.github/workflows/build.yml

name: build

on:
  push:
    branches: [ main, release/* ]
    tags: [ '*' ]
  pull_request:
    branches: [ main, release/* ]
  workflow_dispatch:

env:
  DOTNET_CLI_TELEMETRY_OPTOUT: true
  DOTNET_GENERATE_ASPNET_CERTIFICATE: false
  DOTNET_NOLOGO: true
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
  DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: 1
  NUGET_XMLDOC_MODE: skip
  TERM: xterm

permissions:
  contents: read

jobs:
  build:
    name: ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    timeout-minutes: 60

    env:
      # HACK Running on Windows instead of Linux due to https://github.com/stryker-mutator/stryker-net/issues/2741
      RUN_MUTATION_TESTS: ${{ matrix.os_name == 'windows' && !startsWith(github.ref, 'refs/tags/') && 'true' || 'false' }}

    outputs:
      dotnet-sdk-version: ${{ steps.setup-dotnet.outputs.dotnet-version }}
      dotnet-sign-version: ${{ steps.get-dotnet-tools-versions.outputs.dotnet-sign-version }}
      dotnet-validate-version: ${{ steps.get-dotnet-tools-versions.outputs.dotnet-validate-version }}
      package-names: ${{ steps.build.outputs.package-names }}
      package-version: ${{ steps.build.outputs.package-version }}

    strategy:
      fail-fast: false
      matrix:
        os: [ windows-latest ]
        include:
          - os: macos-latest
            os_name: macos
          - os: ubuntu-latest
            os_name: linux
          - os: windows-latest
            os_name: windows

    steps:

    - name: Checkout code
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        fetch-depth: 0

    - name: Setup .NET SDKs
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      with:
        dotnet-version: |
          6.0.x

    - name: Setup .NET SDK
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      id: setup-dotnet

    - name: Setup NuGet cache
      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
      with:
        path: ~/.nuget/packages
        key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }}
        restore-keys: ${{ runner.os }}-nuget-

    - name: Build, Test and Package
      id: build
      shell: pwsh
      run: ./build.ps1

    - name: Upload Coverage Reports
      if: always()
      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: coverage-${{ matrix.os_name }}
        path: ./artifacts/coverage-reports
        if-no-files-found: ignore

    - name: Upload coverage to Codecov
      if: always() && github.event.repository.fork == false
      uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
      with:
        files: ./artifacts/coverage-reports/Polly.Core.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Specs/Cobertura.xml,./artifacts/coverage-reports/Polly.RateLimiting.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Extensions.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Testing.Tests/Cobertura.xml,
        flags: ${{ matrix.os_name }}
        token: ${{ secrets.CODECOV_TOKEN }}

    - name: Upload Mutation Report
      if: always() && env.RUN_MUTATION_TESTS == 'true'
      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: mutation-report
        path: ./artifacts/mutation-report

    - name: Publish NuGet packages
      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: packages-${{ matrix.os_name }}
        path: ./artifacts/package/release
        if-no-files-found: error

    - name: Upload signing file list
      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      if: matrix.os_name == 'windows'
      with:
        name: signing-config
        path: eng/signing
        if-no-files-found: error

    - name: Get .NET tools versions
      id: get-dotnet-tools-versions
      shell: pwsh
      run: |
        $manifest = (Get-Content "./.config/dotnet-tools.json" | Out-String | ConvertFrom-Json)
        $dotnetSignVersion = $manifest.tools.sign.version
        $dotnetValidateVersion = $manifest.tools.'dotnet-validate'.version
        "dotnet-sign-version=${dotnetSignVersion}" >> $env:GITHUB_OUTPUT
        "dotnet-validate-version=${dotnetValidateVersion}" >> $env:GITHUB_OUTPUT

  validate-packages:
    needs: build
    runs-on: ubuntu-latest
    steps:

    - name: Download packages
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: packages-windows

    - name: Setup .NET SDK
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      with:
        dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}

    - name: Validate NuGet packages
      shell: pwsh
      env:
        DOTNET_VALIDATE_VERSION: ${{ needs.build.outputs.dotnet-validate-version }}
      run: |
        dotnet tool install --global dotnet-validate --version ${env:DOTNET_VALIDATE_VERSION}
        $packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }
        $invalidPackages = 0
        foreach ($package in $packages) {
          dotnet validate package local $package
          if ($LASTEXITCODE -ne 0) {
            $invalidPackages++
          }
        }
        if ($invalidPackages -gt 0) {
          Write-Output "::error::$invalidPackages NuGet package(s) failed validation."
          exit 1
        }

  sign:
    needs: [ build, validate-packages ]
    runs-on: windows-latest
    if: |
      github.event.repository.fork == false &&
      startsWith(github.ref, 'refs/tags/')

    steps:

    - name: Download unsigned packages
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: packages-windows
        path: packages

    - name: Download signing configuration
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: signing-config
        path: signing-config

    - name: Setup .NET SDK
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      with:
        dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}

    - name: Install Sign CLI tool
      env:
        DOTNET_SIGN_VERSION: ${{ needs.build.outputs.dotnet-sign-version }}
      run: dotnet tool install --tool-path . sign --version ${env:DOTNET_SIGN_VERSION}

    - name: Sign artifacts
      shell: pwsh
      run: >
        ./sign code azure-key-vault
        **/*.nupkg
        --base-directory "${{ github.workspace }}/packages"
        --file-list "${{ github.workspace }}/signing-config/filelist.txt"
        --application-name "Polly"
        --publisher-name "App vNext"
        --description "Polly"
        --description-url "https://github.com/${{ github.repository }}"
        --azure-key-vault-certificate "${{ secrets.SIGN_CLI_CERT_NAME }}"
        --azure-key-vault-client-id "${{ secrets.SIGN_CLI_APPLICATION_ID }}"
        --azure-key-vault-client-secret "${{ secrets.SIGN_CLI_SECRET }}"
        --azure-key-vault-tenant-id "${{ secrets.SIGN_CLI_TENANT_ID }}"
        --azure-key-vault-url "${{ secrets.SIGN_CLI_VAULT_URI }}"
        --verbosity "${{ runner.debug == '1' && 'Debug' || 'Warning' }}"

    - name: Upload signed packages
      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: signed-packages
        path: packages
        if-no-files-found: error

  validate-signed-packages:
    needs: [ build, sign ]
    runs-on: windows-latest
    steps:

    - name: Download packages
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: signed-packages

    - name: Setup .NET SDK
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      with:
        dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}

    - name: Validate NuGet packages
      shell: pwsh
      env:
        DOTNET_VALIDATE_VERSION: ${{ needs.build.outputs.dotnet-validate-version }}
      run: |
        dotnet tool install --global dotnet-validate --version ${env:DOTNET_VALIDATE_VERSION}
        $packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }
        $invalidPackages = 0
        foreach ($package in $packages) {
          dotnet validate package local $package
          if ($LASTEXITCODE -ne 0) {
            $invalidPackages++
          }
        }
        if ($invalidPackages -gt 0) {
          Write-Output "::error::$invalidPackages NuGet package(s) failed validation."
          exit 1
        }

    - name: Checkout vcsjones/AuthenticodeLint
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        path: AuthenticodeLint
        ref: ae44826fdcebaa671b06591ea0b3b47fc946b79c
        repository: martincostello/AuthenticodeLint
        submodules: recursive

    - name: Setup .NET SDK
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      with:
        global-json-file: AuthenticodeLint/global.json

    - name: Validate signatures
      shell: pwsh
      run: |
        $authlintSource = Join-Path "." "AuthenticodeLint"
        $authLintProject = Join-Path $authlintSource "AuthenticodeLint" "AuthenticodeLint.csproj"
        $artifacts = Join-Path $authlintSource "artifacts"
        $authlint = Join-Path $artifacts "authlint.exe"

        dotnet publish $authLintProject `
          --configuration Release `
          --output $artifacts `
          --runtime win-x64 `
          --self-contained false `
          /p:NoWarn=NU1902

        if ($LASTEXITCODE -ne 0) {
          throw "Failed to publish AuthenticodeLint."
        }

        $packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }

        if ($packages.Length -eq 0) {
          throw "Failed to publish AuthenticodeLint."
        }

        $invalidPackages = 0
        foreach ($package in $packages) {
          $packageName = Split-Path $package -Leaf
          $extractedNupkg = Join-Path "." "extracted" $packageName
          Expand-Archive -Path $package -DestinationPath $extractedNupkg -Force

          $dlls = Get-ChildItem -Path $extractedNupkg -Filter "*.dll" -Recurse | ForEach-Object { $_.FullName }

          $invalidDlls = 0
          foreach ($dll in $dlls) {
            $authlintProcess = Start-Process -FilePath $authlint -ArgumentList @("-in", $dll, "-verbose") -PassThru
            $authlintProcess.WaitForExit()

            if ($authlintProcess.ExitCode -ne 0) {
              Write-Output "::warning::$dll in NuGet package $package failed signature validation."
              $invalidDlls++
            } else {
              Write-Output "$dll in NuGet package $package has a valid signature."
            }
          }

          if ($invalidDlls -gt 0) {
            $invalidPackages++
          } else {
            Write-Output "All $($dlls.Length) DLLs in NuGet package $package have valid signatures."
          }

          dotnet nuget verify $package

          if ($LASTEXITCODE -ne 0) {
            Write-Output "::warning::$package failed signature validation."
            $invalidPackages++
          } else {
            Write-Output "$package has a valid signature."
          }
        }
        if ($invalidPackages -gt 0) {
          Write-Output "::error::$invalidPackages NuGet package(s) failed signature validation."
          throw "One or more NuGet packages failed signature validation."
        } else {
          Write-Output "All $($packages.Length) NuGet packages have valid signatures."
        }

  publish-nuget:
    needs: [ build, validate-signed-packages ]
    runs-on: ubuntu-latest
    steps:

    - name: Download signed packages
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: signed-packages

    - name: Setup .NET SDK
      uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
      with:
        dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}

    - name: Push signed NuGet packages to NuGet.org
      run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json

    - name: Generate GitHub application token
      id: generate-application-token
      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 # v3.0.0
      with:
        application_id: ${{ secrets.POLLY_UPDATER_BOT_APP_ID }}
        application_private_key: ${{ secrets.POLLY_UPDATER_BOT_KEY }}
        permissions: 'contents:write'

    - name: Publish nuget_packages_published
      uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
      with:
        event-type: nuget_packages_published
        token: ${{ steps.generate-application-token.outputs.token }}
        client-payload: |-
          {
            "packages": "${{ needs.build.outputs.package-names }}",
            "version": "${{ needs.build.outputs.package-version }}"
          }