Taskdeck/.github/workflows/ci-release.yml at main · Chris0Jeky/Taskdeck · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# =============================================================================
# CI Release — release lane for SBOM/provenance generation and container
# build verification. Complements release-security.yml with a lighter-weight
# build-verification pass suitable for tag/release automation.
#
# SBOM/provenance: implemented in OPS-11 (#103) via reusable-sbom-provenance.yml
# Follow-through:
#   - SEC-09 (#106) / OPS-17 (#148): dependency vulnerability policy + automation
# =============================================================================

name: CI Release

on:
  workflow_dispatch:
  push:
    tags:
      - v*
  release:
    types:
      - published

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages

jobs:
  release-build-verification:
    name: Release Build Verification
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: 8.0.x
          cache: true
          cache-dependency-path: |
            backend/Taskdeck.sln
            backend/**/*.csproj

      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: 24.13.1
          cache: npm
          cache-dependency-path: frontend/taskdeck-web/package-lock.json

      - name: Restore backend
        run: dotnet restore backend/Taskdeck.sln

      - name: Build backend (Release)
        run: dotnet build backend/Taskdeck.sln -c Release --no-restore

      - name: Install frontend dependencies
        working-directory: frontend/taskdeck-web
        run: npm ci

      - name: Build frontend (production)
        working-directory: frontend/taskdeck-web
        run: npx vite build

      - name: Write release build summary
        run: |
          cat <<'EOF' >> "$GITHUB_STEP_SUMMARY"
          ## Release Build Verification

          - Backend: restore + build (Release) passed
          - Frontend: npm ci + vite build passed

          SBOM and provenance artifacts are generated in the `sbom-provenance` job.
          EOF

  sbom-provenance:
    name: SBOM and Release Provenance
    uses: ./.github/workflows/reusable-sbom-provenance.yml
    with:
      artifact-name: release-sbom-provenance
      retention-days: 90

  container-images:
    name: Container Image Artifacts
    uses: ./.github/workflows/reusable-container-images.yml