reset build program to main

Author: Erwinvandervalk

.github/workflow-gen/Program.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Duende Software. All rights reserved.
+// Copyright (c) Duende Software. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using Logicality.GitHub.Actions.Workflow;
@@ -33,9 +33,12 @@
     GenerateReleaseWorkflow(component);
 }
 
+GenerateUploadTestResultsWorkflow();
+
+
 void GenerateCiWorkflow(Component component)
 {
-    var workflow = new Workflow($"{component.Name}/ci");
+    var workflow = new Workflow(component.CiWorkflowName);
     var paths    = new[]
     {
         $".github/workflows/{component.Name}-**", 
@@ -49,7 +52,7 @@ void GenerateCiWorkflow(Component component)
         .Push()
         .Paths(paths);
     workflow.On
-        .PullRequestTarget()
+        .PullRequest()
         .Paths(paths);
 
     workflow.EnvDefaults();
@@ -76,10 +79,10 @@ void GenerateCiWorkflow(Component component)
 
     foreach (var testProject in component.Tests)
     {
-        job.StepTestAndReport(component.Name, testProject);
+        job.StepTest(component.Name, testProject);
     }
 
-    job.StepInstallCACerts();
+    job.StepUploadTestResultsAsArtifact(component);
 
     job.StepToolRestore();
 
@@ -90,8 +93,6 @@ void GenerateCiWorkflow(Component component)
 
     job.StepSign();
 
-    job.StepPush("MyGet", "https://www.myget.org/F/duende_identityserver/api/v2/package", "MYGET");
-
     job.StepPush("GitHub", "https://nuget.pkg.github.com/DuendeSoftware/index.json", "GITHUB_TOKEN")
         .Env(("GITHUB_TOKEN", contexts.Secrets.GitHubToken),
             ("NUGET_AUTH_TOKEN", contexts.Secrets.GitHubToken));
@@ -104,7 +105,7 @@ void GenerateCiWorkflow(Component component)
 
 void GenerateReleaseWorkflow(Component component)
 {
-    var workflow = new Workflow($"{component.Name}/release");
+    var workflow = new Workflow(component.ReleaseWorkflowName);
 
     workflow.On
         .WorkflowDispatch()
@@ -138,16 +139,14 @@ git config --global user.name ""Duende Software GitHub Bot""
 git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{contexts.Event.Input.Version}""
 git push origin {component.TagPrefix}-{contexts.Event.Input.Version}");
 
-    tagJob.StepInstallCACerts();
-
     foreach (var project in component.Projects)
     {
         tagJob.StepPack(project);
     }
 
     tagJob.StepToolRestore();
 
-    tagJob.StepSign();
+    tagJob.StepSign(true);
 
     tagJob.StepPush("MyGet", "https://www.myget.org/F/duende_identityserver/api/v2/package", "MYGET");
 
@@ -160,8 +159,7 @@ git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{c
     var publishJob = workflow.Job("publish")
         .Name("Publish to nuget.org")
         .RunsOn(GitHubHostedRunners.UbuntuLatest)
-        .Needs("tag")
-        .Environment("nuget.org", "");
+        .Needs("tag");
 
     publishJob.Step()
         .Uses("actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16") // 4.1.8
@@ -180,20 +178,55 @@ git tag -a {component.TagPrefix}-{contexts.Event.Input.Version} -m ""Release v{c
     WriteWorkflow(workflow, fileName);
 }
 
+void GenerateUploadTestResultsWorkflow()
+{
+    var workflow = new Workflow("generate-test-reports");
+    workflow.On
+        .WorkflowRun()
+        .Workflows(components.Select(x => x.CiWorkflowName).ToArray())
+        .Types("completed");
+
+    var job = workflow
+        .Job("report")
+        .Name("report")
+        .RunsOn(GitHubHostedRunners.UbuntuLatest);
+        
+    job.Permissions(
+        actions: Permission.Read,
+        contents: Permission.Read,
+        checks: Permission.Write,
+        packages: Permission.Write);
+
+    foreach (var component in components)
+    {
+        foreach (var testProject in component.Tests)
+        {
+            job.StepGenerateReportFromTestArtifact(component, testProject);
+        }
+    }
+
+    var fileName = $"generate-test-reports";
+    WriteWorkflow(workflow, fileName);
+}
+
 void WriteWorkflow(Workflow workflow, string fileName)
 {
     var filePath = $"../workflows/{fileName}.yml";
     workflow.WriteYaml(filePath);
     Console.WriteLine($"Wrote workflow to {filePath}");
 }
 
-record Component(string Name, string[] Projects, string[] Tests, string TagPrefix);
+record Component(string Name, string[] Projects, string[] Tests, string TagPrefix)
+{
+    public string CiWorkflowName => $"{Name}/ci";
+    public string ReleaseWorkflowName => $"{Name}/release";
+}
 
 public static class StepExtensions
 {
     public static void EnvDefaults(this Workflow workflow)
         => workflow.Env(
-            ("DOTNETT_NOLOGO", "true"),
+            ("DOTNET_NOLOGO", "true"),
             ("DOTNET_CLI_TELEMETRY_OPTOUT", "true"));
 
     public static void StepSetupDotNet(this Job job)
@@ -204,41 +237,48 @@ public static void StepSetupDotNet(this Job job)
     public static Step IfRefMain(this Step step) 
         => step.If("github.ref == 'refs/heads/main'");
 
-    public static void StepTestAndReport(this Job job, string componentName, string testProject)
+    public static void StepTest(this Job job, string componentName, string testProject)
     {
         var path        = $"test/{testProject}";
-        var logFileName = "Tests.trx";
+        var logFileName = $"{testProject}.trx";
         var flags = $"--logger \"console;verbosity=normal\" "      +
                     $"--logger \"trx;LogFileName={logFileName}\" " +
                     $"--collect:\"XPlat Code Coverage\"";
         job.Step()
             .Name($"Test - {testProject}")
             .Run($"dotnet test -c Release {path} {flags}");
 
+    }
+
+    internal static void StepUploadTestResultsAsArtifact(this Job job, Component component)
+    {
         job.Step()
-            .Name($"Test report - {testProject}")
-            .Uses("dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5") // v1.9.1
+            .Name($"Test report")
             .If("success() || failure()")
+            .Uses("actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882") // 4.4.3
+            .With(
+                ("name", "test-results"),
+                ("path", string.Join(Environment.NewLine, component.Tests
+                    .Select(testProject => $"{component.Name}/test/{testProject}/TestResults/{testProject}.trx"))),
+                ("retention-days", "5"));
+    }
+
+    internal static void StepGenerateReportFromTestArtifact(this Job job, Component component, string testProject)
+    {
+        var path = $"test/{testProject}";
+        job.Step()
+            .Name($"Test report - {component.Name} - {testProject}")
+            .Uses("dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5") // v1.9.1
+            .If($"github.event.workflow.name == '{component.CiWorkflowName}'")
             .With(
+                ("artifact", "test-results"),
                 ("name", $"Test Report - {testProject}"),
-                ("path", $"{componentName}/{path}/TestResults/{logFileName}"),
+                ("path", $"{testProject}.trx"),
                 ("reporter", "dotnet-trx"),
                 ("fail-on-error", "true"),
                 ("fail-on-empty", "true"));
     }
 
-    // These intermediate certificates are required for signing and are not installed on the GitHub runners by default.
-    public static void StepInstallCACerts(this Job job)
-        => job.Step()
-            .Name("Install Sectigo CodeSiging CA certificates") 
-            .WorkingDirectory(".github/workflows")
-            .Run("""
-                 sudo apt-get update
-                 sudo apt-get install -y ca-certificates
-                 sudo cp SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
-                 sudo update-ca-certificates
-                 """);
-
     public static void StepToolRestore(this Job job)
         => job.Step()
             .Name("Tool restore")
@@ -252,23 +292,33 @@ public static void StepPack(this Job job, string project)
             .Run($"dotnet pack -c Release {path} -o artifacts");
     }
 
-    public static void StepSign(this Job job)
+    public static void StepSign(this Job job, bool always = false)
     {
-        var flags = "--file-digest sha256 "                                             +
-                    "--timestamp-rfc3161 http://timestamp.digicert.com "                +
-                    "--azure-key-vault-url https://duendecodesigning.vault.azure.net/ " +
-                    "--azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 " +
-                    "--azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 " +
-                    "--azure-key-vault-client-secret ${{ secrets.SignClientSecret }} "  +
-                    "--azure-key-vault-certificate CodeSigning";
-        job.Step()
-            .Name("Sign packages")
-            .Run($"""
-                 for file in artifacts/*.nupkg; do
-                    dotnet NuGetKeyVaultSignTool sign "$file" {flags}
-                 done
-                 """);
+        var flags = "--file-digest sha256 "                                                +
+                    "--timestamp-rfc3161 http://timestamp.digicert.com "                   +
+                    "--azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ " +
+                    "--azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 "    +
+                    "--azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 "    +
+                    "--azure-key-vault-client-secret ${{ secrets.SignClientSecret }} "     +
+                    "--azure-key-vault-certificate NuGetPackageSigning";
+        var step = job.Step()
+            .Name("Sign packages");
+        if (!always)
+        {
+            step = step.IfGithubEventIsPush();
+        }
+        step.Run($"""
+              for file in artifacts/*.nupkg; do
+                 dotnet NuGetKeyVaultSignTool sign "$file" {flags}
+              done
+              """);
     }
+    /// <summary>
+    /// Only run this if the build is triggered on a branch IN the same repo
+    /// this means it's from a trusted contributor.
+    /// </summary>
+    public static Step IfGithubEventIsPush(this Step step)
+        => step.If("github.event_name == 'push'");
 
     public static Step StepPush(this Job job, string destination, string sourceUrl, string secretName)
     {
@@ -284,7 +334,7 @@ public static void StepUploadArtifacts(this Job job, string componentName)
         var path = $"{componentName}/artifacts/*.nupkg";
         job.Step()
             .Name("Upload Artifacts")
-            .IfRefMain()
+            .IfGithubEventIsPush()
             .Uses("actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882") // 4.4.3
             .With(
                 ("name", "artifacts"),
@@ -326,4 +376,4 @@ public class EventsInputContext() : Context("github.event.inputs")
     {
         public string Version => Expression($"{Name}.version");
     }
-}
+}

.github/workflows/access-token-management-ci.yml

@@ -8,13 +8,13 @@ on:
     - .github/workflows/access-token-management-**
     - access-token-management/**
     - Directory.Packages.props
-  pull_request_target:
+  pull_request:
     paths:
     - .github/workflows/access-token-management-**
     - access-token-management/**
     - Directory.Packages.props
 env:
-  DOTNETT_NOLOGO: true
+  DOTNET_NOLOGO: true
   DOTNET_CLI_TELEMETRY_OPTOUT: true
 jobs:
   build:
@@ -43,45 +43,34 @@ jobs:
           8.0.x
           9.0.x
     - name: Test - AccessTokenManagement.Tests
-      run: dotnet test -c Release test/AccessTokenManagement.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=Tests.trx" --collect:"XPlat Code Coverage"
-    - name: Test report - AccessTokenManagement.Tests
+      run: dotnet test -c Release test/AccessTokenManagement.Tests --logger "console;verbosity=normal" --logger "trx;LogFileName=AccessTokenManagement.Tests.trx" --collect:"XPlat Code Coverage"
+    - name: Test report
       if: success() || failure()
-      uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
       with:
-        name: Test Report - AccessTokenManagement.Tests
-        path: access-token-management/test/AccessTokenManagement.Tests/TestResults/Tests.trx
-        reporter: dotnet-trx
-        fail-on-error: true
-        fail-on-empty: true
-    - name: Install Sectigo CodeSiging CA certificates
-      run: |-
-        sudo apt-get update
-        sudo apt-get install -y ca-certificates
-        sudo cp SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
-        sudo update-ca-certificates
-      working-directory: .github/workflows
+        name: test-results
+        path: access-token-management/test/AccessTokenManagement.Tests/TestResults/AccessTokenManagement.Tests.trx
+        retention-days: 5
     - name: Tool restore
       run: dotnet tool restore
     - name: Pack AccessTokenManagement
       run: dotnet pack -c Release src/AccessTokenManagement -o artifacts
     - name: Pack AccessTokenManagement.OpenIdConnect
       run: dotnet pack -c Release src/AccessTokenManagement.OpenIdConnect -o artifacts
     - name: Sign packages
+      if: github.event_name == 'push'
       run: |-
         for file in artifacts/*.nupkg; do
-           dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigning.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate CodeSigning
+           dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
         done
-    - name: Push packages to MyGet
-      if: github.ref == 'refs/heads/main'
-      run: dotnet nuget push artifacts/*.nupkg --source https://www.myget.org/F/duende_identityserver/api/v2/package --api-key ${{ secrets.MYGET }} --skip-duplicate
     - name: Push packages to GitHub
       if: github.ref == 'refs/heads/main'
       run: dotnet nuget push artifacts/*.nupkg --source https://nuget.pkg.github.com/DuendeSoftware/index.json --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload Artifacts
-      if: github.ref == 'refs/heads/main'
+      if: github.event_name == 'push'
       uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
       with:
         name: artifacts

.github/workflows/access-token-management-release.yml

@@ -15,7 +15,7 @@ on:
         required: false
         default: 'main'
 env:
-  DOTNETT_NOLOGO: true
+  DOTNET_NOLOGO: true
   DOTNET_CLI_TELEMETRY_OPTOUT: true
 jobs:
   tag:
@@ -49,13 +49,6 @@ jobs:
         git config --global user.name "Duende Software GitHub Bot"
         git tag -a atm-${{ github.event.inputs.version }} -m "Release v${{ github.event.inputs.version }}"
         git push origin atm-${{ github.event.inputs.version }}
-    - name: Install Sectigo CodeSiging CA certificates
-      run: |-
-        sudo apt-get update
-        sudo apt-get install -y ca-certificates
-        sudo cp SectigoPublicCodeSigningRootCrossAAA.crt /usr/local/share/ca-certificates/
-        sudo update-ca-certificates
-      working-directory: .github/workflows
     - name: Pack AccessTokenManagement
       run: dotnet pack -c Release src/AccessTokenManagement -o artifacts
     - name: Pack AccessTokenManagement.OpenIdConnect
@@ -65,7 +58,7 @@ jobs:
     - name: Sign packages
       run: |-
         for file in artifacts/*.nupkg; do
-           dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigning.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate CodeSigning
+           dotnet NuGetKeyVaultSignTool sign "$file" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-url https://duendecodesigninghsm.vault.azure.net/ --azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 --azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 --azure-key-vault-client-secret ${{ secrets.SignClientSecret }} --azure-key-vault-certificate NuGetPackageSigning
         done
     - name: Push packages to MyGet
       if: github.ref == 'refs/heads/main'
@@ -77,7 +70,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload Artifacts
-      if: github.ref == 'refs/heads/main'
+      if: github.event_name == 'push'
       uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
       with:
         name: artifacts
@@ -89,8 +82,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with: