Bump Microsoft.Build.Utilities.Core from 17.14.8 to 17.14.28 #150
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow builds, scans, and publishes .NET NuGet packages | |
| # using secure best practices: pinned actions, minimal permissions, | |
| # SBOM + hash-based supply chain attestations. | |
| name: Continuous | |
| on: | |
| push: | |
| branches: | |
| - main # Only run on pushes to main | |
| pull_request: | |
| branches: | |
| - main # Only run on PRs targeting main | |
| release: | |
| types: [created] # Run when a release is created | |
| # Least privilege permissions for the workflow by default | |
| permissions: | |
| contents: read | |
| packages: none | |
| id-token: none | |
| attestations: none | |
| jobs: | |
| build: | |
| name: Build & Push | |
| runs-on: ubuntu-24.04 # Use a modern, stable Ubuntu runner | |
| # This job needs to publish, attest, and sign—so grant only here | |
| permissions: | |
| contents: read # Allow only reading repo content | |
| packages: write # Allow publishing to GitHub Packages | |
| id-token: write # For OIDC-based signing/provenance | |
| attestations: write # For attest-sbom (SBOM attestation) | |
| steps: | |
| # Pin every action by SHA for supply chain security! | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| fetch-depth: 0 # Fetch full history, so GitVersion and clean git state work | |
| # Cache Nuke temp + NuGet global packages for faster builds and repeatable environments | |
| - name: 'Cache: .nuke/temp, ~/.nuget/packages' | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 | |
| with: | |
| path: | | |
| .nuke/temp | |
| ~/.nuget/packages | |
| key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }} | |
| # Cache the Trivy vulnerability DB for much faster scanning | |
| - name: Cache Trivy DB | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 | |
| with: | |
| path: .trivy-cache | |
| key: ${{ runner.os }}-trivy-cache | |
| # Run your hardened Nuke pipeline, which does: build, test, SBOM, hash, scan, etc. | |
| - name: 'Run: Push' | |
| run: ./build.cmd Push | |
| env: | |
| FeedGitHubToken: ${{ secrets.GITHUB_TOKEN }} | |
| NuGetApiKey: ${{ secrets.NUGET_API_KEY }} | |
| # Report test coverage to Coveralls | |
| - name: Report Coveralls | |
| uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b | |
| # Upload all build artifacts (NuGet packages, hash files, etc.) for inspection or later release | |
| - name: 'Publish: Artifacts' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: Artifacts | |
| path: Artifacts | |
| # Upload the Software Bill of Materials (SBOM) for this build, to enable downstream trust/analysis | |
| - name: Upload SBOM | |
| if: > | |
| (github.event_name == 'release') || | |
| (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-shared-lib') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: SBOM | |
| path: Sbom/_manifest/spdx_2.2/manifest.spdx.json | |
| # Use GitHub's attest-sbom action to cryptographically tie the SBOM to the artifacts + their checksums | |
| # (SLSA provenance proof, can be verified by downstream consumers) | |
| - name: Attest SBOM | |
| if: > | |
| (github.event_name == 'release') || | |
| (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-shared-lib') | |
| uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b | |
| with: | |
| sbom-path: Sbom/_manifest/spdx_2.2/manifest.spdx.json | |
| subject-checksums: Artifacts/SHA256SUMS |