This repository was archived by the owner on Mar 5, 2026. It is now read-only.
ci(workflows): pin actions to full sha #1160
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json | |
| --- | |
| name: Radius Build | |
| on: | |
| push: | |
| branches: [bicep-extensibility] | |
| tags: | |
| - v* | |
| pull_request: | |
| branches: [bicep-extensibility] | |
| workflow_dispatch: | |
| env: | |
| CI: true | |
| # don't print dotnet logo | |
| DOTNET_NOLOGO: true | |
| # disable telemetry (reduces dotnet tool output in logs) | |
| DOTNET_CLI_TELEMETRY_OPTOUT: true | |
| RELEASE_PATH: ./release | |
| # ORAS (OCI Registry As Storage) CLI version | |
| ORAS_VERSION: 1.1.0 | |
| # Container registry url for GitHub container registry. | |
| CONTAINER_REGISTRY: ghcr.io/radius-project/radius | |
| # URL to get source code for building the image | |
| IMAGE_SRC: https://github.com/radius-project/bicep | |
| jobs: | |
| build: | |
| name: Build Bicep - ${{ matrix.rid }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| # should be the full list of RIDs that we support in the CLI | |
| matrix: | |
| include: | |
| - os: windows-latest | |
| rid: win-x64 | |
| name: windows-x64 | |
| ext: ".exe" | |
| - os: windows-latest | |
| rid: win-arm64 | |
| name: windows-arm64 | |
| ext: ".exe" | |
| - os: ubuntu-latest | |
| rid: linux-x64 | |
| name: linux-x64 | |
| ext: "" | |
| - os: ubuntu-latest | |
| rid: linux-arm | |
| name: linux-arm | |
| ext: "" | |
| - os: ubuntu-latest | |
| rid: linux-arm64 | |
| name: linux-arm64 | |
| ext: "" | |
| - os: macos-latest | |
| rid: osx-x64 | |
| name: macos-x64 | |
| ext: "" | |
| - os: macos-latest | |
| rid: osx-arm64 | |
| name: macos-arm64 | |
| ext: "" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| with: | |
| fetch-depth: 0 # avoid shallow clone so nbgv can do its work. | |
| submodules: true | |
| - name: Parse release version and set environment variables | |
| run: python ./.github/scripts/get_release_version.py | |
| - name: Setup .NET Core | |
| uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 | |
| - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ~/.nuget/packages | |
| # Look to see if there is a cache hit for the corresponding requirements file | |
| key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-nuget | |
| - name: Publish Bicep ${{ matrix.name }} | |
| run: > | |
| dotnet publish ./src/Bicep.Cli/Bicep.Cli.csproj | |
| --configuration Release | |
| --self-contained true | |
| -p:PublishTrimmed=true | |
| -p:PublishSingleFile=true | |
| -p:TrimmerDefaultAction=copyused | |
| -p:SuppressTrimAnalysisWarnings=true | |
| -r ${{ matrix.rid }} | |
| -o ./artifacts/bicep/${{ matrix.name }} | |
| - name: Test | |
| if: ${{ matrix.name == 'linux-x64' }} | |
| run: dotnet test --configuration release --blame --collect:"XPlat Code Coverage" --settings ./.github/workflows/codecov.runsettings --results-directory ./TestResults/ | |
| - name: Upload Test Results | |
| if: ${{ matrix.name == 'linux-x64' }} | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: Bicep.TestResults | |
| path: ./TestResults/**/*.trx | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: artifacts-${{ matrix.name }} | |
| path: ./artifacts | |
| if-no-files-found: error | |
| - name: Move rad-bicep to release directory | |
| shell: bash | |
| run: | | |
| mkdir ${{ env.RELEASE_PATH }} | |
| cp ./artifacts/bicep/${{ matrix.name }}/rad-bicep${{ matrix.ext }} ./release/$release_file | |
| env: | |
| release_file: rad-bicep-${{ matrix.name }}${{ matrix.ext }} | |
| - name: Upload rad-bicep | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: release-${{ matrix.name }} | |
| path: ${{ env.RELEASE_PATH }} | |
| if-no-files-found: error | |
| vscode-bicep-build: | |
| name: Build Bicep vscode extension | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| with: | |
| fetch-depth: 0 # avoid shallow clone so nbgv can do its work. | |
| submodules: true | |
| - name: Parse release version and set environment variables | |
| run: python ./.github/scripts/get_release_version.py | |
| - name: Setup Node | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 | |
| with: | |
| node-version: 16 | |
| - name: Setup .NET | |
| uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 | |
| with: | |
| dotnet-version: | | |
| 6.0.400 | |
| - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ~/.nuget/packages | |
| # Look to see if there is a cache hit for the corresponding requirements file | |
| key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-nuget | |
| - name: Publish Language Server | |
| run: > | |
| dotnet publish --configuration release | |
| ./src/Bicep.LangServer/Bicep.LangServer.csproj | |
| -o "./src/vscode-bicep/bicepLanguageServer" | |
| - name: npm ci | |
| run: npm ci | |
| working-directory: ./src/vscode-bicep | |
| - name: Enable params | |
| run: npm run params | |
| working-directory: ./src/vscode-bicep | |
| - name: Run lint | |
| run: npm run lint | |
| working-directory: ./src/vscode-bicep | |
| - name: Run unit tests | |
| run: npm run test:unit | |
| working-directory: ./src/vscode-bicep | |
| - name: Run snapshot tests | |
| run: npm run test:snapshot | |
| working-directory: ./src/vscode-bicep | |
| - name: Build prod | |
| run: npm run build:prod | |
| working-directory: ./src/vscode-bicep | |
| - name: Create VSIX | |
| run: npm run package | |
| working-directory: ./src/vscode-bicep | |
| - name: Copy VSIX | |
| run: > | |
| mkdir -p ./artifacts/vscode && | |
| cp ./src/vscode-bicep/rad-vscode-bicep.vsix ./artifacts/vscode/rad-vscode-bicep.vsix | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: artifacts | |
| path: ./artifacts | |
| if-no-files-found: error | |
| - name: Copy VSIX to release | |
| run: > | |
| mkdir -p ${{ env.RELEASE_PATH }}/vscode && | |
| cp ./src/vscode-bicep/rad-vscode-bicep.vsix ${{ env.RELEASE_PATH }}/rad-vscode-bicep.vsix | |
| - name: Upload VSIX to release | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: release-vscode-ext | |
| path: ${{ env.RELEASE_PATH }} | |
| if-no-files-found: error | |
| publish_release: | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| name: Publish to GitHub Release | |
| needs: [build, vscode-bicep-build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| with: | |
| fetch-depth: 0 # avoid shallow clone so nbgv can do its work. | |
| submodules: true | |
| - name: Parse release version and set environment variables | |
| run: python ./.github/scripts/get_release_version.py | |
| - name: Download releases | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| pattern: release-* | |
| merge-multiple: true | |
| path: ${{ env.RELEASE_PATH }} | |
| - name: generate checksum files | |
| run: cd ${{ env.RELEASE_PATH }} && for i in *; do sha256sum -b $i > "$i.sha256"; done && cd - | |
| - name: Display release | |
| run: ls -R | |
| working-directory: ./release | |
| - name: Pre-release | |
| if: ${{ contains(env.REL_VERSION, '-rc') }} | |
| run: | | |
| gh release create v${{ env.REL_VERSION }} \ | |
| ${{ env.RELEASE_PATH }}/* \ | |
| --generate-notes \ | |
| --prerelease \ | |
| --verify-tag \ | |
| --title "Radius Bicep v${{ env.REL_VERSION }}" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} | |
| - name: Official release | |
| if: ${{ !contains(env.REL_VERSION, '-rc') }} | |
| run: | | |
| gh release create v${{ env.REL_VERSION }} \ | |
| ${{ env.RELEASE_PATH }}/* \ | |
| --generate-notes \ | |
| --verify-tag \ | |
| --title "Radius Bicep v${{ env.REL_VERSION }}" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} | |
| publish: | |
| if: ${{ github.event_name == 'push' }} | |
| name: Publish to GHCR | |
| needs: [build, vscode-bicep-build] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| matrix: | |
| runtime: | |
| - name: windows-x64 | |
| id: win-x64 | |
| extension: .exe | |
| - name: windows-arm64 | |
| id: win-arm64 | |
| extension: .exe | |
| - name: linux-x64 | |
| id: linux-x64 | |
| - name: linux-arm | |
| id: linux-arm | |
| - name: linux-arm64 | |
| id: linux-arm64 | |
| - name: macos-x64 | |
| id: osx-x64 | |
| - name: macos-arm64 | |
| id: osx-arm64 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| with: | |
| fetch-depth: 0 # avoid shallow clone so nbgv can do its work. | |
| submodules: true | |
| - name: Parse release version and set environment variables | |
| run: python ./.github/scripts/get_release_version.py | |
| - name: Download artifacts | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: artifacts-${{ matrix.runtime.name }} | |
| path: artifacts | |
| - name: Display artifacts | |
| run: ls -R | |
| working-directory: ./artifacts | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4 | |
| with: | |
| version: ${{ env.ORAS_VERSION }} | |
| - run: oras version | |
| - name: Push rad bicep binaries to GHCR (${{ matrix.runtime.name }}) | |
| run: | | |
| cd ./artifacts/bicep/${{ matrix.runtime.name }} && oras push --annotation "org.opencontainers.image.source=${{ env.IMAGE_SRC }}" ${{ env.CONTAINER_REGISTRY }}/bicep/rad-bicep/${{ matrix.runtime.name }}:${{ env.UPDATE_RELEASE == 'true' && env.REL_CHANNEL || 'latest' }} ./rad-bicep${{ matrix.runtime.extension }} | |
| - name: Check uploaded | |
| run: curl --fail ${{ env.CONTAINER_REGISTRY }}/bicep/rad-bicep/${{ matrix.runtime.name }}:latest -v > out |