fix(release): resolve sbom manifest path under artifacts #32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI DevSecOps | |
| on: | |
| push: | |
| branches: ["main", "master"] | |
| pull_request: | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| actions: read | |
| jobs: | |
| build-test-scan: | |
| runs-on: windows-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup .NET | |
| uses: actions/setup-dotnet@v4 | |
| with: | |
| dotnet-version: "8.0.x" | |
| - name: Restore | |
| run: dotnet restore "ThreadPilot_1.sln" | |
| - name: Verify formatting | |
| continue-on-error: true | |
| run: dotnet format "ThreadPilot_1.sln" --verify-no-changes --verbosity diagnostic --report dotnet-format-report.json | |
| - name: Build Debug | |
| run: dotnet build "ThreadPilot_1.sln" --configuration Debug --no-restore | |
| - name: Build Release | |
| run: dotnet build "ThreadPilot_1.sln" --configuration Release --no-restore | |
| - name: Run tests | |
| run: dotnet test "ThreadPilot_1.sln" --configuration Release --no-build --verbosity normal --collect:"XPlat Code Coverage" --results-directory TestResults | |
| - name: Upload coverage | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| files: '**/coverage.cobertura.xml' | |
| fail_ci_if_error: false | |
| - name: Dependency vulnerability audit | |
| shell: pwsh | |
| run: | | |
| $ErrorActionPreference = "Stop" | |
| $audit = dotnet list "ThreadPilot.csproj" package --vulnerable --include-transitive | |
| $audit | Out-String | Write-Host | |
| if ($LASTEXITCODE -ne 0) { | |
| throw "dotnet list package --vulnerable failed." | |
| } | |
| if ($audit -match "has the following vulnerable packages") { | |
| throw "Vulnerable packages detected." | |
| } | |
| - name: Secret scan (Gitleaks) | |
| shell: pwsh | |
| run: | | |
| $ErrorActionPreference = "Stop" | |
| $version = "8.24.3" | |
| $baseUrl = "https://github.com/gitleaks/gitleaks/releases/download/v$version" | |
| $zipAsset = "gitleaks_${version}_windows_x64.zip" | |
| $tarAsset = "gitleaks_${version}_windows_x64.tar.gz" | |
| $toolDir = Join-Path $env:RUNNER_TEMP "gitleaks-bin" | |
| if (Test-Path $toolDir) { | |
| Remove-Item -Path $toolDir -Recurse -Force | |
| } | |
| try { | |
| Invoke-WebRequest -Uri "$baseUrl/$zipAsset" -OutFile "gitleaks.zip" | |
| Expand-Archive -Path "gitleaks.zip" -DestinationPath $toolDir -Force | |
| } | |
| catch { | |
| Invoke-WebRequest -Uri "$baseUrl/$tarAsset" -OutFile "gitleaks.tar.gz" | |
| New-Item -ItemType Directory -Force -Path $toolDir | Out-Null | |
| tar -xzf "gitleaks.tar.gz" -C $toolDir | |
| } | |
| # Remove vendored tool docs from scan scope to avoid known upstream sample false positives. | |
| if (Test-Path ".\\gitleaks-bin") { | |
| Remove-Item -Path ".\\gitleaks-bin" -Recurse -Force | |
| } | |
| $gitleaksExe = Resolve-Path (Join-Path $toolDir "gitleaks.exe") | |
| & $gitleaksExe detect --source "." --no-git --exit-code 1 --redact --verbose --report-format json --report-path gitleaks-report.json | |
| - name: Upload security artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: security-reports | |
| path: | | |
| gitleaks-report.json | |
| dotnet-format-report.json |