Releases: peacefulstudio/github-actions
Release list
v2.3.1 — fix csharp-ci shard-result upload for non-root working-directory callers
Fixed
- Fix `csharp-ci.yaml` failing the `Upload shard result` step for callers that pass a non-root `working-directory` (e.g. `working-directory: csharp`). The `Record shard result` step inherited the job's `defaults.run.working-directory` and wrote `ci-result/<name>.txt` under that subdirectory, but `actions/upload-artifact` ignores `defaults.run.working-directory` and resolves its `path:` relative to the repo root, so the upload failed with `No files were found with the provided path: ci-result/<name>.txt` (`if-no-files-found: error`). The `Record shard result` step is now pinned to `working-directory: ${{ github.workspace }}` so it writes at the repo root, matching where `upload-artifact` reads — mirroring how the adjacent coverage steps are already pinned. Reported by `peacefulstudio/canton-localnet-internal`.
See #28. Full changelog: https://github.com/peacefulstudio/github-actions/blob/v2.3.1/CHANGELOG.md
v2.3.0 — cheap CI matrix mode (matrix-mode input + CI_MATRIX_MODE)
Added
- New `matrix-mode` input on `csharp-ci.yaml` and `scala-ci.yaml`, plus a supported org/repo Actions variable `CI_MATRIX_MODE`, for cheap CI matrix routing.
  - `cheap` (private/internal repos only): collapses the build/test matrix to a single free self-hosted Hetzner shard (`["self-hosted","hetzner"]`, coverage on), overriding any `os-list`/`build-matrix`.
  - `full`: forces the normal matrix.
  - empty: defers to `CI_MATRIX_MODE`.
- Precedence: input > variable > normal matrix.
- Safety: `cheap` is ignored (with a warning) on public repositories — self-hosted runners must not run untrusted public/fork-PR workloads.
See #27. Full changelog: https://github.com/peacefulstudio/github-actions/blob/v2.3.0/CHANGELOG.md
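The precedence and public-repository guard described in this release, written out as a shell function. This is an added example, not the project's own helper script; the function name `resolve_matrix_mode`, its argument order, and the rejection of unknown mode values are assumptions.

```bash
# Added example (not code from peacefulstudio/github-actions).
# resolve_matrix_mode INPUT VARIABLE VISIBILITY   (name and signature are assumptions)
#   INPUT      - the matrix-mode workflow input: "", "cheap" or "full"
#   VARIABLE   - the CI_MATRIX_MODE Actions variable: "", "cheap" or "full"
#   VISIBILITY - repository visibility: "public", "private" or "internal"
# Prints the effective mode ("cheap" or "normal") on stdout.
# Warnings and errors go to stderr as workflow commands.
resolve_matrix_mode() {
  local input="$1" variable="$2" visibility="$3" mode

  # Precedence: input > variable > normal matrix.
  # An empty input defers to the variable; an empty variable means normal.
  mode="${input:-$variable}"

  case "$mode" in
    ""|full)
      echo normal
      return 0 ;;
    cheap)
      ;;  # falls through to the visibility guard below
    *)
      # Assumption: an unrecognised value is rejected rather than guessed at.
      echo "::error::unknown matrix mode '$mode'" >&2
      return 1 ;;
  esac

  # "cheap" routes the job to a self-hosted shard, so it is only honoured
  # where the workload is trusted (private or internal repositories).
  case "$visibility" in
    private|internal)
      echo cheap ;;
    public)
      echo "::warning::matrix-mode 'cheap' ignored on a public repository" >&2
      echo normal ;;
    *)
      # Fail closed: an unknown visibility never reaches a self-hosted runner.
      echo "::error::unexpected repository visibility '$visibility'" >&2
      return 1 ;;
  esac
}
```

The important property is the final `case`: the self-hosted shard is reachable only through an explicit `private` or `internal` match, so a failed or unexpected visibility lookup cannot route a public workload onto the self-hosted pool.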
v2.2.0 — live README status badges (coverage, CI matrix, releases)
Adds an opt-in update-badges.yaml reusable workflow that writes shields.io endpoint JSON to an orphan badges branch of the caller repo (built-in GITHUB_TOKEN, no gist/PAT), plus coverage and matrix-status outputs on csharp-ci.yaml/scala-ci.yaml so a consumer README can show live coverage and per-platform CI badges. Also adds an artifact-prefix input so two languages can run in one caller workflow without colliding on artifact names. Input/secret contracts are otherwise unchanged — a safe minor bump from v2.1.0.
Closes #22.
v2.1.0 — coverage table sort fix, cobertura union-merge, caller-resolved dotnet-coverage
Fixed
- Fix the coverage-table sort being a silent no-op for C# coverage comments — `irongut/CodeCoverageSummary` `format: markdown` emits tables without leading pipes, which the `sort-coverage-table` action did not recognize as tables; it now detects a header line followed by a `---` separator line with or without leading pipes, and emits a `::warning::` when no table is found at all. (#18, #19)
- Fix diluted C# coverage numbers when multiple test projects cover the same assemblies: `csharp-ci.yaml` again union-merges the per-project cobertura files (matched by `tests-glob`) into one report via the `dotnet-coverage` global tool (version resolved from the caller's `Directory.Packages.props` pin of `Microsoft.Testing.Extensions.CodeCoverage`, nested files under `working-directory` included — no input; a missing, non-literal, or conflicting pin fails loud) before `irongut/CodeCoverageSummary` runs, instead of letting irongut concatenate them with duplicated, partial package rows. The input/secret contract is unchanged. (#19)
Full changelog: v2.0.0...v2.1.0
v2.0.0 — global.json SDK resolution, no dotnet-coverage merge, exact-version helpers
Migration: reference workflows and actions at @v2 (e.g. peacefulstudio/github-actions/.github/workflows/csharp-ci.yaml@v2). The floating v1 tag is frozen at the v1.5.x state and will no longer advance.
Changed
- All reusable workflows now check out their helper scripts (`normalize-ci-matrix.sh`, `resolve-runner.sh`, `push-nuget.sh`) and the `sort-coverage-table` action at `job.workflow_sha` — the exact commit of the called workflow — instead of the floating `v1` tag. Callers pinning a SHA or an exact version tag now get the helpers matching that exact version, and cutting a release no longer risks breaking consumers at runtime by forgetting to advance a floating tag. (#17)
- BREAKING. `csharp-ci.yaml` `dotnet-version` input default changed from `'10.0.x'` to empty. When empty, the .NET SDK is resolved from the caller repo's `global.json` under `working-directory` — the file must exist or setup fails loud. Pass an explicit `dotnet-version` to keep overriding. Callers relying on the old default must add a `global.json` (a future SDK bump is then a caller-side change only). (#17)
Removed
- BREAKING. `dotnet-coverage-version` input on `csharp-ci.yaml` — the `dotnet-coverage` global tool install and the cobertura merge step are gone; `irongut/CodeCoverageSummary` now aggregates the per-project `*.cobertura.xml` files (matched by `tests-glob`) itself. A tool-free guard still fails the job loud when the glob matches no files. No known caller passes this input; any caller that does must drop it before moving to this version. (#17)
Fixed
- Fix `csharp-ci.yaml`, `go-ci.yaml` and `scala-ci.yaml` failing in every consumer repo that runs the coverage step with "Can't find 'action.yml' … under '.github/actions/sort-coverage-table'" — the coverage-sort step referenced the action by local path, which resolves against the caller's checkout, not this repo. The step now references `peacefulstudio/github-actions/.github/actions/sort-coverage-table@v1`. (#16)
v1.5.0 — csharp-publish composite action, NuGet trusted publishing
Added
- `.github/actions/csharp-publish` composite action — builds, tests, packs and pushes .NET NuGet packages to nuget.org, enabling NuGet Trusted Publishing (OIDC) for consumer repos. The caller checks out its own code and mints the short-lived API key via `NuGet/login` in its own job, then invokes the action with `steps: - uses: peacefulstudio/github-actions/.github/actions/csharp-publish@v1`, passing `api-key`. Because the action runs inline as steps in the caller's job, `job_workflow_ref` stays the caller's publish workflow, so a per-repo nuget Trusted Publishing policy anchored on the consumer repo matches. Inputs: `api-key` (required), `version_override`, `include_symbols` (default `true`), `working-directory` (default `.`), `test-filter` (default empty).
- `working-directory` (default `.`) and `test-filter` (default empty) inputs on `csharp-publish-public.yaml`, matching the names used by `csharp-ci.yaml`. `working-directory` runs the restore/build/test/pack steps from a sub-path (the pack output stays at `$GITHUB_WORKSPACE/output/nuget` so the root-level push step is unaffected), letting repos whose solution lives below the root — e.g. `canton-localnet`'s `csharp/` — use the reusable workflow. `test-filter` passes a `dotnet test --filter` expression (e.g. `Category!=Integration`) to exclude tests that need live infrastructure. Both default to the previous behaviour, so existing callers are bit-for-bit unaffected.
Changed
- BREAKING. `csharp-publish-public.yaml` now publishes to nuget.org via NuGet Trusted Publishing (short-lived OIDC token exchanged for a temporary API key through `NuGet/login`) instead of long-lived API keys. The four `NUGET_API_KEY_*` secrets (`NUGET_API_KEY_CANTON`, `NUGET_API_KEY_DAML`, `NUGET_API_KEY_SPLICE`, `NUGET_API_KEY_PEACEFUL`) are removed. Callers must instead provide an organization secret `NUGET_USER` (the nuget.org profile name), grant `permissions: id-token: write`, and register a nuget.org Trusted Publishing policy (Workflow File = `csharp-publish-public.yaml` — the reusable file, not the caller; Environment = `nuget-publish`). `scripts/route-nuget-push.sh` is renamed to `scripts/push-nuget.sh`; per-owner key routing is removed since one user/key now pushes every package.
- Coverage PR comment tables (Scala, Go, C#) now list packages alphabetically by name.
- Remove the Complexity column from the Scala coverage PR comment — `sbt` always emits 0 for this field.
Deprecated
- BREAKING for trusted publishing. `csharp-publish-public.yaml` reusable workflow is deprecated. As a reusable workflow it runs the OIDC job in `peacefulstudio/github-actions`, so the `job_workflow_ref` claim is always stamped with `github-actions` and never the caller — a per-repo nuget Trusted Publishing policy anchored on the consumer repo can therefore never match (confirmed by a live HTTP 401). Consumers must switch to the `.github/actions/csharp-publish` composite action and mint the OIDC key (`NuGet/login`) in their own job.
v1.4.0 — visibility-based default runners, build-matrix, snupkg symbols
Added
- `build-matrix` input on `csharp-ci.yaml` and `scala-ci.yaml` — optional JSON array of `{ name, runner, coverage }` shards that fully replaces `os-list` when set. Lets a caller mix self-hosted and hosted runners, pass array-valued `runs-on` labels (e.g. `["self-hosted", "hetzner"]`), and pick the single shard that carries the coverage report / sticky PR comment / job summary. Backed by a new tested helper, `scripts/normalize-ci-matrix.sh`, run in a `normalize` job; it fails loud on a malformed matrix. Omitting `build-matrix` keeps `os-list` behaviour bit-for-bit.
- `runs-on` input on `build-and-test.yaml` — honoured on `workflow_call`; accepts a plain label or a JSON array string.
- `include_symbols` input (default `true`) on `csharp-publish-public.yaml` — generates and publishes `.snupkg` symbol packages to the nuget.org symbol server alongside the main packages. Set to `false` to publish `.nupkg` only. (#7)
Changed
- Default runner now follows repository visibility. When a caller passes no `runs-on` (`go-ci`, `terraform-ci`, `build-and-test`) or no `os-list`/`build-matrix` (`csharp-ci`, `scala-ci`), the runner is selected by a `gh api` visibility lookup: public repos get GitHub-hosted runners, private and internal repos get the self-hosted Hetzner pool (`["self-hosted", "hetzner"]`). The lookup fails loud on error or unexpected visibility. Any explicit `runs-on`/`os-list`/`build-matrix` overrides this. Runner resolution for `go-ci`/`terraform-ci`/`build-and-test` is backed by a new tested helper, `scripts/resolve-runner.sh`.
- `runs-on` on `go-ci.yaml` and `terraform-ci.yaml` now accepts a JSON array string (e.g. `'["self-hosted", "hetzner"]'`) in addition to a plain label.
- `csharp-publish-public.yaml` now builds with `ContinuousIntegrationBuild=true` for deterministic, path-normalized Release builds. (#7)
Full changelog: v1.2.0...v1.4.0
v1.2.0 — nuget.org publish reusable workflow
Added
- `csharp-publish-public.yaml` — reusable workflow to publish NuGet packages to nuget.org, with per-owner push routing via a new tested `scripts/route-nuget-push.sh`. (#6)
Full changelog: v1.1.0...v1.2.0
v1.1.0 — Scala CI, coverage titles, C# on xUnit v3
Four feature PRs land in one release. All four reusable workflows now share the same coverage-title knob, and the C# workflow moves to the modern xUnit v3 + Microsoft.Testing.Platform stack.
New: Scala CI workflow
scala-ci.yaml brings the same shape as csharp-ci.yaml to sbt projects — build, test, coverage, sticky PR comment, job summary, and an artifact upload. No pack: step (that's still C#-only for now). (#2)
New: coverage-title input across all four workflows
Every reusable workflow now accepts a coverage-title input that prepends a markdown H2 to the rendered coverage / test-summary file before the sticky PR comment goes up. If you run multiple of these workflows on the same repo, the sticky comments are no longer ambiguous at a glance.
| Workflow | Default coverage-title |
|---|---|
| `csharp-ci.yaml` | `C# coverage` |
| `scala-ci.yaml` | `Scala coverage` |
| `go-ci.yaml` | `Go coverage` |
| `terraform-ci.yaml` | `Terraform coverage` |
Override per-call:
```yaml
jobs:
  ci:
    uses: peacefulstudio/github-actions/.github/workflows/csharp-ci.yaml@v1
    with:
      coverage-title: 'Backend API coverage'
```

Loud-fails (rather than silently skipping) if the target coverage / test-summary file is missing — so a broken upstream step shows up immediately instead of producing a silently empty sticky comment. (#1, #2, #3, #4)
Changed: csharp-ci.yaml on xUnit v3 + Microsoft.Testing.Platform
csharp-ci.yaml no longer uses dotnet test --collect "XPlat Code Coverage" + ReportGenerator. It now runs through Microsoft.Testing.Platform with Microsoft.Testing.Extensions.CodeCoverage collecting in-process, then dotnet-coverage merge + irongut/CodeCoverageSummary@v1.3.0 for the report — matching the go-ci / terraform-ci output style.
Caller requirements if you use csharp-ci.yaml:
- `xunit.v3` 3.2.2 or newer
- `Microsoft.Testing.Extensions.CodeCoverage` pinned at `18.0.6` (override-able via the new `dotnet-coverage-version` input)
- A `tests/Directory.Build.props` opting tests into MTP
- A `coverage.settings.xml` for the coverage collector
New optional inputs (defaults match what the migration assumed):
- `dotnet-coverage-version` — default `18.0.6`
- `tests-glob` — default `tests/**/*.cobertura.xml`
All previously exposed inputs and secrets are preserved verbatim. (#1)
Floating tag
v1 now points at this release. Callers on @v1 get this automatically.