TheCombine/.github/workflows/backend.yml at a372fac5c0dc37c582c2ec7966c3dbc493f1cb5a · sillsdev/TheCombine · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: backend

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
    paths-ignore:
      - "docs/user_guide/**"
      - "package-lock.json"
      - "public/**"
      - "src/**"

concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.ref_protected && github.run_id || github.event.pull_request.number }}

permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  test_build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        dotnet: ["8.0.x"]
    steps:
      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
      # configuring harden-runner and identifying allowed endpoints.
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            *.actions.githubusercontent.com:443
            aka.ms:443
            api.github.com:443
            api.nuget.org:443
            builds.dotnet.microsoft.com:443
            dc.services.visualstudio.com:443
            deb.debian.org:80
            github.com:443
            md-hdd-t032zjxllntc.z26.blob.storage.azure.net:443
            objects.githubusercontent.com:443
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup dotnet
        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
        with:
          dotnet-version: ${{ matrix.dotnet }}
      - name: Install ffmpeg
        uses: FedericoCarboni/setup-ffmpeg@36c6454b5a2348e7794ba2d82a21506605921e3d # v3
      - name: Run coverage tests
        run: dotnet test Backend.Tests/Backend.Tests.csproj
        shell: bash
      - name: Upload coverage artifact
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          if-no-files-found: error
          name: coverage
          path: Backend.Tests/coverage.cobertura.xml
          retention-days: 5
      - name: Development build
        run: dotnet build BackendFramework.sln
      - name: Release build
        run: dotnet publish BackendFramework.sln
      - name: Format check
        run: dotnet format --verify-no-changes

  upload_coverage:
    needs: test_build
    runs-on: ubuntu-latest
    steps:
      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
      # configuring harden-runner and identifying allowed endpoints.
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            cli.codecov.io:443
            github.com:443
            ingest.codecov.io:443
            keybase.io:443
            storage.googleapis.com:443
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Download coverage artifact
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: coverage
      - name: Upload coverage report
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
          files: coverage.cobertura.xml
          flags: backend
          name: Backend

  docker_build:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
      # configuring harden-runner and identifying allowed endpoints.
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          disable-sudo: true
          disable-file-monitoring: true
          egress-policy: block
          allowed-endpoints: >
            *.data.mcr.microsoft.com:443
            api.nuget.org:443
            archive.ubuntu.com:80
            dc.services.visualstudio.com:443
            deb.debian.org:80
            github.com:443
            mcr.microsoft.com:443
            security.ubuntu.com:80
      # For subfolders, currently a full checkout is required.
      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
      - name: Build backend
        run: |
          deploy/scripts/build.py --components backend
        shell: bash
      - name: Image digest
        run: |
          docker image inspect combine_backend:latest -f '{{json .Id}}'
        shell: bash