chore: address System.Text.Json vulnerabilities #11
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This GitHub Workflow is designed to run automatically after the Release PR, which was created by the `Create Release PR` workflow, is closed. | |
# This workflow has 2 jobs. One will run if the `Release PR` is successfully merged, indicating that a release should go out. | |
# The other will run if the `Release PR` was closed and a release is not intended to go out. | |
name: Sync 'dev' and 'main' | |
# The workflow will automatically be triggered when any PR is closed. | |
on: | |
pull_request: | |
types: [closed] | |
permissions: | |
contents: write | |
id-token: write | |
jobs: | |
# This job will check if the PR was successfully merged, it's source branch is `releases/next-release` and target branch is `dev`. | |
# This indicates that the merged PR was the `Release PR`. | |
# This job will synchronize `dev` and `main`, create a GitHub Release and delete the `releases/next-release` branch. | |
sync-dev-and-main: | |
name: Sync dev and main | |
if: | | |
github.event.pull_request.merged == true && | |
github.event.pull_request.head.ref == 'releases/next-release' && | |
github.event.pull_request.base.ref == 'dev' | |
runs-on: ubuntu-latest | |
steps: | |
# Assume an AWS Role that provides access to the Access Token | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4 | |
with: | |
role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} | |
aws-region: us-west-2 | |
# Retrieve the Access Token from Secrets Manager | |
- name: Retrieve secret from AWS Secrets Manager | |
uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
with: | |
secret-ids: | | |
AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} | |
parse-json-secrets: true | |
# Checkout a full clone of the repo | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
ref: dev | |
fetch-depth: 0 | |
token: ${{ env.AWS_SECRET_TOKEN }} | |
# Install .NET8 which is needed for AutoVer | |
- name: Setup .NET 8.0 | |
uses: actions/setup-dotnet@v4 | |
with: | |
dotnet-version: 8.0.x | |
# Install AutoVer which is needed to retrieve information about the current release. | |
- name: Install AutoVer | |
run: dotnet tool install --global AutoVer --version 0.0.22 | |
# Set up a git user to be able to run git commands later on | |
- name: Setup Git User | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "aws-sdk-dotnet-automation" | |
# Retrieve the release name which is needed for the GitHub Release | |
- name: Read Release Name | |
id: read-release-name | |
run: | | |
version=$(autover changelog --release-name) | |
echo "VERSION=$version" >> $GITHUB_OUTPUT | |
# Retrieve the tag name which is needed for the GitHub Release | |
- name: Read Tag Name | |
id: read-tag-name | |
run: | | |
tag=$(autover changelog --tag-name) | |
echo "TAG=$tag" >> $GITHUB_OUTPUT | |
# Retrieve the changelog which is needed for the GitHub Release | |
- name: Read Changelog | |
id: read-changelog | |
run: | | |
changelog=$(autover changelog --output-to-console) | |
echo "CHANGELOG<<EOF"$'\n'"$changelog"$'\n'EOF >> "$GITHUB_OUTPUT" | |
# Merge dev into main in order to synchronize the 2 branches | |
- name: Merge dev to main | |
run: | | |
git fetch origin | |
git checkout main | |
git merge dev | |
git push origin main | |
# Create the GitHub Release | |
- name: Create GitHub Release | |
env: | |
GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }} | |
run: | | |
gh release create "${{ steps.read-tag-name.outputs.TAG }}" --title "${{ steps.read-release-name.outputs.VERSION }}" --notes "${{ steps.read-changelog.outputs.CHANGELOG }}" | |
# Delete the `releases/next-release` branch | |
- name: Clean up | |
run: | | |
git fetch origin | |
git push origin --delete releases/next-release | |
# This job will check if the PR was closed, it's source branch is `releases/next-release` and target branch is `dev`. | |
# This indicates that the closed PR was the `Release PR`. | |
# This job will delete the tag created by AutoVer and the release branch. | |
clean-up-closed-release: | |
name: Clean up closed release | |
if: | | |
github.event.pull_request.merged == false && | |
github.event.pull_request.head.ref == 'releases/next-release' && | |
github.event.pull_request.base.ref == 'dev' | |
runs-on: ubuntu-latest | |
steps: | |
# Checkout a full clone of the repo | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
ref: releases/next-release | |
fetch-depth: 0 | |
# Install .NET8 which is needed for AutoVer | |
- name: Setup .NET 8.0 | |
uses: actions/setup-dotnet@v4 | |
with: | |
dotnet-version: 8.0.x | |
# Install AutoVer which is needed to retrieve information about the current release. | |
- name: Install AutoVer | |
run: dotnet tool install --global AutoVer --version 0.0.22 | |
# Set up a git user to be able to run git commands later on | |
- name: Setup Git User | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "aws-sdk-dotnet-automation" | |
# Retrieve the tag name to be deleted | |
- name: Read Tag Name | |
id: read-tag-name | |
run: | | |
tag=$(autover changelog --tag-name) | |
echo "TAG=$tag" >> $GITHUB_OUTPUT | |
# Delete the tag created by AutoVer and the release branch | |
- name: Clean up | |
run: | | |
git fetch origin | |
git push --delete origin ${{ steps.read-tag-name.outputs.TAG }} | |
git push origin --delete releases/next-release |