Skip to content
Package

ci: bump actions/setup-dotnet from 5.2.0 to 5.3.0 #706

Sign in to view logs

ci: bump actions/setup-dotnet from 5.2.0 to 5.3.0

ci: bump actions/setup-dotnet from 5.2.0 to 5.3.0 #706

Workflow file for this run

.github/workflows/release.yml at 6845f1c
name: Package
# Produces the framework NuGet (.nupkg + .snupkg) and the agent skill kit
# (reactor-skill-kit-<version>.zip with bin/x64 + bin/arm64).
#
# Versions come from MinVer (see "Resolve version" step). Both PR and main
# builds get the same MinVer-computed version; they differ by sha in build
# metadata and by workflow run ID. Tag pushes (`v*`) get the tag's version
# verbatim and additionally create a GitHub Release with the assets attached.
# This is the interim distribution path described in
# docs/specs/022-packaging-and-distribution.md §3 (Phase P0) while the
# internal Microsoft NuGet feed is being plumbed through.
#
# Both x64 and arm64 mur binaries are produced on every run so reviewers can
# install either against a feature branch.
on:
pull_request:
paths-ignore:
- 'docs/guide/**' # auto-generated; see CLAUDE.md memory note
push:
# No paths-ignore on push: tag pushes must always run regardless of what
# changed in the tagged commit, and main pushes are infrequent enough
# that running on doc-only changes isn't a real cost.
branches: [main]
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: 'Version to pack (e.g. 0.1.0-preview.1). When dispatched manually, no Release is created.'
required: true
type: string
permissions:
contents: write # required for creating Releases
# ─── Version strategy ───────────────────────────────────────────────────────
# Versions come from MinVer (commit-height past the latest `v*` tag). Pattern:
#
# - Past tag `v0.1.0-experimental.1` by N commits → `0.1.0-experimental.1.N+<sha7>`
# - Exactly at a tag → that tag's version
# - No tags yet → `0.1.0-experimental.0.<height>+<sha7>` (defaults below)
#
# Bootstrap once: `git tag v0.1.0-experimental.0 && git push --tags`. After
# that, every commit gets a unique, ordered version with zero coordination —
# height strictly increases as commits land. Bump to a new milestone by
# tagging (e.g. `v0.1.0-experimental.1`); MinVer takes it from there.
#
# Tag pushes (`v*`) produce a clean version and create a GitHub Release.
# Pushes to main and PR builds get the same MinVer-computed version (they
# differ by sha → unique workflow artifacts; the .nupkg filename may collide
# across PR pushes from the same merge base, which is acceptable for the
# experimental channel).
jobs:
package:
name: Pack (x64 + arm64)
runs-on: windows-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # MinVer needs full history to find the latest v* tag
- name: Setup .NET
uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
with:
dotnet-version: 10.0.x
- name: Install minver-cli
run: dotnet tool install --global minver-cli --version 5.0.0
- name: Install BinSkim
# BinSkim ships as a regular NuGet package containing BinSkim.exe,
# not as a dotnet global tool. Download the package and resolve the
# exe path into an env var for the analyze step.
shell: pwsh
run: |
nuget install Microsoft.CodeAnalysis.BinSkim -OutputDirectory binskim-pkg -ExcludeVersion
$exe = Get-ChildItem binskim-pkg -Filter BinSkim.exe -Recurse |
Where-Object { $_.FullName -like '*win-x64*' } |
Select-Object -First 1 -ExpandProperty FullName
if (-not $exe) { throw 'BinSkim.exe not found in package' }
"BINSKIM_EXE=$exe" >> $env:GITHUB_ENV
Write-Host "BinSkim: $exe"
- name: Resolve version
id: version
shell: pwsh
run: |
$eventName = '${{ github.event_name }}'
if ($eventName -eq 'workflow_dispatch') {
$version = '${{ inputs.version }}'
} else {
# MinVer flags:
# -t v tag prefix
# -p experimental.0 default prerelease identifiers — flags pre-P1 builds as experimental
# -m 0.1 minimum major.minor when no tag (so untagged → 0.1.x)
$version = (& minver -t v -p experimental.0 -m 0.1).Trim()
}
if (-not $version) { throw "Could not resolve version" }
"version=$version" >> $env:GITHUB_OUTPUT
$isTag = '${{ github.ref }}'.StartsWith('refs/tags/v')
"is_tag=$($isTag.ToString().ToLower())" >> $env:GITHUB_OUTPUT
Write-Host "Version: $version (event=$eventName, isTag=$isTag)"
- name: Restore
run: dotnet restore Reactor.slnx
- name: Build framework + analyzers
run: dotnet build Reactor.slnx --no-restore --configuration Release
- name: Pack framework NuGet
run: >
dotnet pack src/Reactor/Reactor.csproj
--no-build --configuration Release
-p:Version=${{ steps.version.outputs.version }}
-o artifacts/nupkg
- name: Pack Templates
run: >
dotnet pack tools\Templates\Microsoft.UI.Reactor.Templates.csproj
--no-build --configuration Release
-p:Version=${{ steps.version.outputs.version }}
-p:Platform=AnyCPU
-o artifacts/nupkg
# Framework-dependent: the consumer's machine supplies the .NET 10
# runtime — saves ~70 MB per RID. install-skill-kit.ps1 checks for it
# and errors out with an install hint if it's missing. See spec 022 §6.
- name: Publish mur (win-x64)
run: >
dotnet publish src/Reactor.Cli/Reactor.Cli.csproj
--configuration Release
--runtime win-x64
--self-contained false
-p:Version=${{ steps.version.outputs.version }}
-o artifacts/mur/x64
- name: Publish mur (win-arm64)
run: >
dotnet publish src/Reactor.Cli/Reactor.Cli.csproj
--configuration Release
--runtime win-arm64
--self-contained false
-p:Version=${{ steps.version.outputs.version }}
-o artifacts/mur/arm64
# Managed-only repo: most native PE-hardening rules no-op against MSIL
# assemblies. The run produces a SARIF for SDL compliance attestation
# (ADO 62373198). Scope is now Reactor-managed outputs only — the
# `runtimes/<rid>/native/` subtree (e.g., `copilot.exe` shipped by
# transitive `GitHub.Copilot.SDK`) is excluded since those binaries are
# not Reactor-authored. SARIF is uploaded unconditionally so reviewers
# can attach it to the work item.
- name: Run BinSkim
shell: pwsh
run: |
New-Item -ItemType Directory -Force -Path artifacts/binskim | Out-Null
# Enumerate managed assemblies explicitly and filter out
# `runtimes/` — BinSkim has no path-exclude flag, so passing a
# pre-filtered file list is the cleanest way to scope the scan.
$managed = @()
foreach ($dir in 'artifacts/mur/x64', 'artifacts/mur/arm64') {
$managed += Get-ChildItem $dir -Recurse -File -Include '*.dll', '*.exe' |
Where-Object { $_.FullName -notmatch '[\\/]runtimes[\\/]' } |
Select-Object -ExpandProperty FullName
}
$packages = Get-ChildItem artifacts/nupkg -Filter *.nupkg -File |
Select-Object -ExpandProperty FullName
$targets = @($packages) + @($managed)
Write-Host "BinSkim targets: $($packages.Count) nupkg, $($managed.Count) managed binaries"
& $env:BINSKIM_EXE analyze @targets --output artifacts/binskim/binskim.sarif
if ($LASTEXITCODE -ne 0) {
throw "BinSkim reported policy violations (exit $LASTEXITCODE). See SARIF artifact."
}
- name: Upload BinSkim SARIF
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: binskim-${{ steps.version.outputs.version }}
path: artifacts/binskim/binskim.sarif
retention-days: 30
- name: Assemble skill kit
shell: pwsh
run: |
$version = '${{ steps.version.outputs.version }}'
$stage = 'artifacts/kit-stage/reactor'
New-Item -ItemType Directory -Force -Path $stage | Out-Null
New-Item -ItemType Directory -Force -Path "$stage/bin/x64" | Out-Null
New-Item -ItemType Directory -Force -Path "$stage/bin/arm64" | Out-Null
Copy-Item SKILL.md $stage
Copy-Item -Recurse skills $stage
Copy-Item artifacts/mur/x64/* "$stage/bin/x64/" -Recurse
Copy-Item artifacts/mur/arm64/* "$stage/bin/arm64/" -Recurse
Copy-Item tools/install-skill-kit.ps1 "$stage/install-skill-kit.ps1"
New-Item -ItemType Directory -Force -Path artifacts/kit | Out-Null
$zip = "artifacts/kit/reactor-skill-kit-$version.zip"
# Archive the `reactor` folder itself (not its contents) so the zip
# contains a single top-level `reactor/` folder. Extracting the zip
# gives the directory layout install-skill-kit.ps1 expects.
Compress-Archive -Path artifacts/kit-stage/reactor -DestinationPath $zip -Force
Write-Host "Kit: $zip"
- name: Upload artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: release-${{ steps.version.outputs.version }}
path: |
artifacts/nupkg/*
artifacts/kit/*.zip
retention-days: 30
- name: Create GitHub Release
if: steps.version.outputs.is_tag == 'true'
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
name: Reactor ${{ steps.version.outputs.version }}
tag_name: ${{ github.ref_name }}
draft: false
prerelease: ${{ contains(steps.version.outputs.version, '-') }}
generate_release_notes: true
files: |
artifacts/nupkg/*.nupkg
artifacts/nupkg/*.snupkg
artifacts/kit/*.zip
body: |
**Reactor ${{ steps.version.outputs.version }}**
> Interim distribution — see [spec 022](https://github.com/microsoft/microsoft-ui-reactor/blob/main/docs/specs/022-packaging-and-distribution.md) for the rollout plan.
## Two assets
### `Microsoft.UI.Reactor.${{ steps.version.outputs.version }}.nupkg` — the framework
Drop into a folder and add a NuGet source pointing at it:
```xml
<!-- nuget.config -->
<configuration>
<packageSources>
<add key="reactor-local" value="C:\path\to\folder\with\nupkg" />
</packageSources>
</configuration>
```
Then in your `.csproj`:
```xml
<PackageReference Include="Microsoft.UI.Reactor" Version="${{ steps.version.outputs.version }}" />
```
### `reactor-skill-kit-${{ steps.version.outputs.version }}.zip` — agent skill bundle + `mur` CLI
Extract, then run:
```powershell
cd reactor
.\install-skill-kit.ps1
```
Installs to `~/.claude/skills/reactor/` and adds `bin/<arch>` to your user PATH. After a new shell, `mur --version` should resolve.