From 2b95c8fe83ce638ec648f846cbf4bc472dbccfa2 Mon Sep 17 00:00:00 2001 From: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Date: Fri, 21 Nov 2025 10:50:09 -0800 Subject: [PATCH 1/3] ci(workflows): pin actions to full sha Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --- .github/dependabot.yml | 18 +++ .github/workflows/build.yml | 132 +++++++++++----------- .github/workflows/close-stale-prs.yml | 24 ++-- .github/workflows/radius-build.yml | 112 +++++++++++------- .github/workflows/update-baselines.yml | 12 +- .github/workflows/update-dependencies.yml | 14 ++- .github/workflows/update-notices.yml | 24 ++-- 7 files changed, 197 insertions(+), 139 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..9a7d4acb6 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json +# See GitHub's documentation for more information on this file: +# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference +--- +version: 2 + +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + commit-message: + prefix: ci + include: scope + groups: + all: + patterns: + - "*" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3d26bfbff..37982c4ac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,3 +1,5 @@ +# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json +--- name: Build on: 
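Review bot: In the new `.github/dependabot.yml`, the single `all` group with `patterns: "*"` puts every action update, major bumps included, into one weekly PR, so a reviewer has to vet many replaced SHAs at once and cannot hold back a breaking major without also blocking the patch-level pins. Splitting by update type keeps the routine PR small: add `update-types: [minor, patch]` under `all` and let majors arrive as their own PRs. A comment above `groups:` noting that the workflows are pinned by full SHA with a trailing `# vX.Y.Z` comment would also tell maintainers why these PRs change hashes rather than tags.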
@@ -39,13 +41,13 @@ jobs: - rid: osx-arm64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Build Bicep.sln run: dotnet build --configuration release @@ -54,14 +56,14 @@ jobs: run: dotnet publish --configuration release --self-contained true -p:PublishTrimmed=true -p:PublishSingleFile=true -p:TrimmerDefaultAction=copyused -p:SuppressTrimAnalysisWarnings=true -r ${{ matrix.rid }} ./src/Bicep.Cli/Bicep.Cli.csproj - name: Upload Bicep - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: bicep-release-${{ matrix.rid }} path: ./src/Bicep.Cli/bin/release/net6.0/${{ matrix.rid }}/publish/* if-no-files-found: error - + - name: Upload Bicep project assets file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: bicep-project-assets-${{ matrix.rid }} path: ./src/Bicep.Cli/obj/project.assets.json @@ -72,19 +74,19 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Pack run: dotnet pack --configuration release - name: Upload Packages - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: bicep-nupkg-any path: out/* 
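Review bot: The pins in the `@@ -39,13 +41,13 @@` hunk do more than the subject line says: `actions/checkout` goes from `v4` to the SHA commented `v6.0.0`, and `setup-dotnet` and `upload-artifact` go from `v4` to `v5.0.0`, so immutable refs and major upgrades are reviewed as one change. The same pattern repeats in every other hunk of `build.yml` and in the other workflow files (`download-artifact` and `setup-node` to `v6.0.0`, `codecov-action` to `v5.5.1`, `create-pull-request` to `v7.0.8`). Nothing in the diff shows that each 40-character SHA is the commit its trailing comment names, and that comment is all a later reader has to go on, so each pair should be checked against the upstream repository's tag before merge. Pinning the release already in use first, e.g. `uses: actions/checkout@<full-sha-of-current-v4-release> # v4.x.y` (placeholder values), and leaving the major bumps to the Dependabot config added in this commit would keep the security change separable from behaviour changes.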
@@ -95,27 +97,27 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Publish Language Server run: dotnet publish --configuration release ./src/Bicep.LangServer/Bicep.LangServer.csproj - name: Upload Language Server - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: Bicep.LangServer path: ./src/Bicep.LangServer/bin/release/net6.0/publish/* if-no-files-found: error - + # needed to generate notice file - name: Upload Language Server project assets file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: Bicep.LangServer.ProjAssets path: ./src/Bicep.LangServer/obj/project.assets.json @@ -135,18 +137,18 @@ jobs: - macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 16 - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: npm ci run: npm ci 
@@ -170,23 +172,23 @@ jobs: working-directory: ./src/vscode-bicep - name: Download Language Server - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: Bicep.LangServer path: ./src/vscode-bicep/bicepLanguageServer - + - name: Download Language Server project assets file if: runner.os == 'Linux' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: Bicep.LangServer.ProjAssets path: ./src/vscode-bicep-notice/inputs - + - name: npm list -a --json if: runner.os == 'Linux' run: npm list -a --json > ../vscode-bicep-notice/inputs/npm-list.json working-directory: ./src/vscode-bicep - + - name: Generate VSIX notice if: runner.os == 'Linux' run: dotnet build --configuration Release ./src/vscode-bicep-notice/vscode-bicep-notice.proj @@ -216,7 +218,7 @@ jobs: working-directory: ./src/vscode-bicep - name: Upload Code Coverage - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: flags: typescript directory: ./src/vscode-bicep/coverage @@ -227,7 +229,7 @@ jobs: working-directory: ./src/vscode-bicep - name: Upload VSIX - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: runner.os == 'Linux' with: name: vscode-bicep.vsix 
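Review bot: In the `Upload Code Coverage` step (`@@ -216,7 +218,7 @@`), the SHA pin covers only the action's own code; as far as I know `codecov-action` fetches the Codecov CLI at run time, and this pin does not fix that download. If that holds for `v5.5.1`, consider also fixing the CLI release through the action's `version` input (`version: <cli-release>`, placeholder), or at least add a comment on the step recording that the uploader binary is resolved at run time. The same applies to the second `codecov/codecov-action` step in the `@@ -580,7 +582,7 @@` hunk. Both step bodies continue outside their hunks, so a `with:` entry I cannot see may already do this.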
@@ -239,23 +241,23 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true # needed by the GenerateNotice package - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v2 + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2 - name: Build Bicep.sln run: msbuild Bicep.sln /restore -property:Configuration=Release /v:m /bl:./src/binlog/bicep_build.binlog - name: Upload Bicep.sln build binlog - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: build-binlog-files path: ./src/binlog/bicep_build.binlog 
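Review bot: The comment on the `microsoft/setup-msbuild` pin in the `@@ -239,23 +241,23 @@` hunk is `# v2`, a moving major tag, while the `actions/*` pins around it name an exact release. A reader cannot tell from it which release the SHA was taken from, and the tag may point elsewhere later. Record the exact release instead: `uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # vX.Y.Z`, with the real tag in place of the placeholder. The same line appears in `update-notices.yml` (`@@ -18,20 +20,20 @@`).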
@@ -265,21 +267,21 @@ jobs: run: msbuild src/vs-bicep/BicepInVisualStudio.sln /restore -property:Configuration=Release /v:m /bl:./src/binlog/bicep_in_visual_studio_build.binlog - name: Upload Bicep.sln build binlog - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: build-binlog-files path: ./src/binlog/bicep_in_visual_studio_build.binlog if-no-files-found: error - name: Upload BicepLanguageServerClient VSIX - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: Bicep.VSLanguageServerClient.Vsix.vsix path: ./src/vs-bicep/Bicep.VSLanguageServerClient.Vsix/bin/Release/vs-bicep.vsix if-no-files-found: error - name: Run bicep in visual studio unit tests - uses: microsoft/vstest-action@v1.0.0 + uses: microsoft/vstest-action@6ef4755ea07a3144e3da36f10d76187086eee5e6 # v1.0.0 with: testAssembly: src/vs-bicep/Bicep.VSLanguageServerClient.UnitTests/bin/Release/net472/Bicep.VSLanguageServerClient.UnitTests.dll runInParallel: true @@ -291,7 +293,7 @@ jobs: run: ./src/vs-bicep/Install.cmd - name: Run bicep in visual studio integration tests - uses: microsoft/vstest-action@v1.0.0 + uses: microsoft/vstest-action@6ef4755ea07a3144e3da36f10d76187086eee5e6 # v1.0.0 with: testAssembly: src/vs-bicep/Bicep.VSLanguageServerClient.IntegrationTests/bin/Release/net472/Bicep.VSLanguageServerClient.IntegrationTests.dll runInParallel: false 
@@ -305,22 +307,22 @@ jobs: needs: build-cli steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Download Bicep CLI - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-release-win-x64 path: ./src/installer-win/bicep - + - name: Download Bicep CLI project assets file - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-project-assets-win-x64 path: ./src/installer-win/bicep @@ -329,7 +331,7 @@ jobs: run: dotnet build --configuration release ./src/installer-win/installer.proj - name: Upload Windows Installer - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: bicep-setup-win-x64 path: ./src/installer-win/bin/release/net6.0/bicep-setup-win-x64.exe @@ -368,16 +370,16 @@ jobs: runTests: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 16 
@@ -397,19 +399,19 @@ jobs: working-directory: ./src/Bicep.MSBuild.E2eTests - name: Download Bicep CLI - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-release-${{ matrix.rid }} path: ./src/Bicep.Cli.Nuget/tools - + - name: Download Bicep CLI project assets file - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-project-assets-${{ matrix.rid }} path: ./src/Bicep.Cli.Nuget/tools - name: Download .Net Packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-nupkg-any path: ./src/Bicep.MSBuild.E2eTests/examples/local-packages @@ -418,7 +420,7 @@ jobs: run: dotnet build --configuration release /p:RuntimeSuffix=${{ matrix.rid }} ./src/Bicep.Cli.Nuget/nuget.proj - name: Upload CLI Package - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: bicep-nupkg-${{ matrix.rid }} path: ./src/Bicep.Cli.Nuget/*.nupkg @@ -426,7 +428,7 @@ jobs: - name: Download CLI Package if: matrix.runTests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-nupkg-${{ matrix.rid }} path: ./src/Bicep.MSBuild.E2eTests/examples/local-packages @@ -441,16 +443,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 14 
@@ -467,7 +469,7 @@ jobs: working-directory: ./src/playground - name: Upload - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: playground path: ./src/playground/dist/* @@ -478,16 +480,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 16 @@ -534,19 +536,19 @@ jobs: rid: osx-x64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Test run: dotnet test --configuration release --logger trx --blame --collect:"XPlat Code Coverage" --settings ./.github/workflows/codecov.runsettings --results-directory ./TestResults/ - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: always() with: name: Bicep.TestResults.${{ matrix.rid }} @@ -554,7 +556,7 @@ jobs: if-no-files-found: error - name: Download Bicep CLI - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-release-${{ matrix.rid }} path: ./src/Bicep.Cli.E2eTests/src/temp/bicep-cli 
@@ -580,7 +582,7 @@ jobs: BICEP_CLI_EXECUTABLE: ../../../Bicep.Cli.E2eTests/src/temp/bicep-cli/bicep - name: Upload Code Coverage - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: flags: dotnet @@ -619,15 +621,15 @@ jobs: BICEP_SPN_PASSWORD_FF: ${{ secrets.BICEP_SPN_PASSWORD_FF }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 16 - name: Download Bicep CLI - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-release-${{ matrix.runtime.rid }} path: ./src/Bicep.Cli.E2eTests/src/temp/bicep-cli @@ -637,7 +639,7 @@ jobs: run: chmod +x ./src/Bicep.Cli.E2eTests/src/temp/bicep-cli/bicep - name: Az CLI login - uses: azure/login@v2 + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 if: matrix.environment == 'prod' with: client-id: ${{ secrets.LIVE_TEST_CLIENT_ID_PROD }} @@ -669,14 +671,14 @@ jobs: BICEP_SPN_PASSWORD_FF: ${{ secrets.BICEP_SPN_PASSWORD_FF }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 # Cannot use actions/setup-node@v4 for linux-musl-x64 - name: Setup Node.js run: apk add --update nodejs npm - name: Download Bicep CLI - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: bicep-release-linux-musl-x64 path: ./src/Bicep.Cli.E2eTests/src/temp/bicep-cli 
@@ -685,7 +687,7 @@ jobs: run: chmod +x ./src/Bicep.Cli.E2eTests/src/temp/bicep-cli/bicep - name: Az CLI login - uses: azure/login@v2 + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 if: matrix.environment == 'prod' with: client-id: ${{ secrets.LIVE_TEST_CLIENT_ID_PROD }} diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml index 68fa579ad..714e85792 100644 --- a/.github/workflows/close-stale-prs.yml +++ b/.github/workflows/close-stale-prs.yml @@ -2,26 +2,28 @@ # # For more information, see: # https://github.com/actions/stale +# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json +--- name: Close stale pull requests on: schedule: - - cron: '0 18 * * *' # Run the workflow every day at 6PM UTC (10AM PST). + - cron: "0 18 * * *" # Run the workflow every day at 6PM UTC (10AM PST). jobs: stale: - runs-on: ubuntu-latest permissions: pull-requests: write steps: - - uses: actions/stale@v9 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-pr-message: 'This pull request has been automatically marked as stale because it has been inactive for 90 days. Remove stale label or comment or this PR will be closed in 7 days.' - stale-pr-label: 'stale' - days-before-pr-stale: 90 # 3 months - days-before-pr-close: 7 - days-before-issue-stale: -1 - days-before-issue-close: -1 \ No newline at end of file + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + stale-pr-message: | + This pull request has been automatically marked as stale because it has been inactive for 90 days. Remove stale label or comment or this PR will be closed in 7 days. + stale-pr-label: stale + days-before-pr-stale: 90 # 3 months + days-before-pr-close: 7 + days-before-issue-stale: -1 + days-before-issue-close: -1 diff --git a/.github/workflows/radius-build.yml b/.github/workflows/radius-build.yml index bb95da686..994b05386 100644 
--- a/.github/workflows/radius-build.yml +++ b/.github/workflows/radius-build.yml @@ -1,3 +1,5 @@ +# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json +--- name: Radius Build on: @@ -19,7 +21,7 @@ env: # ORAS (OCI Registry As Storage) CLI version ORAS_VERSION: 1.1.0 # Container registry url for GitHub container registry. - CONTAINER_REGISTRY: 'ghcr.io/radius-project/radius' + CONTAINER_REGISTRY: ghcr.io/radius-project/radius # URL to get source code for building the image IMAGE_SRC: https://github.com/radius-project/bicep @@ -36,34 +38,34 @@ jobs: - os: windows-latest rid: win-x64 name: windows-x64 - ext: '.exe' + ext: ".exe" - os: windows-latest rid: win-arm64 name: windows-arm64 - ext: '.exe' + ext: ".exe" - os: ubuntu-latest rid: linux-x64 name: linux-x64 - ext: '' + ext: "" - os: ubuntu-latest rid: linux-arm name: linux-arm - ext: '' + ext: "" - os: ubuntu-latest rid: linux-arm64 name: linux-arm64 - ext: '' + ext: "" - os: macos-latest rid: osx-x64 name: macos-x64 - ext: '' + ext: "" - os: macos-latest rid: osx-arm64 name: macos-arm64 - ext: '' + ext: "" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true @@ -71,9 +73,9 @@ jobs: run: python ./.github/scripts/get_release_version.py - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.nuget/packages # Look to see if there is a cache hit for the corresponding requirements file 
@@ -83,13 +85,13 @@ jobs: - name: Publish Bicep ${{ matrix.name }} run: > - dotnet publish ./src/Bicep.Cli/Bicep.Cli.csproj - --configuration Release - --self-contained true - -p:PublishTrimmed=true - -p:PublishSingleFile=true - -p:TrimmerDefaultAction=copyused - -p:SuppressTrimAnalysisWarnings=true + dotnet publish ./src/Bicep.Cli/Bicep.Cli.csproj + --configuration Release + --self-contained true + -p:PublishTrimmed=true + -p:PublishSingleFile=true + -p:TrimmerDefaultAction=copyused + -p:SuppressTrimAnalysisWarnings=true -r ${{ matrix.rid }} -o ./artifacts/bicep/${{ matrix.name }} @@ -99,12 +101,12 @@ jobs: - name: Upload Test Results if: ${{ matrix.name == 'linux-x64' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: Bicep.TestResults path: ./TestResults/**/*.trx - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: artifacts-${{ matrix.name }} path: ./artifacts @@ -117,7 +119,7 @@ jobs: env: release_file: rad-bicep-${{ matrix.name }}${{ matrix.ext }} - name: Upload rad-bicep - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: release-${{ matrix.name }} path: ${{ env.RELEASE_PATH }} 
@@ -128,65 +130,80 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true + - name: Parse release version and set environment variables run: python ./.github/scripts/get_release_version.py + - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 16 - - uses: actions/cache@v4 + + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.nuget/packages # Look to see if there is a cache hit for the corresponding requirements file key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} restore-keys: | ${{ runner.os }}-nuget + - name: Publish Language Server run: > - dotnet publish --configuration release - ./src/Bicep.LangServer/Bicep.LangServer.csproj + dotnet publish --configuration release + ./src/Bicep.LangServer/Bicep.LangServer.csproj -o "./src/vscode-bicep/bicepLanguageServer" + - name: npm ci run: npm ci working-directory: ./src/vscode-bicep + - name: Enable params run: npm run params working-directory: ./src/vscode-bicep + - name: Run lint run: npm run lint working-directory: ./src/vscode-bicep + - name: Run unit tests run: npm run test:unit working-directory: ./src/vscode-bicep + - name: Run snapshot tests run: npm run test:snapshot working-directory: ./src/vscode-bicep + - name: Build prod run: npm run build:prod working-directory: ./src/vscode-bicep + - name: Create VSIX run: npm run package working-directory: ./src/vscode-bicep + - name: Copy VSIX run: > - mkdir -p ./artifacts/vscode && - cp ./src/vscode-bicep/rad-vscode-bicep.vsix ./artifacts/vscode/rad-vscode-bicep.vsix + mkdir -p ./artifacts/vscode && + cp ./src/vscode-bicep/rad-vscode-bicep.vsix ./artifacts/vscode/rad-vscode-bicep.vsix + - name: Upload artifacts - uses: 
actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: artifacts path: ./artifacts if-no-files-found: error + - name: Copy VSIX to release run: > - mkdir -p ${{ env.RELEASE_PATH }}/vscode && - cp ./src/vscode-bicep/rad-vscode-bicep.vsix ${{ env.RELEASE_PATH }}/rad-vscode-bicep.vsix + mkdir -p ${{ env.RELEASE_PATH }}/vscode && + cp ./src/vscode-bicep/rad-vscode-bicep.vsix ${{ env.RELEASE_PATH }}/rad-vscode-bicep.vsix + - name: Upload VSIX to release - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: release-vscode-ext path: ${{ env.RELEASE_PATH }} @@ -195,27 +212,32 @@ jobs: publish_release: if: startsWith(github.ref, 'refs/tags/v') name: Publish to GitHub Release - needs: ["build", "vscode-bicep-build"] + needs: [build, vscode-bicep-build] runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true + - name: Parse release version and set environment variables run: python ./.github/scripts/get_release_version.py + - name: Download releases - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: pattern: release-* merge-multiple: true path: ${{ env.RELEASE_PATH }} + - name: generate checksum files run: cd ${{ env.RELEASE_PATH }} && for i in *; do sha256sum -b $i > "$i.sha256"; done && cd - + - name: Display release run: ls -R working-directory: ./release + - name: Pre-release if: ${{ contains(env.REL_VERSION, '-rc') }} run: | @@ -227,6 +249,7 @@ jobs: --title "Radius Bicep v${{ env.REL_VERSION }}" env: GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} + - name: Official release if: ${{ !contains(env.REL_VERSION, '-rc') }} run: | 
@@ -241,7 +264,7 @@ jobs: publish: if: ${{ github.event_name == 'push' }} name: Publish to GHCR - needs: ["build", "vscode-bicep-build"] + needs: [build, vscode-bicep-build] runs-on: ubuntu-latest permissions: contents: read @@ -267,33 +290,40 @@ jobs: id: osx-arm64 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. submodules: true + - name: Parse release version and set environment variables run: python ./.github/scripts/get_release_version.py + - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: artifacts-${{ matrix.runtime.name }} path: artifacts + - name: Display artifacts run: ls -R working-directory: ./artifacts + - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: oras-project/setup-oras@main + + - uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4 with: version: ${{ env.ORAS_VERSION }} + - run: oras version + - name: Push rad bicep binaries to GHCR (${{ matrix.runtime.name }}) run: | cd ./artifacts/bicep/${{ matrix.runtime.name }} && oras push --annotation "org.opencontainers.image.source=${{ env.IMAGE_SRC }}" ${{ env.CONTAINER_REGISTRY }}/bicep/rad-bicep/${{ matrix.runtime.name }}:${{ env.UPDATE_RELEASE == 'true' && env.REL_CHANNEL || 'latest' }} ./rad-bicep${{ matrix.runtime.extension }} + - name: Check uploaded run: curl --fail ${{ env.CONTAINER_REGISTRY }}/bicep/rad-bicep/${{ matrix.runtime.name }}:latest -v > out - diff --git a/.github/workflows/update-baselines.yml b/.github/workflows/update-baselines.yml index 1512c68bf..6b143b305 100644 
--- a/.github/workflows/update-baselines.yml +++ b/.github/workflows/update-baselines.yml @@ -1,3 +1,5 @@ +# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json +--- name: Update Baselines # This action can be run on-demand against a branch. # It attempts to update the baseline files, and commits and pushes changes if there are any. @@ -18,17 +20,17 @@ jobs: DOTNET_CLI_TELEMETRY_OPTOUT: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. - name: Setup .NET Core - uses: actions/setup-dotnet@v4 - + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + - name: Test continue-on-error: true run: dotnet test --filter "TestCategory=Baseline" -- 'TestRunParameters.Parameter(name="SetBaseLine", value="true")' - + - name: Commit baselines run: | git config --global user.email "bicep@noreply.github.com" @@ -39,4 +41,4 @@ jobs: if ! git diff-index --quiet HEAD --; then git commit -m "Update test baselines" git push - fi \ No newline at end of file + fi diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 40bf68760..1ee51b74d 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -1,3 +1,5 @@ +# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json +--- name: Update Dependencies # This action can be run on-demand against a branch. # It attempts to update dotnet & npm dependencies, and commits and pushes changes if there are any. 
@@ -15,27 +17,27 @@ jobs: DOTNET_CLI_TELEMETRY_OPTOUT: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - name: Install Tools run: | npm install -g npm-check-updates dotnet tool install -g dotnet-outdated-tool - + - name: Update Dependencies continue-on-error: true run: ./scripts/update_dependencies.sh - + - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: committer: GitHub author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> diff --git a/.github/workflows/update-notices.yml b/.github/workflows/update-notices.yml index 2ab6a32be..ff0943023 100644 --- a/.github/workflows/update-notices.yml +++ b/.github/workflows/update-notices.yml @@ -1,3 +1,5 @@ +# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json +--- name: Update Local Notice Files # This action can be run on-demand against a branch or scheduled every day. # It updates the checked-in TPN files and creates a PR with the changes. 
@@ -18,20 +20,20 @@ jobs: GenerateNoticeUpdateLocalFile: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 # avoid shallow clone so nbgv can do its work. - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 16 - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v2 + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2 - name: Build Bicep.sln run: dotnet build --configuration Release 
@@ -41,22 +43,22 @@ jobs: - name: Publish Language Server run: dotnet publish --configuration Release ./src/Bicep.LangServer/Bicep.LangServer.csproj - + # this command is not correct for releasing the binaries but is sufficient for the purposes of this job - name: Windows Installer prerequisites run: mkdir ./src/installer-win/bicep && copy ./src/Bicep.Cli/obj/project.assets.json ./src/installer-win/bicep/ && copy ./src/Bicep.Cli/bin/Release/net6.0/bicep.* ./src/installer-win/bicep/ - name: Build Windows Installer run: dotnet build --configuration Release ./src/installer-win/installer.proj - + - name: CLI Package prerequisites - run: mkdir ./src/Bicep.Cli.Nuget/tools && copy ./src/Bicep.Cli/obj/project.assets.json ./src/Bicep.Cli.Nuget/tools/ && copy ./src/Bicep.Cli/bin/Release/net6.0/bicep.* ./src/Bicep.Cli.Nuget/tools/ + run: mkdir ./src/Bicep.Cli.Nuget/tools && copy ./src/Bicep.Cli/obj/project.assets.json ./src/Bicep.Cli.Nuget/tools/ && copy ./src/Bicep.Cli/bin/Release/net6.0/bicep.* ./src/Bicep.Cli.Nuget/tools/ - name: Build CLI Package run: dotnet build --configuration Release /p:RuntimeSuffix=win-x64 ./src/Bicep.Cli.Nuget/nuget.proj - name: VSIX Notice prerequisites - run: mkdir ./src/vscode-bicep-notice/inputs && copy ./src/Bicep.LangServer/obj/project.assets.json ./src/vscode-bicep-notice/inputs/ + run: mkdir ./src/vscode-bicep-notice/inputs && copy ./src/Bicep.LangServer/obj/project.assets.json ./src/vscode-bicep-notice/inputs/ - name: npm ci run: npm ci 
@@ -71,14 +73,14 @@ jobs: - name: Build BicepInVisualStudio.sln run: msbuild src/vs-bicep/BicepInVisualStudio.sln /restore -property:Configuration=Release /v:m - + - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: committer: GitHub author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> signoff: false - add-paths: '**/local-tpn.txt' + add-paths: "**/local-tpn.txt" branch: update-local-tpn-files delete-branch: true title: | From 991fae4a8746607e197877f669f537996fed3c95 Mon Sep 17 00:00:00 2001 From: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Date: Fri, 21 Nov 2025 11:45:32 -0800 Subject: [PATCH 2/3] ci(workflows): add setup step for .NET 6.0.400 Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --- .github/workflows/radius-build.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/radius-build.yml b/.github/workflows/radius-build.yml index 994b05386..262492a81 100644 --- a/.github/workflows/radius-build.yml +++ b/.github/workflows/radius-build.yml @@ -143,6 +143,12 @@ jobs: with: node-version: 16 + - name: Setup .NET + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + with: + dotnet-version: | + 6.0.400 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.nuget/packages From 4404d946a68cb39dc013e1d2dd769e7fbe3ec39d Mon Sep 17 00:00:00 2001 From: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Date: Mon, 24 Nov 2025 10:51:45 -0800 Subject: [PATCH 3/3] ci(workflows): update create-pull-request action Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --- .github/workflows/update-dependencies.yml | 2 +- .github/workflows/update-notices.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
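Review bot: The added `Setup .NET` step (patch 2/3, `@@ -143,6 +143,12 @@` in `radius-build.yml`) pins the SDK to the exact build `6.0.400`, which freezes the toolchain at one old SDK on a release line that is out of support, so later SDK security fixes are never picked up. The `build` job in the same file calls `actions/setup-dotnet` with no `with:` block, so the two jobs may build with different SDKs. If the project must stay on .NET 6, `dotnet-version: 6.0.x` takes the latest patch; if the repository has a `global.json` (not visible here), `global-json-file: global.json` in both jobs keeps them aligned. A one-line comment on the step saying why this job needs an explicit SDK would help, since the commit message gives none.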
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 1ee51b74d..62b4e1706 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -37,7 +37,7 @@ jobs: run: ./scripts/update_dependencies.sh - name: Create Pull Request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 with: committer: GitHub author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> diff --git a/.github/workflows/update-notices.yml b/.github/workflows/update-notices.yml index ff0943023..8a0c4ada6 100644 --- a/.github/workflows/update-notices.yml +++ b/.github/workflows/update-notices.yml @@ -75,7 +75,7 @@ jobs: run: msbuild src/vs-bicep/BicepInVisualStudio.sln /restore -property:Configuration=Release /v:m - name: Create Pull Request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 with: committer: GitHub author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>