Debug

Author: eNeRGy164

.github/workflows/continuous.yml

@@ -14,11 +14,18 @@ on:
   release:
     types: [created]   # Run when a release is created
 
+# Least privilege permissions for the workflow by default
+permissions:
+  contents: read
+  packages: none
+  id-token: none
+  attestations: none
+
 jobs:
   build:
     name: Build & Push
     runs-on: ubuntu-24.04 # Use a modern, stable Ubuntu runner
-    
+
     # This job needs to publish, attest, and sign—so grant only here
     permissions:
       contents: read       # Allow only reading repo content
@@ -27,6 +34,7 @@ jobs:
       attestations: write  # For attest-sbom (SBOM attestation)
 
     steps:
+
       # Pin every action by SHA for supply chain security!
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -47,14 +55,12 @@ jobs:
         with:
           path: .trivy-cache
           key: ${{ runner.os }}-trivy-cache
-          restore-keys: |
-            ${{ runner.os }}-trivy-cache
 
       # Run your hardened Nuke pipeline, which does: build, test, SBOM, hash, scan, etc.
       - name: 'Run: Push'
         run: ./build.cmd Push
         env:
-          FeedGitHubToken: ${{ secrets.FEED_GITHUB_TOKEN }}
+          FeedGitHubToken: ${{ secrets.GITHUB_TOKEN }}
           NuGetApiKey: ${{ secrets.NUGET_API_KEY }}
 
       # Report test coverage to Coveralls

build/Build.cs

@@ -18,22 +18,48 @@
 using Nuke.Common.Tools.ReportGenerator;
 using static Nuke.Common.Tools.Docker.DockerTasks;
 using static Nuke.Common.Tools.DotNet.DotNetTasks;
+using static Nuke.Common.Tools.Git.GitTasks;
 using static Nuke.Common.Tools.ReportGenerator.ReportGeneratorTasks;
 using static Serilog.Log;
 
 [UnsetVisualStudioEnvironmentVariables]
 [DotNetVerbosityMapping]
 class Build : NukeBuild
 {
+    public const string MainBranch = "main";
+    public const string ProjectName = ProductName + ".Shared";
+    public const string ProductName = "DendroDocs";
+    public const string RepositoryOwner = "dendrodocs";
+    public const string RepositoryUrl = "https://github.com/" + RepositoryOwner + "/dotnet-shared-lib";
+    public const string SbomNamespaceBase = "https://sbom.dendrodocs.dev";
+    public const string SbomManifestRelPath = "_manifest/spdx_2.2/manifest.spdx.json";
+    public const string GithubFeedSource = "GitHub - " + RepositoryOwner;
+    public const string NugetSourceUrl = "https://api.nuget.org/v3/index.json";
+    public const string SbomNamespace = "https://sbom.dendrodocs.dev";
+
+    enum BuildFlows
+    {
+        Local,
+        PrRemote, // PR from fork (remote)
+        PrLocal,  // PR from same repo/branch
+        Push,     // Push to main
+        Release   // Tag/release
+    }
+
     // Entrypoint for Nuke CLI
     public static int Main() => Execute<Build>(x => x.Push);
 
     GitHubActions GitHubActions => GitHubActions.Instance;
 
     // Pipeline state
-    string BranchSpec => GitHubActions?.Ref;
+    string GitHubRef => GitHubActions?.Ref;
+    string GitHubEventName => GitHubActions?.EventName;
+    string GitHubRepository => GitHubActions?.Repository;
+    string GitHubHeadRepository => Environment.GetEnvironmentVariable("GITHUB_HEAD_REPOSITORY");
     string BuildNumber => GitHubActions?.RunNumber.ToString();
 
+    BuildFlows BuildFlow => GetBuildFlow();
+
     [Parameter("Configuration to build - Default is 'Debug' (local) or 'Release' (server)")]
     readonly Configuration Configuration = IsLocalBuild ? Configuration.Debug : Configuration.Release;
 
@@ -42,7 +68,7 @@ class Build : NukeBuild
     readonly string NuGetApiKey;
 
     [Parameter]
-    readonly string GitHubUser = GitHubActions.Instance?.RepositoryOwner ?? "DendroDocs";
+    readonly string GitHubUser = GitHubActions.Instance?.RepositoryOwner ?? RepositoryOwner;
 
     [Parameter]
     [Secret]
@@ -72,26 +98,28 @@ class Build : NukeBuild
     string SemVer;
 
     bool IsPullRequest => GitHubActions?.IsPullRequest ?? false;
-    bool IsTag => BranchSpec is not null && BranchSpec.Contains("refs/tags", StringComparison.OrdinalIgnoreCase);
-    bool IsVersionTag => GitVersion?.SemVer is not null && Regex.IsMatch(GitVersion.SemVer, @"^\d+\.\d+\.\d+(-.*)?$");
+    bool IsTag => GitHubRef is not null && GitHubRef.Contains("refs/tags", StringComparison.OrdinalIgnoreCase);
 
     // Clean ensures output dirs are reset, for reproducible builds
     Target Clean => _ => _
         .Executes(() =>
         {
             ArtifactsDirectory.CreateOrCleanDirectory();
             TestResultsDirectory.CreateOrCleanDirectory();
+            SbomDirectory.CreateOrCleanDirectory();
+            TrivyCacheDirectory.CreateDirectory();
         });
 
     // CI safety: only build from a clean git state (prevents accidental, local-only changes from leaking into artifacts)
     Target VerifyCleanGit => _ => _
         .OnlyWhenStatic(() => !IsLocalBuild)
         .Executes(() =>
         {
-            var result = ProcessTasks.StartProcess("git", "status --porcelain");
-            result.AssertZeroExitCode();
-            var output = result.Output.Select(x => x.Text).ToList();
-            if (output.Any())
+            var output = Git("status --porcelain")
+                .Select(x => x.Text)
+                .ToList();
+
+            if (output.Count > 0)
                 throw new Exception("Repository is not clean. Commit or stash changes before running CI.");
         });
 
@@ -103,7 +131,7 @@ class Build : NukeBuild
 
            if (IsPullRequest)
            {
-               Information("Branch spec {BranchSpec} is a pull request. Adding build number {BuildNumber}", BranchSpec, BuildNumber);
+               Information("Branch spec {BranchSpec} is a pull request. Adding build number {BuildNumber}", GitHubRef, BuildNumber);
 
                SemVer = string.Join('.', GitVersion.SemVer.Split('.').Take(3).Union([BuildNumber]));
            }
@@ -155,11 +183,26 @@ class Build : NukeBuild
 
     // Generate an SBOM for all artifacts using Microsoft's sbom-tool
     Target SbomDeliverable => _ => _
+        // Only run SBOM creation for main branch and releases, not PRs
+        .OnlyWhenDynamic(() => BuildFlow == BuildFlows.Push || BuildFlow == BuildFlows.Release)
         .DependsOn(Pack)
         .Executes(() =>
         {
-            SbomDirectory.CreateOrCleanDirectory();
-            Sbom($"generate -b \"{ArtifactsDirectory}\" -bc . -m \"{SbomDirectory}\" -pn DendroDocs.Shared -pv {SemVer} -nsb https://sbom.dendrodocs.dev -ps DendroDocs -li true -pm true");
+            var sbomArgs = new[]
+            {
+                "generate",
+                "-b", $"\"{ArtifactsDirectory}\"",  // Base path for the build output
+                "-bc", ".",                         // Build config root
+                "-m", $"\"{SbomDirectory}\"",       // Output SBOM manifest dir
+                "-pn", ProjectName,                 // Package name",
+                "-pv", SemVer,
+                "-nsb", SbomNamespace,
+                "-ps", RepositoryOwner,
+                "-li", "true",                       // Enable license info
+                "-pm", "true"                        // Enable package manifest
+            };
+
+            Sbom(arguments: string.Join(" ", sbomArgs));
         });
 
     // Run Trivy via Docker, scanning the *source tree* for vulnerabilities, secrets, and misconfigurations
@@ -199,6 +242,7 @@ class Build : NukeBuild
                     "--disable-telemetry",
                     "--no-progress",
                     "--skip-dirs", ".nuke/temp",
+                    "--exit-code", "1",
                     "/src"));
         });
 
@@ -304,7 +348,7 @@ class Build : NukeBuild
     // Push to NuGet.org with precondition checks and integrity verification
     Target PushNuget => _ => _
         .DependsOn(Proof)
-        .OnlyWhenDynamic(() => !IsLocalBuild && IsTag && IsVersionTag)
+        .OnlyWhenDynamic(() => BuildFlow == BuildFlows.Release)
         .ProceedAfterFailure()
         .Executes(() =>
         {
@@ -322,53 +366,78 @@ class Build : NukeBuild
     // Push to GitHub Packages, after all proof steps and only from trusted context
     Target PushGithub => _ => _
         .DependsOn(Proof)
-        .OnlyWhenDynamic(() => !IsLocalBuild && !IsTag && IsPullRequest)
-        .OnlyWhenDynamic(() => GitHubUser == "dendrodocs")
+        .OnlyWhenDynamic(() => BuildFlow == BuildFlows.Push)
+        .OnlyWhenDynamic(() => GitHubUser == RepositoryOwner)
         .ProceedAfterFailure()
         .Executes(() =>
         {
-            try
-            {
-                DotNetNuGetAddSource(_ => _
-                   .SetName($"GitHub - {GitHubUser}")
-                   .SetUsername(GitHubUser)
-                   .SetPassword(FeedGitHubToken)
-                   .EnableStorePasswordInClearText()
-                   .SetSource($"https://nuget.pkg.github.com/{GitHubUser}/index.json")
-                );
-            }
-            catch
-            {
-                Information("Source already added");
-            }
-
             VerifyPackageHashes();
 
             DotNetNuGetPush(_ => _
                 .SetApiKey(FeedGitHubToken)
                 .SetTargetPath(ArtifactsDirectory / "*.nupkg")
                 .EnableSkipDuplicate()
-                .SetSource($"GitHub - {GitHubUser}")
+                .SetSource($"https://nuget.pkg.github.com/{RepositoryOwner}/index.json")
                 .EnableNoSymbols()
             );
         });
 
-    // Always verify artifact hashes before publishing—no accidental or malicious tampering!
+    BuildFlows GetBuildFlow()
+    {
+        if (IsLocalBuild)
+        {
+            return BuildFlows.Local;
+        }
+
+        // PR event
+        if (GitHubEventName?.StartsWith("pull_request") == true)
+        {
+            // Forked repo PRs (external contributors)
+            if (!string.IsNullOrWhiteSpace(GitHubHeadRepository) && !string.Equals(GitHubHeadRepository, GitHubRepository, StringComparison.OrdinalIgnoreCase))
+            {
+                return BuildFlows.PrRemote;
+            }
+
+            // In-repo branch PRs
+            return BuildFlows.PrLocal;
+        }
+
+        // Tag/release
+        if (IsTag || GitHubEventName == "release")
+        {
+            return BuildFlows.Release;
+        }
+
+        // Branch push
+        if (GitHubRef?.StartsWith("refs/heads/") == true)
+        {
+            return BuildFlows.Push;
+        }
+
+        return BuildFlows.Local;
+    }
+
+    // Always verify artifact hashes before publishing—no accidental or malicious tampering
     void VerifyPackageHashes()
     {
         var packages = Directory.GetFiles(ArtifactsDirectory, "*.nupkg");
         foreach (var package in packages)
         {
             var hashFile = package + ".sha256";
 
-            if (!File.Exists(hashFile)) throw new Exception($"Missing SHA256 file for {package}");
+            if (!File.Exists(hashFile))
+            {
+                throw new Exception($"Missing SHA256 file for {package}");
+            }
 
             var computedHash = SHA256.HashData(File.ReadAllBytes(package));
             var expectedHash = File.ReadAllText(hashFile).Trim();
             var actualHash = BitConverter.ToString(computedHash).Replace("-", string.Empty).ToLowerInvariant();
 
             if (!string.Equals(expectedHash, actualHash, StringComparison.OrdinalIgnoreCase))
+            {
                 throw new Exception($"SHA256 mismatch for {package}: expected {expectedHash}, got {actualHash}");
+            }
         }
     }
 }