- 添加Feluda许可证扫描工作流步骤,设置Apache-2.0项目许可证 - 配置许可证合规性检查参数,启用限制性和不兼容许可证失败机制 - 实现SBOM文件自动生成,支持SPDX和CycloneDX两种格式 - 集成SBOM文件验证步骤并生成验证结果报告 - 添加许可证合规相关工件文件上传功能 - 在README中添加Feluda扫描徽章标识
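# CI/CD workflow: build and test the .NET projects, with lint, secret,
# license and SBOM checks in front of the build.
# Triggered on pushes to main/master and on pull requests against them.
#
# NOTE(review): every third-party action below is pinned by tag. A tag can
# be moved; for supply-chain hardening pin each one to a full commit SHA and
# keep the tag as a trailing comment, e.g.
#   uses: owner/action@<full-commit-sha>  # vX.Y.Z
# (SHAs are intentionally not filled in here; take them from each release.)
name: CI - Build & Test

on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]

# Least-privilege token: read-only by default, write only where a step
# needs it. On pull requests from forks the token is read-only regardless.
permissions:
  contents: read
  security-events: write   # upload-sarif writes to the code-scanning tab
  checks: write            # dorny/test-reporter publishes results as a check run
  pull-requests: write     # ctrf reporter posts the pull-request report

jobs:
  test:
    name: Build and Test
    runs-on: ubuntu-latest

    steps:
      # Full git history (fetch-depth 0) so TruffleHog can diff base..head below.
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # Code-quality and security linting; findings go to a SARIF report.
      # continue-on-error keeps the job alive so the SARIF is still uploaded.
      # FAIL_ON_ERROR is 'true' only on main — pushes to master (also a
      # trigger branch) never fail the lint step. Confirm that is intended.
      - name: MegaLinter
        uses: oxsecurity/megalinter@v9.3.0
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FAIL_ON_ERROR: ${{ github.ref == 'refs/heads/main' }}

      # Publish the MegaLinter SARIF report to GitHub code scanning.
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: megalinter-reports/sarif

      # Secret scanning: compares base and head and flags credentials
      # (API keys, passwords, ...) introduced by the new commits.
      # NOTE(review): github.event.before is not present on a newly opened
      # pull request and is the all-zero SHA on the first push of a branch;
      # the action derives base/head itself when both inputs are omitted —
      # confirm against the action's docs before relying on or dropping them.
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@v3.92.5
        with:
          # Scan the whole repository checkout.
          path: .
          # Base commit of the comparison.
          base: ${{ github.event.before }}
          # Head commit of the comparison.
          head: ${{ github.sha }}

      # Install every SDK the solution targets (versions quoted as strings).
      - name: Setup .NET 8
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '8.0.x'

      - name: Setup .NET 9
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.0.x'

      - name: Setup .NET 10
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '10.0.x'

      # Cache NuGet packages, keyed on the project files, to speed up restore.
      - name: Cache NuGet packages
        uses: actions/cache@v5
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}

      # Restore NuGet packages.
      - name: Restore
        run: dotnet restore

      # Restore local tools from the tool manifest (DotnetCtrfJsonReporter is used below).
      - name: Restore .NET tools
        run: dotnet tool restore

      # License compliance of the dependency tree.
      #   project-license      - the project's own license, Apache-2.0
      #   fail-on-restrictive  - fail when a restrictive license is found
      #   fail-on-incompatible - fail when an incompatible license is found
      #   update-badge         - refresh the license badge
      # NOTE(review): update-badge presumably rewrites the README; with
      # contents: read, and on pull_request events, nothing can be pushed
      # back — confirm what the action does with that result.
      - name: Feluda License Scanner
        uses: anistark/feluda@v1.11.1
        with:
          project-license: 'Apache-2.0'
          fail-on-restrictive: true
          fail-on-incompatible: true
          update-badge: true

      # Generate the compliance files by running `feluda generate` twice,
      # feeding a menu choice on stdin each time.
      # NOTE(review): "1"/"2" presumably select NOTICE and
      # THIRD_PARTY_LICENSES.md (the files uploaded below) — confirm against
      # feluda's CLI; driving an interactive prompt is fragile in CI.
      - name: Generate compliance files
        run: |
          echo "1" | feluda generate
          echo "2" | feluda generate

      # Software bill of materials in both SPDX and CycloneDX formats.
      - name: Generate SBOM
        run: |
          feluda sbom spdx --output sbom.spdx.json
          feluda sbom cyclonedx --output sbom.cyclonedx.json

      # Validate the generated SBOMs; results are written to text files.
      - name: Validate SBOM files
        run: |
          feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
          feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt

      # Keep the compliance evidence (notice, third-party licenses, SBOMs
      # and their validation results) as a downloadable artifact.
      - name: Upload compliance artifacts
        uses: actions/upload-artifact@v4
        with:
          name: license-compliance
          path: |
            NOTICE
            THIRD_PARTY_LICENSES.md
            sbom.spdx.json
            sbom.cyclonedx.json
            sbom-spdx-validation.txt
            sbom-cyclonedx-validation.txt

      # Release build; restore already ran above.
      - name: Build
        run: dotnet build -c Release --no-restore

      # Unit tests; TRX results go to TestResults, with a random suffix in
      # the file name.
      - name: Test - Core
        run: |
          dotnet test GFramework.Core.Tests \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=core-$RANDOM.trx" \
            --results-directory TestResults

      - name: Test - SourceGenerators
        run: |
          dotnet test GFramework.SourceGenerators.Tests \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=sg-$RANDOM.trx" \
            --results-directory TestResults

      # Convert each TRX file into a CTRF JSON report.
      # Runs even when a test suite failed, so the failure still reaches the
      # CTRF report published below (which itself runs on always()).
      # nullglob stops the loop from handing the literal pattern to the tool
      # when no TRX file exists (e.g. the build step failed).
      - name: Generate CTRF report
        if: always()
        run: |
          shopt -s nullglob
          mkdir -p ctrf

          for trx in TestResults/*.trx; do
            name=$(basename "$trx" .trx)
            echo "Processing $trx -> ctrf/$name.json"

            dotnet tool run DotnetCtrfJsonReporter \
              -p "$trx" \
              -t nunit \
              -d ctrf \
              -f "$name.json"
          done

      # Publish the TRX results as a check run, whether the tests passed or failed.
      - name: Test Report
        uses: dorny/test-reporter@v2
        if: always()
        with:
          name: .NET Test Results
          path: TestResults/*.trx
          reporter: dotnet-trx

      # Publish the CTRF reports (summary, PR comment, trend data), pass or fail.
      - name: Publish Test Report
        uses: ctrf-io/github-test-reporter@v1
        if: always()
        with:
          report-path: './ctrf/*.json'
          github-report: true
          pull-request-report: true
          summary-delta-report: true
          insights-report: true
          flaky-rate-report: true
          fail-rate-report: true
          slowest-report: true
          upload-artifact: true
          fetch-previous-results: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}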