[StepSecurity] Apply security best practices #355
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# For documentation on the github environment, see | |
# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners | |
# | |
# For documentation on the syntax of this file, see | |
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions | |
name: MSBuild | |
on: pull_request | |
concurrency: | |
# Cancel any builds currently in progress for the same PR. | |
# Allow running concurrently for with any other commits. | |
group: ci-${{ github.event.pull_request.number || github.sha }} | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
jobs: | |
build-vs: | |
timeout-minutes: 15 | |
strategy: | |
matrix: | |
configurations: [Debug, Release] | |
architecture: [x64, ARM64] | |
runs-on: windows-2022 | |
env: | |
# Configuration type to build. | |
# You can convert this to a build matrix if you need coverage of multiple configuration types. | |
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix | |
BUILD_CONFIGURATION: ${{matrix.configurations}} | |
BUILD_PLATFORM: ${{matrix.architecture}} | |
CXPLAT_MEMORY_LEAK_DETECTION: true | |
DUMP_PATH: c:/dumps/x64/${{matrix.configurations}} | |
TEST_TIMEOUT: 900 # 15 minute timeout for tests. | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
submodules: 'recursive' | |
- name: Add MSBuild to PATH | |
uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 | |
- name: Restore NuGet packages | |
working-directory: ${{env.GITHUB_WORKSPACE}} | |
run: nuget restore ${{env.SOLUTION_FILE_PATH}} | |
- name: Generate Catch2 projects | |
working-directory: ${{env.GITHUB_WORKSPACE}} | |
run: cmake -G "Visual Studio 17 2022" -S external\catch2 -B external\catch2\build -DBUILD_TESTING=OFF -A ${{env.BUILD_PLATFORM}} | |
- name: Build | |
working-directory: ${{env.GITHUB_WORKSPACE}} | |
# Add additional options to the MSBuild command line here (like platform or verbosity level). | |
# See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference | |
run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} /p:RunCodeAnalysis='True' ${{env.SOLUTION_FILE_PATH}} | |
- name: Run cxplat tests without fault injection | |
if: matrix.architecture == 'x64' | |
working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION }} | |
shell: cmd | |
run: | | |
.\cxplat_test -d yes | |
- name: Run usersim tests without fault injection | |
if: matrix.architecture == 'x64' | |
working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION }} | |
shell: cmd | |
run: | | |
.\usersim_tests -d yes | |
- name: Run cxplat tests with fault injection | |
if: matrix.configurations == 'Debug' && matrix.architecture == 'x64' | |
working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION }} | |
shell: cmd | |
run: | | |
powershell ..\..\scripts\Test-FaultInjection.ps1 ${{env.DUMP_PATH}} ${{env.TEST_TIMEOUT}} ".\cxplat_test.exe" 4 | |
- name: Run usersim tests with fault injection | |
if: matrix.configurations == 'Debug' && matrix.architecture == 'x64' | |
working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION }} | |
shell: cmd | |
run: | | |
powershell ..\..\scripts\Test-FaultInjection.ps1 ${{env.DUMP_PATH}} ${{env.TEST_TIMEOUT}} ".\usersim_tests.exe" 4 | |
build-cmake: | |
timeout-minutes: 15 | |
strategy: | |
matrix: | |
configurations: [Debug, Release] | |
architecture: [x64, ARM64] | |
runs-on: windows-2022 | |
env: | |
# Configuration type to build. | |
# You can convert this to a build matrix if you need coverage of multiple configuration types. | |
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix | |
BUILD_CONFIGURATION: ${{matrix.configurations}} | |
BUILD_PLATFORM: ${{matrix.architecture}} | |
CMAKE_GENERATOR: Visual Studio 17 2022 | |
PLATFORM_TOOLSET: v143 | |
CXPLAT_MEMORY_LEAK_DETECTION: true | |
DUMP_PATH: c:/dumps/x64/${{matrix.configurations}} | |
TEST_TIMEOUT: 900 # 15 minute timeout for tests. | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
submodules: 'recursive' | |
- name: Add MSBuild to PATH | |
uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 | |
- name: Configure the project | |
working-directory: ${{env.GITHUB_WORKSPACE}} | |
shell: cmd | |
run: | | |
cmake -G "Visual Studio 17 2022" -S external\catch2 -B external\catch2\build -DBUILD_TESTING=OFF -A ${{env.BUILD_PLATFORM}} | |
cmake -S . -B build -G "${{env.CMAKE_GENERATOR}}" -A ${{env.BUILD_PLATFORM}} -T ${{env.PLATFORM_TOOLSET}} | |
- name: Build the project | |
working-directory: ${{env.GITHUB_WORKSPACE}} | |
shell: cmd | |
run: | | |
cmake --build build --config ${{env.BUILD_CONFIGURATION }} | |
- name: Run cxplat tests without fault injection | |
if: matrix.architecture == 'x64' | |
working-directory: ./build/bin/${{env.BUILD_CONFIGURATION}} | |
shell: cmd | |
run: | | |
.\cxplat_test -d yes | |
- name: Run usersim tests without fault injection | |
if: matrix.architecture == 'x64' | |
working-directory: ./build/bin/${{env.BUILD_CONFIGURATION}} | |
shell: cmd | |
run: | | |
.\usersim_tests -d yes | |
- name: Run cxplat tests with fault injection | |
if: matrix.configurations == 'Debug' && matrix.architecture == 'x64' | |
working-directory: ./build/bin/${{env.BUILD_CONFIGURATION}} | |
shell: cmd | |
run: | | |
powershell ..\..\..\scripts\Test-FaultInjection.ps1 ${{env.DUMP_PATH}} ${{env.TEST_TIMEOUT}} ".\cxplat_test.exe" 4 | |
- name: Run usersim tests with fault injection | |
if: matrix.configurations == 'Debug' && matrix.architecture == 'x64' | |
working-directory: ./build/bin/${{env.BUILD_CONFIGURATION}} | |
shell: cmd | |
run: | | |
powershell ..\..\..\scripts\Test-FaultInjection.ps1 ${{env.DUMP_PATH}} ${{env.TEST_TIMEOUT}} ".\usersim_tests.exe" 4 |