Bump ApiSurface from 4.0.42 to 4.0.43 #420
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/github-workflow.json | |
| name: .NET | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| DOTNET_NOLOGO: true | |
| DOTNET_CLI_TELEMETRY_OPTOUT: true | |
| DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true | |
| NUGET_XMLDOC_MODE: '' | |
| DOTNET_MULTILEVEL_LOOKUP: 0 | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| config: | |
| - Release | |
| - Debug | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # so that NerdBank.GitVersioning has access to history | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Restore dependencies | |
| run: nix develop --command dotnet restore | |
| - name: Build | |
| run: nix develop --command dotnet build --no-restore --configuration ${{matrix.config}} | |
| - name: Test | |
| run: nix develop --command dotnet test --no-build --verbosity normal --configuration ${{matrix.config}} | |
| analyzers: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # so that NerdBank.GitVersioning has access to history | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Prepare analyzers | |
| run: nix develop --command dotnet restore analyzers/analyzers.fsproj | |
| - name: Build project | |
| run: nix develop --command dotnet build ./WoofWare.Myriad.Plugins/WoofWare.Myriad.Plugins.fsproj | |
| - name: Run analyzers | |
| run: nix run .#fsharp-analyzers -- --project ./WoofWare.Myriad.Plugins/WoofWare.Myriad.Plugins.fsproj --analyzers-path ./.analyzerpackages/g-research.fsharp.analyzers/*/ --verbosity detailed --report ./analysis.sarif --treat-as-error GRA-STRING-001 GRA-STRING-002 GRA-STRING-003 GRA-UNIONCASE-001 GRA-INTERPOLATED-001 GRA-TYPE-ANNOTATE-001 GRA-VIRTUALCALL-001 GRA-IMMUTABLECOLLECTIONEQUALITY-001 GRA-JSONOPTS-001 GRA-LOGARGFUNCFULLAPP-001 GRA-DISPBEFOREASYNC-001 --exclude-analyzers PartialAppAnalyzer | |
| build-nix: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Build | |
| run: nix build | |
| check-dotnet-format: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Fantomas | |
| run: nix run .#fantomas -- --check . | |
| check-accurate-generations: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # so that NerdBank.GitVersioning has access to history | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Whitespace change | |
| run: "echo ' ' >> ConsumePlugin/List.fs" | |
| - name: Generate code | |
| run: nix develop --command dotnet build | |
| - name: Run Fantomas | |
| run: nix run .#fantomas -- . | |
| - name: Verify there is no diff | |
| run: git diff --name-only --no-color --exit-code | |
| check-nix-format: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Alejandra | |
| run: nix develop --command alejandra --check . | |
| linkcheck: | |
| name: Check links | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Run link checker | |
| run: nix develop --command markdown-link-check README.md CONTRIBUTING.md | |
| flake-check: | |
| name: Check flake | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Flake check | |
| run: nix flake check | |
| nuget-pack: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # so that NerdBank.GitVersioning has access to history | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Restore dependencies | |
| run: nix develop --command dotnet restore | |
| - name: Build | |
| run: nix develop --command dotnet build --no-restore --configuration Release | |
| - name: Pack | |
| run: nix develop --command dotnet pack --configuration Release | |
| - name: Upload NuGet artifact (plugin) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: nuget-package-plugin | |
| path: WoofWare.Myriad.Plugins/bin/Release/WoofWare.Myriad.Plugins.*.nupkg | |
| - name: Upload NuGet artifact (attributes) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: nuget-package-attribute | |
| path: WoofWare.Myriad.Plugins.Attributes/bin/Release/WoofWare.Myriad.Plugins.Attributes.*.nupkg | |
| expected-pack: | |
| needs: [nuget-pack] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download NuGet artifact (plugin) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-plugin | |
| path: packed-plugin | |
| - name: Check NuGet contents | |
| # Verify that there is exactly one nupkg in the artifact that would be NuGet published | |
| run: if [[ $(find packed-plugin -maxdepth 1 -name 'WoofWare.Myriad.Plugins.*.nupkg' -printf c | wc -c) -ne "1" ]]; then exit 1; fi | |
| - name: Download NuGet artifact (attributes) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-attribute | |
| path: packed-attribute | |
| - name: Check NuGet contents | |
| # Verify that there is exactly one nupkg in the artifact that would be NuGet published | |
| run: if [[ $(find packed-attribute -maxdepth 1 -name 'WoofWare.Myriad.Plugins.Attributes.*.nupkg' -printf c | wc -c) -ne "1" ]]; then exit 1; fi | |
| github-release-plugin-dry-run: | |
| needs: [nuget-pack] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download NuGet artifact (plugin) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-plugin | |
| - name: Download NuGet artifact (attribute) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-attribute | |
| - name: Tag and release plugin | |
| env: | |
| DRY_RUN: 1 | |
| GITHUB_TOKEN: mock-token | |
| run: sh .github/workflows/tag.sh | |
| all-required-checks-complete: | |
| needs: [check-dotnet-format, check-nix-format, check-accurate-generations, build, build-nix, linkcheck, flake-check, analyzers, nuget-pack, expected-pack, github-release-plugin-dry-run] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo "All required checks complete." | |
| attestation-attribute: | |
| runs-on: ubuntu-latest | |
| needs: [all-required-checks-complete] | |
| if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - name: Download NuGet artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-attribute | |
| path: packed | |
| - name: Attest Build Provenance | |
| uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 | |
| with: | |
| subject-path: "packed/*.nupkg" | |
| attestation-plugin: | |
| runs-on: ubuntu-latest | |
| needs: [all-required-checks-complete] | |
| if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - name: Download NuGet artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-plugin | |
| path: packed | |
| - name: Attest Build Provenance | |
| uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 | |
| with: | |
| subject-path: "packed/*.nupkg" | |
| nuget-publish-attribute: | |
| runs-on: ubuntu-latest | |
| if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} | |
| needs: [all-required-checks-complete] | |
| environment: main-deploy | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Download NuGet artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-attribute | |
| path: packed | |
| - name: Publish to NuGet | |
| id: publish-success | |
| env: | |
| NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} | |
| run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.Myriad.Plugins.Attributes.*.nupkg"' | |
| - name: Wait for availability | |
| if: steps.publish-success.outputs.result == 'published' | |
| env: | |
| PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }} | |
| run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.Myriad.Plugins.Attributes/$PACKAGE_VERSION" ; do sleep 10; done' | |
| # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/). | |
| # So we have to *re-attest* it after it's uploaded. Mind-blowing. | |
| - name: Assert package contents | |
| if: steps.publish-success.outputs.result == 'published' | |
| run: 'bash ./.github/workflows/assert-contents.sh' | |
| - name: Attest Build Provenance | |
| if: steps.publish-success.outputs.result == 'published' | |
| uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 | |
| with: | |
| subject-path: "from-nuget.nupkg" | |
| nuget-publish-plugin: | |
| runs-on: ubuntu-latest | |
| if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} | |
| needs: [all-required-checks-complete] | |
| environment: main-deploy | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@V27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - name: Download NuGet artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-plugin | |
| path: packed | |
| - name: Publish to NuGet | |
| id: publish-success | |
| env: | |
| NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} | |
| run: 'nix develop --command bash ./.github/workflows/nuget-push.sh "packed/WoofWare.Myriad.Plugins.*.nupkg"' | |
| - name: Wait for availability | |
| if: steps.publish-success.outputs.result == 'published' | |
| env: | |
| PACKAGE_VERSION: ${{ steps.publish-success.outputs.version }} | |
| run: 'echo "$PACKAGE_VERSION" && while ! curl -L --fail -o from-nuget.nupkg "https://www.nuget.org/api/v2/package/WoofWare.Myriad.Plugins/$PACKAGE_VERSION" ; do sleep 10; done' | |
| # Astonishingly, NuGet.org considers it to be "more secure" to tamper with my package after upload (https://devblogs.microsoft.com/nuget/introducing-repository-signatures/). | |
| # So we have to *re-attest* it after it's uploaded. Mind-blowing. | |
| - name: Assert package contents | |
| if: steps.publish-success.outputs.result == 'published' | |
| run: 'bash ./.github/workflows/assert-contents.sh' | |
| - name: Attest Build Provenance | |
| if: steps.publish-success.outputs.result == 'published' | |
| uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 | |
| with: | |
| subject-path: "from-nuget.nupkg" | |
| github-release-plugin: | |
| runs-on: ubuntu-latest | |
| if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }} | |
| needs: [all-required-checks-complete] | |
| environment: main-deploy | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download NuGet artifact (plugin) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-plugin | |
| - name: Download NuGet artifact (attribute) | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: nuget-package-attribute | |
| - name: Tag and release plugin | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: sh .github/workflows/tag.sh |