ThreadPilot/.github/workflows/ci-devsecops.yml at main · PrimeBuild-pc/ThreadPilot · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: CI DevSecOps

on:
  push:
    branches: ["main", "master"]
  pull_request:
  workflow_dispatch:

permissions:
  contents: read
  actions: read

jobs:
  build-test-scan:
    runs-on: windows-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "8.0.x"

      - name: Restore
        run: dotnet restore "ThreadPilot_1.sln"

      - name: Verify formatting
        continue-on-error: true
        run: dotnet format "ThreadPilot_1.sln" --verify-no-changes --verbosity diagnostic --report dotnet-format-report.json

      - name: Build Debug
        run: dotnet build "ThreadPilot_1.sln" --configuration Debug --no-restore

      - name: Build Release
        run: dotnet build "ThreadPilot_1.sln" --configuration Release --no-restore

      - name: Run tests
        run: dotnet test "Tests/ThreadPilot.Core.Tests/ThreadPilot.Core.Tests.csproj" --configuration Release --no-restore --verbosity normal --collect:"XPlat Code Coverage" --settings "Tests/ThreadPilot.Core.Tests/coverlet.runsettings" --results-directory TestResults

      - name: Enforce coverage gate
        shell: pwsh
        run: |
          $ErrorActionPreference = "Stop"
          $coveragePath = Get-ChildItem -Path "TestResults" -Recurse -Filter "coverage.cobertura.xml" |
            Sort-Object LastWriteTimeUtc -Descending |
            Select-Object -First 1 -ExpandProperty FullName

          if ([string]::IsNullOrWhiteSpace($coveragePath))
          {
            throw "Coverage file not found under TestResults."
          }

          [xml]$coverage = Get-Content $coveragePath
          $lineRate = [double]$coverage.coverage.'line-rate' * 100
          $branchRate = [double]$coverage.coverage.'branch-rate' * 100
          # Temporary floor until the service-hardening coverage tasks land.
          $minimumLineRate = 1.5

          $summary = @(
            "## Coverage Gate",
            "- file: $coveragePath",
            "- line coverage: $([math]::Round($lineRate, 2))%",
            "- branch coverage: $([math]::Round($branchRate, 2))%",
            "- minimum line coverage: $minimumLineRate%"
          )

          $summary | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Encoding utf8 -Append
          $summary | ForEach-Object { Write-Host $_ }

          if ($lineRate -lt $minimumLineRate)
          {
            throw "Coverage gate failed. Expected >= $minimumLineRate, actual: $([math]::Round($lineRate, 2))"
          }

      - name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          files: '**/coverage.cobertura.xml'
          fail_ci_if_error: false

      - name: Dependency vulnerability audit
        shell: pwsh
        run: |
          $ErrorActionPreference = "Stop"
          $audit = dotnet list "ThreadPilot.csproj" package --vulnerable --include-transitive
          $audit | Out-String | Write-Host

          if ($LASTEXITCODE -ne 0) {
            throw "dotnet list package --vulnerable failed."
          }

          if ($audit -match "has the following vulnerable packages") {
            throw "Vulnerable packages detected."
          }

      - name: Secret scan (Gitleaks)
        shell: pwsh
        run: |
          $ErrorActionPreference = "Stop"
          $version = "8.24.3"
          $baseUrl = "https://github.com/gitleaks/gitleaks/releases/download/v$version"
          $zipAsset = "gitleaks_${version}_windows_x64.zip"
          $tarAsset = "gitleaks_${version}_windows_x64.tar.gz"
          $toolDir = Join-Path $env:RUNNER_TEMP "gitleaks-bin"

          if (Test-Path $toolDir) {
            Remove-Item -Path $toolDir -Recurse -Force
          }

          try {
            Invoke-WebRequest -Uri "$baseUrl/$zipAsset" -OutFile "gitleaks.zip"
            Expand-Archive -Path "gitleaks.zip" -DestinationPath $toolDir -Force
          }
          catch {
            Invoke-WebRequest -Uri "$baseUrl/$tarAsset" -OutFile "gitleaks.tar.gz"
            New-Item -ItemType Directory -Force -Path $toolDir | Out-Null
            tar -xzf "gitleaks.tar.gz" -C $toolDir
          }

          # Remove vendored tool docs from scan scope to avoid known upstream sample false positives.
          if (Test-Path ".\\gitleaks-bin") {
            Remove-Item -Path ".\\gitleaks-bin" -Recurse -Force
          }

          $gitleaksExe = Resolve-Path (Join-Path $toolDir "gitleaks.exe")
          & $gitleaksExe detect --source "." --no-git --exit-code 1 --redact --verbose --report-format json --report-path gitleaks-report.json

      - name: Upload security artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            gitleaks-report.json
            dotnet-format-report.json