipeline-deps.ps1

    - name: Build module
      shell: pwsh
      timeout-minutes: 5
      run: Invoke-Build -Configuration Release -AssertStyle GitHubActions

    - name: Upload module
      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: Module
        path: ./out/modules/PSRule.Rules.Azure/*
        retention-days: 3
        if-no-files-found: error

    # - name: Upload Test Results
    #   uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
    #   if: always()
    #   with:
    #     name: Module.DotNet.TestResults
    #     path: ./reports/*.trx
    #     retention-days: 3
    #     if-no-files-found: error

    - name: Upload PSRule Results
      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      if: always()
      with:
        name: Results-PSRule
        path: ./reports/ps-rule*.xml
        retention-days: 3
        if-no-files-found: error

  test_module:
    name: 🧪 Test module (${{ matrix.rid }}-${{ matrix.shell }})
    runs-on: ${{ matrix.os }}
    needs: build_module
    permissions:
      contents: read

    strategy:
      # Get full test results from all platforms.
      fail-fast: false

      matrix:
        os: [ 'ubuntu-latest' ]
        rid: [ 'linux-x64' ]
        shell: [ 'pwsh' ]
        include:
          - os: windows-latest
            rid: win-x64
            shell: pwsh
          - os: windows-latest
            rid: win-x64
            shell: powershell
          - os: ubuntu-latest
            rid: linux-x64
            shell: pwsh
          - os: ubuntu-latest
            rid: linux-musl-x64
            shell: pwsh
          - os: macos-latest
            rid: osx-x64
            shell: pwsh

    steps:

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Setup .NET
      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
      with:
        global-json-file: global.json

    - if: ${{ matrix.shell == 'pwsh' }}
      name: Install dependencies (PowerShell)
      shell: pwsh
      timeout-minutes: 3
      run: ./scripts/pipeline-deps.ps1

    - if: ${{ matrix.shell == 'powershell' }}
      name: Install dependencies (Windows PowerShell)
      shell: powershell
      timeout-minutes: 3
      run: ./scripts/pipeline-deps.ps1

    - name: Download module
      uses: actions/download-artifact@v7
      with:
        name: Module
        path: ./out/modules/PSRule.Rules.Azure

    - if: ${{ matrix.shell == 'pwsh' }}
      name: Test module (PowerShell)
      shell: pwsh
      timeout-minutes: 15
      run: Invoke-Build TestModule -Configuration Release -AssertStyle GitHubActions

    - if: ${{ matrix.shell == 'powershell' }}
      name: Test module (Windows PowerShell)
      shell: powershell
      timeout-minutes: 30
      run: Invoke-Build TestModule -Configuration Release -AssertStyle GitHubActions

  build_docs:
    name: Build docs
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Setup .NET
        uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
        with:
          global-json-file: global.json

      - name: Install dependencies
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install wheel
          python3 -m pip install -r requirements-docs.txt

      - name: Build docs
        run: |
          Install-Module InvokeBuild -MinimumVersion 5.4.0 -Scope CurrentUser -Force
          Invoke-Build BuildDocs
        shell: pwsh

      - name: Build site
        run: mkdocs build
        env:
          MKDOCS_GIT_COMMITTERS_APIKEY: ${{ secrets.GITHUB_TOKEN }}

  # ------------------
  # Run analysis tools
  # ------------------
  oss:
    name: 🔍 Analyze with PSRule
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Run PSRule analysis
        uses: microsoft/ps-rule@46451b8f5258c41beb5ae69ed7190ccbba84112c # v2.9.0
        with:
          modules: PSRule.Rules.MSFT.OSS
          prerelease: true
          outputFormat: Sarif
          outputPath: reports/ps-rule-results.sarif

      - name: Upload results to security tab
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        if: always()
        with:
          sarif_file: reports/ps-rule-results.sarif

      - name: Upload results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: always()
        with:
          name: PSRule-Sarif
          path: reports/ps-rule-results.sarif
          retention-days: 1
          if-no-files-found: error

  devskim:
    name: 🔍 Analyze with DevSkim
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Run DevSkim scanner
        uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
        with:
          directory-to-scan: .

      - name: Upload results to security tab
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        if: always()
        with:
          sarif_file: devskim-results.sarif

      - name: Upload results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: always()
        with:
          name: DevSkim-Sarif
          path: devskim-results.sarif
          retention-days: 1
          if-no-files-found: error

  codeql:
    name: 🔍 Analyze with CodeQL
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: 'csharp'

      - name: Autobuild
        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        id: codeql-analyze

      - name: Upload results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: always()
        with:
          name: CodeQL-Sarif
          path: ${{ steps.codeql-analyze.outputs.sarif-output }}
          retention-days: 1
          if-no-files-found: error