fix(debugger): seed initial route replay and stabilize conduit e2e #657
| # This workflow will build a .NET project | |
| # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net | |
| name: CD | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup .NET 10 | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: '10.0.x' | |
| - name: Install WASM experimental workload | |
| run: dotnet workload install wasm-experimental wasm-tools | |
| - name: Install GitVersioning | |
| run: dotnet tool install --global nbgv | |
| - name: Set version | |
| id: version | |
| run: echo "::set-output name=VERSION::$(nbgv get-version -v AssemblyInformationalVersion)" | |
| - name: Restore dependencies | |
| run: dotnet restore | |
| - name: Check for vulnerable packages (SCA) | |
| run: | | |
| echo "🔍 Scanning for vulnerable packages..." | |
| dotnet list package --vulnerable --include-transitive 2>&1 | tee vulnerability-report.txt | |
| if grep -qi "critical\|high" vulnerability-report.txt; then | |
| echo "❌ Critical or High severity vulnerabilities detected!" | |
| if [ -n "${ALLOW_TRANSITIVE_VULNS:-}" ]; then | |
| if echo "${ALLOW_TRANSITIVE_VULNS}" | grep -Eq '^https?://'; then | |
| echo "⚠️ Temporarily allowing vulnerabilities due to tracked issue:" | |
| echo " ${ALLOW_TRANSITIVE_VULNS}" | |
| echo "Remove this exception as soon as remediations are available." | |
| else | |
| echo "❌ ALLOW_TRANSITIVE_VULNS is set but is not a valid http(s) URL:" | |
| echo " ${ALLOW_TRANSITIVE_VULNS}" | |
| exit 1 | |
| fi | |
| else | |
| echo "❌ Failing build because high/critical vulnerabilities were found." | |
| echo "To temporarily allow this, set ALLOW_TRANSITIVE_VULNS to a tracking issue URL." | |
| exit 1 | |
| fi | |
| else | |
| echo "✅ No critical or high severity vulnerabilities found" | |
| fi | |
| - name: Build | |
| run: dotnet build --no-restore | |
| - name: Test Picea.Abies.Tests | |
| run: dotnet test --project Picea.Abies.Tests/Picea.Abies.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Server.Tests | |
| run: dotnet test --project Picea.Abies.Server.Tests/Picea.Abies.Server.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Server.Kestrel.Tests | |
| run: dotnet test --project Picea.Abies.Server.Kestrel.Tests/Picea.Abies.Server.Kestrel.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Conduit.Tests | |
| run: dotnet test --project Picea.Abies.Conduit.Tests/Picea.Abies.Conduit.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Conduit.Wasm.Tests | |
| run: dotnet test --project Picea.Abies.Conduit.Wasm.Tests/Picea.Abies.Conduit.Wasm.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Conduit.Api.Tests | |
| run: dotnet test --project Picea.Abies.Conduit.Api.Tests/Picea.Abies.Conduit.Api.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Analyzers.Tests | |
| run: dotnet test --project Picea.Abies.Analyzers.Tests/Picea.Abies.Analyzers.Tests.csproj --no-build --verbosity normal | |
| - name: Test Picea.Abies.Templates.Testing (build-smoke only) | |
| run: dotnet test --project Picea.Abies.Templates.Testing/Picea.Abies.Templates.Testing.csproj --no-build --verbosity normal -- --treenode-filter "/*/*/*/*[Category!=E2E]" | |
| - name: Build container images from Dockerfiles | |
| run: | | |
| mapfile -t dockerfiles < <(find . -name 'Dockerfile' -type f | sort) | |
| if [ "${#dockerfiles[@]}" -eq 0 ]; then | |
| echo "No Dockerfiles found. Skipping image build phase." | |
| exit 0 | |
| fi | |
| : > /tmp/cd-image-tags.txt | |
| for dockerfile in "${dockerfiles[@]}"; do | |
| context_dir=$(dirname "$dockerfile") | |
| rel=${context_dir#./} | |
| tag="abies-$(echo "$rel" | tr '/._' '---' | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9-'):ci" | |
| echo "Building image $tag from $dockerfile" | |
| docker build -f "$dockerfile" -t "$tag" . | |
| echo "$tag" >> /tmp/cd-image-tags.txt | |
| done | |
| echo "Built images:" | |
| cat /tmp/cd-image-tags.txt | |
| - name: Trivy image scan (HIGH/CRITICAL) | |
| run: | | |
| if [ ! -f /tmp/cd-image-tags.txt ]; then | |
| echo "No built image list found. Skipping image scanning." | |
| exit 0 | |
| fi | |
| TRIVY_IMAGE="" | |
| for candidate in ghcr.io/aquasecurity/trivy:latest aquasec/trivy:latest; do | |
| if docker pull "$candidate" >/dev/null 2>&1; then | |
| TRIVY_IMAGE="$candidate" | |
| break | |
| fi | |
| done | |
| if [ -z "$TRIVY_IMAGE" ]; then | |
| echo "❌ Could not pull a usable Trivy image." | |
| exit 1 | |
| fi | |
| echo "Using Trivy image: $TRIVY_IMAGE" | |
| while IFS= read -r image_tag; do | |
| [ -z "$image_tag" ] && continue | |
| echo "Scanning image: $image_tag" | |
| docker run --rm \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| "$TRIVY_IMAGE" image \ | |
| --severity HIGH,CRITICAL \ | |
| --ignore-unfixed \ | |
| --exit-code 1 \ | |
| "$image_tag" | |
| done < /tmp/cd-image-tags.txt | |
| # PostgreSQL integration tests are skipped in CD — they require a | |
| # PostgreSQL service container that is not provisioned in this workflow. | |
| # Run locally with: CONDUIT_POSTGRES_CONNECTION="..." dotnet test --project ... | |
| - name: Pack Picea.Abies | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Picea.Abies/Picea.Abies.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Picea.Abies.Browser | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Picea.Abies.Browser/Picea.Abies.Browser.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Picea.Abies.Server | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Picea.Abies.Server/Picea.Abies.Server.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Picea.Abies.Server.Kestrel | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Picea.Abies.Server.Kestrel/Picea.Abies.Server.Kestrel.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Picea.Abies.Templates | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Picea.Abies.Templates/Picea.Abies.Templates.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Abies (redirect metapackage) | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Metapackages/Abies/Abies.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Abies.Browser (redirect metapackage) | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Metapackages/Abies.Browser/Abies.Browser.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Pack Abies.Server (redirect metapackage) | |
| if: github.event_name != 'pull_request' | |
| run: dotnet pack ./Metapackages/Abies.Server/Abies.Server.csproj --configuration Release --output ./nupkg /p:PackageVersion=${{ steps.version.outputs.VERSION }} | |
| - name: Publish to NuGet | |
| if: github.event_name != 'pull_request' | |
| run: dotnet nuget push ./nupkg/*.nupkg --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate |
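Review bot: The Trivy step pulls `ghcr.io/aquasecurity/trivy:latest` (falling back to `aquasec/trivy:latest`) and runs it with `/var/run/docker.sock` mounted, so whatever those mutable tags resolve to controls the runner's Docker daemon in the same job that later packs and pushes to NuGet with `secrets.NUGET_API_KEY`. Pin the scanner to a reviewed digest, e.g. `for candidate in ghcr.io/aquasecurity/trivy@sha256:<pinned-digest>; do`, and consider moving the Pack/Publish steps into a separate job that receives the build output as an artifact, so the scan container and the publish credential never share a runner. `actions/checkout@v6` and `actions/setup-dotnet@v4` are likewise referenced by tag rather than commit SHA, and the workflow has no `permissions:` block; a top-level `permissions:` with `contents: read` would keep the job token read-only. The page shows the file without change markers, so it is not possible to tell from here which of these lines this pull request touches.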