-
-
Notifications
You must be signed in to change notification settings - Fork 0
148 lines (127 loc) · 4.1 KB
/
build.yml
File metadata and controls
148 lines (127 loc) · 4.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Build
on:
push:
branches: [main]
paths:
- '**.cs'
- '**.csproj'
- '**.sln'
- 'Directory.Build.props'
- 'Directory.Packages.props'
- 'nuget.config'
- 'extension/**'
pull_request:
branches: [main]
paths:
- '**.cs'
- '**.csproj'
- '**.sln'
- 'Directory.Build.props'
- 'Directory.Packages.props'
- 'nuget.config'
- 'extension/**'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
# Dependency review for PRs - checks for vulnerabilities in dependency changes
dependency-review:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
# Allow existing vulnerabilities, only fail on new ones
deny-licenses: ''
build:
runs-on: windows-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0 # Required for MinVer to read git history
- name: Setup .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: |
8.0.x
9.0.x
10.0.x
- name: Restore dependencies
run: dotnet restore
- name: Check for vulnerable packages
shell: pwsh
run: |
# Run vulnerability check - capture output and exit code separately
# Note: dotnet list package can crash with CLR errors on some SDK versions
$output = dotnet list package --vulnerable --include-transitive 2>&1
$dotnetExitCode = $LASTEXITCODE
$output | Write-Host
# Handle CLR crashes or other unexpected failures gracefully
if ($dotnetExitCode -ne 0 -and $output -notmatch "has the following vulnerable packages") {
Write-Host ""
Write-Host "::warning::Vulnerable package check exited with code $dotnetExitCode (possible SDK bug, continuing)"
}
elseif ($output -match "has the following vulnerable packages") {
Write-Host ""
Write-Host "::warning::Vulnerable packages detected - review security advisories above"
# Note: Not failing the build to avoid blocking on transitive dependencies
# that require upstream fixes. Dependency-review-action will catch new vulns.
}
else {
Write-Host "No known vulnerabilities found in packages"
}
# Always succeed - vulnerability blocking is handled by dependency-review-action
exit 0
- name: Build
run: dotnet build --configuration Release --no-restore
- name: Upload build artifacts
uses: actions/upload-artifact@v6
with:
name: packages
path: |
src/PPDS.Plugins/bin/Release/*.nupkg
src/PPDS.Plugins/bin/Release/*.snupkg
if-no-files-found: warn
# Extension build (TypeScript)
extension:
runs-on: ubuntu-latest
# Only run if extension files changed
if: |
github.event_name == 'push' && contains(github.event.head_commit.modified, 'extension/') ||
github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '20'
cache: 'npm'
cache-dependency-path: extension/package-lock.json
- name: Install dependencies
working-directory: extension
run: npm ci
- name: Lint
working-directory: extension
run: npm run lint
- name: Build
working-directory: extension
run: npm run compile
# Gate job for branch protection
build-status:
runs-on: ubuntu-latest
needs: [build, extension]
if: always()
steps:
- name: Check build status
run: |
if [[ "${{ needs.build.result }}" == "success" || "${{ needs.build.result }}" == "skipped" ]]; then
echo "Build passed"
exit 0
else
echo "Build failed: ${{ needs.build.result }}"
exit 1
fi