Skip to content

ci: apply zizmor recommendations (#293) #1431

ci: apply zizmor recommendations (#293)

ci: apply zizmor recommendations (#293) #1431

Workflow file for this run

name: ci
on:
push:
branches: [master]
release:
types: [created]
pull_request:
branches: [master]
permissions:
contents: read
jobs:
build:
uses: chgl/.github/.github/workflows/standard-build.yaml@a38e8e9126feb23f142243b3ffa761d88e4ce23a # v1.10.0
permissions:
contents: write
id-token: write
packages: write
pull-requests: write
actions: read
security-events: write
with:
enable-build-test-layer: true
enable-upload-test-image: false
platforms: |
linux/amd64
linux/arm64
secrets:
github-token: ${{ secrets.GITHUB_TOKEN }}
lint:
uses: chgl/.github/.github/workflows/standard-lint.yaml@a38e8e9126feb23f142243b3ffa761d88e4ce23a # v1.10.0
permissions:
contents: read
pull-requests: write
issues: write
security-events: write
actions: read
with:
codeql-languages: '["csharp"]'
enable-codeql: true
enable-verify-base-image-signature: false
enable-validate-gradle-wrapper: false
dotnet-version: 9.0.x
secrets:
github-token: ${{ secrets.GITHUB_TOKEN }}
test:
name: test
needs:
- build
runs-on: ubuntu-24.04
permissions:
contents: read
steps:
# <https://docs.docker.com/storage/containerd/>
# via <https://github.com/docker/setup-buildx-action/issues/257>
- name: Set up containerd image store
shell: bash
run: |
[ -f /etc/docker/daemon.json ] || echo "{}" | sudo tee /etc/docker/daemon.json
jq '. | .+{"features": {"containerd-snapshotter": true}}' /etc/docker/daemon.json > /tmp/docker-daemon-with-containerd.json
sudo mv /tmp/docker-daemon-with-containerd.json /etc/docker/daemon.json
cat /etc/docker/daemon.json
sudo systemctl restart docker
docker info -f '{{ .DriverStatus }}'
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Download image
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
if: ${{ github.event_name == 'pull_request' }}
with:
name: ${{ needs.build.outputs.image-slug }}
path: /tmp
- name: load image
if: ${{ github.event_name == 'pull_request' }}
run: |
docker load --input /tmp/image.tar
- name: Install .NET
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: "9.x"
- name: Run E2E tests with newly built container image
env:
FHIR_SERVER_EXPORTER_E2E_TEST_IMAGE: ${{ fromJson(needs.build.outputs.image-meta-json).tags[0] }}
run: |
dotnet restore --locked-mode src/FhirServerExporter.Tests.E2E/
dotnet test src/FhirServerExporter.Tests.E2E/
release:
uses: chgl/.github/.github/workflows/standard-release.yaml@a38e8e9126feb23f142243b3ffa761d88e4ce23a # v1.10.0
needs:
- build
- test
permissions:
contents: write
pull-requests: write
issues: write
secrets:
semantic-release-token: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
copy-image-to-dockerhub:
name: copy ghcr.io image to DockerHub
if: ${{ github.event_name != 'pull_request' }}
runs-on: ubuntu-24.04
needs:
- build
steps:
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- name: Login to DockerHub
env:
DOCKERHUB_TOKEN: "${{ secrets.DOCKERHUB_TOKEN }}"
run: |
echo "${DOCKERHUB_TOKEN}" | crane auth login docker.io --username chgl --password-stdin
- name: Copy all tags
env:
TAGS: ${{ needs.build.outputs.image-tags }}
run: |
echo "${TAGS}" | while read -r tag; do crane copy "$tag" "${tag/ghcr.io/docker.io}"; done