Skip to content

Bump github/codeql-action from 3.28.0 to 3.28.1 (#1544) #3222

Bump github/codeql-action from 3.28.0 to 3.28.1 (#1544)

Bump github/codeql-action from 3.28.0 to 3.28.1 (#1544) #3222

Workflow file for this run

name: build
on:
push:
branches: [ main ]
paths-ignore:
- '**/*.md'
- '**/*.gitignore'
- '**/*.gitattributes'
pull_request:
branches:
- main
- dotnet-vnext
- dotnet-nightly
workflow_dispatch:
env:
ARTIFACT_NAME: 'lambda'
AWS_ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }}
AWS_REGION: ${{ vars.AWS_REGION }}
DOTNET_CLI_TELEMETRY_OPTOUT: true
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: 1
LAMBDA_DESCRIPTION: 'Deploy build ${{ github.run_number }} to AWS Lambda via GitHub Actions'
LAMBDA_FUNCTION: 'alexa-london-travel'
LAMBDA_ROLE: ${{ vars.AWS_LAMBDA_ROLE }}
NUGET_XMLDOC_MODE: skip
TERM: xterm
permissions:
contents: read
jobs:
build:
name: ${{ matrix.os }}
runs-on: ${{ matrix.os }}
timeout-minutes: 20
permissions:
attestations: write
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
os: [ macos-latest, ubuntu-latest, windows-latest ]
include:
- os: macos-latest
os_name: macos
- os: ubuntu-latest
os_name: linux
- os: windows-latest
os_name: windows
steps:
- name: Setup arm64 support for native AoT
if: runner.os == 'Linux'
shell: bash
run: |
apt_sources=/etc/apt/sources.list.d/ubuntu.sources
codename=$(lsb_release -c | awk '{print $2}')
sudo dpkg --add-architecture arm64
sudo bash -c "cat > ${apt_sources} <<EOF
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: ${codename}
Components: main restricted universe
Architectures: amd64
Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: ${codename}-security
Components: main restricted universe
Architectures: amd64
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: ${codename}-updates
Components: main restricted universe
Architectures: amd64
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: ${codename}
Components: main restricted multiverse universe
Architectures: arm64
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: ${codename}-updates
Components: main restricted multiverse universe
Architectures: arm64
EOF"
sudo sed -i -e 's/deb http/deb [arch=amd64] http/g' "${apt_sources}"
sudo sed -i -e 's/deb mirror/deb [arch=amd64] mirror/g' "${apt_sources}"
sudo apt update
sudo apt install --yes clang llvm binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu linux-libc-dev:arm64 zlib1g-dev:arm64
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET SDK
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
- name: Build, Test and Package
id: build
shell: pwsh
run: ./build.ps1
- name: Upload coverage to Codecov
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
with:
flags: ${{ matrix.os_name }}
token: ${{ secrets.CODECOV_TOKEN }}
- name: Publish artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: artifacts-${{ matrix.os_name }}
path: ./artifacts
- name: Create Lambda ZIP file
if: runner.os == 'Linux'
shell: bash
run: |
cd "./artifacts/publish/LondonTravel.Skill/release_linux-arm64" || exit
if [ -f "./bootstrap" ]
then
chmod +x ./bootstrap
fi
zip -r "../../../${LAMBDA_FUNCTION}.zip" . || exit 1
- name: Attest artifacts
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
if: |
runner.os == 'Linux' &&
github.event.repository.fork == false &&
github.ref_name == github.event.repository.default_branch
with:
subject-path: ./artifacts/${{ env.LAMBDA_FUNCTION }}.zip
- name: Publish deployment package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: runner.os == 'Linux' && success()
with:
name: ${{ env.ARTIFACT_NAME }}
path: ./artifacts/${{ env.LAMBDA_FUNCTION }}.zip
if-no-files-found: error
- name: Upload any crash dumps
shell: pwsh
if: |
!cancelled() &&
steps.build.outcome == 'failure' &&
github.event.repository.fork == false &&
github.event.sender.login != 'dependabot[bot]'
env:
AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.CRASH_DUMPS_STORAGE_CONNECTION_STRING }}
PSCOMPRESSION_VERSION: '2.0.6'
run: |
$dumps = Get-ChildItem -Path ${env:GITHUB_WORKSPACE} -Filter "*.dmp" -Recurse
if ($null -ne $dumps) {
$container = ${env:GITHUB_REPOSITORY}.Replace("/", "-")
az storage container create --name $container --public-access off | Out-Null
Install-Module PSCompression -RequiredVersion ${env:PSCOMPRESSION_VERSION} -AcceptLicense -Force -Scope CurrentUser
$dumps | ForEach-Object {
$zipPath = $_.FullName + ".zip"
$zipName = $_.Name + ".zip"
Write-Output "Compressing crash dump $($_.Name)..."
Compress-ZipArchive -Path $_.FullName -Destination $zipPath
az storage blob upload `
--container-name $container `
--file $zipPath `
--name $zipName `
--metadata "GITHUB_RUN_ATTEMPT=${env:GITHUB_RUN_ATTEMPT}" "GITHUB_WORKFLOW=${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/actions/runs/${env:GITHUB_RUN_ID}" "RUNNER_OS=${env:RUNNER_OS}" `
--overwrite true
if ($LASTEXITCODE -eq 0) {
Write-Output "::notice::Uploaded crash dump $($_.Name) to Azure Storage."
}
}
}
deploy-dev:
if: |
github.event.repository.fork == false &&
github.ref_name == github.event.repository.default_branch
name: dev
needs: build
concurrency: dev_environment
runs-on: ubuntu-latest
environment:
name: dev
permissions:
id-token: write
steps:
- name: Set function name
shell: bash
run: |
echo "FUNCTION_NAME=${LAMBDA_FUNCTION}-dev" >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ env.ARTIFACT_NAME }}
- name: Get Lambda configuration
shell: bash
run: |
LAMBDA_CONFIG="$(unzip -p "${LAMBDA_FUNCTION}.zip" aws-lambda-tools-defaults.json)"
{
echo "LAMBDA_ARCHITECTURES=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-architecture"')"
echo "LAMBDA_HANDLER=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-handler"')"
echo "LAMBDA_MEMORY=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-memory-size"')"
echo "LAMBDA_RUNTIME=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-runtime"')"
echo "LAMBDA_TIMEOUT=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-timeout"')"
} >> "$GITHUB_ENV"
- name: Get Lambda environment variables
env:
SKILL_API_URL: ${{ vars.SKILL_API_URL }}
SKILL_ID: ${{ secrets.SKILL_ID }}
TFL_APPLICATION_ID: ${{ secrets.TFL_APPLICATION_ID }}
TFL_APPLICATION_KEY: ${{ secrets.TFL_APPLICATION_KEY }}
VERIFY_SKILL_ID: "true"
shell: bash
run: |
lambda_vars="{\
\"Variables\": {\
\"Skill__SkillApiUrl\": \"${SKILL_API_URL}\",\
\"Skill__SkillId\": \"${SKILL_ID}\",\
\"Skill__TflApplicationId\": \"${TFL_APPLICATION_ID}\",\
\"Skill__TflApplicationKey\": \"${TFL_APPLICATION_KEY}\",\
\"Skill__VerifySkillId\": \"${VERIFY_SKILL_ID}\"\
}\
}"
echo "LAMBDA_ENVIRONMENT_VARIABLES=${lambda_vars}" >> "$GITHUB_ENV"
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-deploy
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-deploy-dev
aws-region: ${{ env.AWS_REGION }}
- name: Update function code
shell: bash
run: |
aws lambda update-function-code \
--function-name "${FUNCTION_NAME}" \
--architectures "${LAMBDA_ARCHITECTURES}" \
--zip-file "fileb://./${LAMBDA_FUNCTION}.zip"
- name: Wait for function code update
shell: bash
run: |
aws lambda wait function-updated-v2 \
--function-name "${FUNCTION_NAME}"
- name: Update function configuration
shell: bash
env:
LAMBDA_LAYERS: ${{ vars.AWS_LAMBDA_LAYERS }}
LAMBDA_LOGGING_CONFIG: ${{ vars.AWS_LAMBDA_LOGGING_CONFIG }}
LAMBDA_TRACING_MODE: ${{ vars.AWS_TRACING_MODE }}
run: |
aws lambda update-function-configuration \
--function-name "${FUNCTION_NAME}" \
--description "${LAMBDA_DESCRIPTION}" \
--environment "${LAMBDA_ENVIRONMENT_VARIABLES}" \
--handler "${LAMBDA_HANDLER}" \
--layers "${LAMBDA_LAYERS}" \
--logging-config "${LAMBDA_LOGGING_CONFIG}" \
--memory-size "${LAMBDA_MEMORY}" \
--role "${LAMBDA_ROLE}" \
--runtime "${LAMBDA_RUNTIME}" \
--timeout "${LAMBDA_TIMEOUT}" \
--tracing-config "Mode=${LAMBDA_TRACING_MODE}"
- name: Wait for function configuration update
shell: bash
run: |
aws lambda wait function-updated-v2 \
--function-name "${FUNCTION_NAME}"
tests-dev:
name: tests-dev
needs: deploy-dev
runs-on: ubuntu-latest
concurrency: dev_environment
permissions:
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET SDK
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-test
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-tests-dev
aws-region: ${{ env.AWS_REGION }}
- name: Run end-to-end tests
shell: pwsh
run: dotnet test ./test/LondonTravel.Skill.EndToEndTests --configuration Release --logger "GitHubActions;report-warnings=false"
env:
LAMBDA_FUNCTION_NAME: ${{ env.LAMBDA_FUNCTION }}-dev
LWA_CLIENT_ID: ${{ secrets.LWA_CLIENT_ID }}
LWA_CLIENT_SECRET: ${{ secrets.LWA_CLIENT_SECRET }}
LWA_REFRESH_TOKEN: ${{ secrets.LWA_REFRESH_TOKEN }}
SKILL_ID: ${{ secrets.SKILL_ID }}
SKILL_STAGE: development
deploy-prod:
name: production
needs: tests-dev
runs-on: ubuntu-latest
concurrency: production_environment
environment:
name: production
permissions:
id-token: write
steps:
- name: Set function name
shell: bash
run: |
echo "FUNCTION_NAME=${LAMBDA_FUNCTION}" >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ env.ARTIFACT_NAME }}
- name: Get Lambda configuration
shell: bash
run: |
LAMBDA_CONFIG="$(unzip -p "${LAMBDA_FUNCTION}.zip" aws-lambda-tools-defaults.json)"
{
echo "LAMBDA_ARCHITECTURES=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-architecture"')"
echo "LAMBDA_HANDLER=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-handler"')"
echo "LAMBDA_MEMORY=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-memory-size"')"
echo "LAMBDA_RUNTIME=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-runtime"')"
echo "LAMBDA_TIMEOUT=$(echo "${LAMBDA_CONFIG}" | jq -r '."function-timeout"')"
} >> "$GITHUB_ENV"
- name: Get Lambda environment variables
env:
SKILL_API_URL: ${{ vars.SKILL_API_URL }}
SKILL_ID: ${{ secrets.SKILL_ID }}
TFL_APPLICATION_ID: ${{ secrets.TFL_APPLICATION_ID }}
TFL_APPLICATION_KEY: ${{ secrets.TFL_APPLICATION_KEY }}
VERIFY_SKILL_ID: "true"
shell: bash
run: |
lambda_vars="{\
\"Variables\": {\
\"Skill__SkillApiUrl\": \"${SKILL_API_URL}\",\
\"Skill__SkillId\": \"${SKILL_ID}\",\
\"Skill__TflApplicationId\": \"${TFL_APPLICATION_ID}\",\
\"Skill__TflApplicationKey\": \"${TFL_APPLICATION_KEY}\",\
\"Skill__VerifySkillId\": \"${VERIFY_SKILL_ID}\"\
}\
}"
echo "LAMBDA_ENVIRONMENT_VARIABLES=${lambda_vars}" >> "$GITHUB_ENV"
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-deploy
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-deploy-production
aws-region: ${{ env.AWS_REGION }}
- name: Update function code
shell: bash
run: |
aws lambda update-function-code \
--function-name "${FUNCTION_NAME}" \
--architectures "${LAMBDA_ARCHITECTURES}" \
--zip-file "fileb://./${LAMBDA_FUNCTION}.zip"
- name: Wait for function code update
shell: bash
run: |
aws lambda wait function-updated-v2 \
--function-name "${FUNCTION_NAME}"
- name: Update function configuration
shell: bash
env:
LAMBDA_LAYERS: ${{ vars.AWS_LAMBDA_LAYERS }}
LAMBDA_LOGGING_CONFIG: ${{ vars.AWS_LAMBDA_LOGGING_CONFIG }}
LAMBDA_TRACING_MODE: ${{ vars.AWS_TRACING_MODE }}
run: |
aws lambda update-function-configuration \
--function-name "${FUNCTION_NAME}" \
--description "${LAMBDA_DESCRIPTION}" \
--environment "${LAMBDA_ENVIRONMENT_VARIABLES}" \
--handler "${LAMBDA_HANDLER}" \
--layers "${LAMBDA_LAYERS}" \
--logging-config "${LAMBDA_LOGGING_CONFIG}" \
--memory-size "${LAMBDA_MEMORY}" \
--role "${LAMBDA_ROLE}" \
--runtime "${LAMBDA_RUNTIME}" \
--timeout "${LAMBDA_TIMEOUT}" \
--tracing-config "Mode=${LAMBDA_TRACING_MODE}"
- name: Wait for function configuration update
shell: bash
run: |
aws lambda wait function-updated-v2 \
--function-name "${FUNCTION_NAME}"
tests-prod:
needs: deploy-prod
runs-on: ubuntu-latest
concurrency: production_environment
permissions:
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET SDK
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-test
role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}-tests-production
aws-region: ${{ env.AWS_REGION }}
- name: Run end-to-end tests
shell: pwsh
run: dotnet test ./test/LondonTravel.Skill.EndToEndTests --configuration Release --logger "GitHubActions;report-warnings=false"
env:
LAMBDA_FUNCTION_NAME: ${{ env.LAMBDA_FUNCTION }}
LWA_CLIENT_ID: ${{ secrets.LWA_CLIENT_ID }}
LWA_CLIENT_SECRET: ${{ secrets.LWA_CLIENT_SECRET }}
LWA_REFRESH_TOKEN: ${{ secrets.LWA_REFRESH_TOKEN }}
SKILL_ID: ${{ secrets.SKILL_ID }}
SKILL_STAGE: live