ci: overhaul GitHub Actions workflows #606

Open
nblair2 wants to merge 1 commit into cmu-sei:master from nblair2:fix/frontend


@nblair2 nblair2 commented Mar 22, 2026

Overview

This is a comprehensive update to this project's GitHub Actions (CI). The benefits are threefold:

  • PRs now run builds of all packages to ensure no breaking changes. We can integrate tests here in the future.
  • Releases, changelog, and versioning are updated automatically by CI. As updates are made to master, release-please will "stack" merges in a release PR. Once that PR is accepted (maintainer discretion), release-please will update the changelog, create a new release, and update version numbers across the project (and create a tag). These are based on conventional commits.
  • Containers are built and pushed to ghcr.io based on the project's namespace. The main 'upstream' will always be ghcr.io/cmu-sei/ghosts/api:latest. But forks also get updated containers for testing (ex: ghcr.io/nblair2/ghosts/api:fix-something gets created if I push the fix/something branch to my fork)

Requirements

Warning

The following changes are required in the GitHub repository settings:

  • create a GitHub PAT, scoped to this repo, and add it to workflow secrets:
    • Go to your GitHub profile → Settings → Developer settings → Personal access tokens → Fine-grained tokens
    • Create a token scoped to the cmu-sei/GHOSTS repo with Contents: Read & Write and Pull requests: Read & Write
    • Add it as a repo secret: Settings → Secrets and variables → Actions → New repository secret, name it RELEASE_TOKEN
  • linear commit history (squash merge). See here
  • allow workflows to create pull requests. See here

Updates

Deleted 4 obsolete workflows:

  • create-container-shadows.yml (shadows component removed from repo)
  • create_socializer.yml (ghosts.pandora.socializer dir no longer exists)
  • docker-image.yml (referenced non-existent Dockerfile-universal-client)
  • login.yml (standalone Docker Hub login test with no purpose)

Moved 5 workflows:

  • create_api.yml --> api.yml
  • create-container-ui.yml --> frontend.yml
  • create_pandora.yml --> pandora.yml
  • create_client_universal.yml --> client-universal.yml
  • mkdocs.yml --> docs.yml

Added 3 workflows:

  • client-windows.yml
  • client-lite.yml
  • release.yml

Updated all dependencies to allow each package to build

Current workflows:

  • api.yml

    • Docker build on every push/PR to src/Ghosts.Api/**, src/Ghosts.Domain/**, src/Ghosts.Animator/**, src/Dockerfile-api.
    • Pushes ghcr.io/{{username}}/GHOSTS/api with tags for commit/branch/release/latest
  • frontend.yml

    • Docker build on every push/PR to src/Ghosts.Frontend/**.
    • Pushes ghcr.io/{{username}}/GHOSTS/frontend with tags for commit/branch/release/latest
  • pandora.yml

    • Docker build on every push/PR to src/Ghosts.Pandora/**.
    • Pushes ghcr.io/{{username}}/GHOSTS/pandora with tags for commit/branch/release/latest
  • client-universal.yml (.NET 9)

    • dotnet build CI on push/PR to src/Ghosts.Client.Universal/**, src/Ghosts.Domain/**.
    • On release: matrix publish across all four RIDs (linux-x64, linux-x86, win-x64, win-x86), each zipped and uploaded to the GitHub Release as a separate artifact.
  • client-windows.yml (.NET Framework 4.6.2)

    • NuGet restore + MSBuild CI on windows-latest, triggered by changes to src/Ghosts.Client.Windows/**, src/Ghosts.Domain/**.
    • On release: MSBuild path resolved once via vswhere, then built for both x64 and x86, each zipped and uploaded to the GitHub Release.
  • client-lite.yml (.NET 8)

    • dotnet build CI on push/PR to src/Ghosts.Client.Lite/**, src/Ghosts.Domain/**.
    • On release: matrix publish across all four RIDs, each zipped and uploaded to the GitHub Release as a separate artifact.
  • docs.yml

    • mkdocs gh-deploy, triggered only when docs/**, mkdocs.yml changes.
  • release.yml

    • Watches conventional commits on master and opens/updates a release PR.
    • When release PR is merged, release-please publishes the GitHub Release and tag, which triggers all Docker pushes and binary uploads above.

Release-please config (release-please-config.json):

Single config file, release-type: node. Root package.json is the primary version file. extra-files keeps all version locations in sync on each release PR:

  • CITATION.cff (yaml, also fixed stale 8.0.0 -> 9.0.0)
  • src/Ghosts.Frontend/package.json (json)
  • *.csproj files: AssemblyVersion/FileVersion/Version/ReleaseVersion updated via generic regex, preserving the .0 fourth part
  • src/Ghosts.Client.Windows/Properties/AssemblyInfo.cs

@sei-dupdyke

This is excellent.

It also unhooks my personal dockerhub to use ghcr.io, which is a good thing.

@nblair2 nblair2 force-pushed the fix/frontend branch 2 times, most recently from 23dec8b to d30e019 Compare March 25, 2026 20:00
Deleted 4 obsolete workflows:
- create-container-shadows.yml  shadows component removed from repo
- create_socializer.yml         ghosts.pandora.socializer dir no longer exists
- docker-image.yml              referenced non-existent Dockerfile-universal-client
- login.yml                     standalone Docker Hub login test with no purpose

Moved 5 workflows:
- create_api.yml                replaced by api.yml
- create-container-ui.yml       replaced by frontend.yml
- create_pandora.yml            replaced by pandora.yml
- create_client_universal.yml   replaced by client-universal.yml
- mkdocs.yml                    replaced by docs.yml

Added 3 workflows
- client-windows.yml
- client-lite.yml
- release.yml

Current workflows:
  - api.yml
    * Docker build on every push/PR to src/Ghosts.Api/**, src/Ghosts.Domain/**,
    src/Ghosts.Animator/**, src/Dockerfile-api.
    * Pushes ghcr.io/{{repo}}/api with tags for commit/branch/release/latest

  - frontend.yml
    * Docker build on every push/PR to src/Ghosts.Frontend/**.
    * Pushes ghcr.io/{{repo}}/frontend with tags for commit/branch/release/latest

  - pandora.yml
    * Docker build on every push/PR to src/Ghosts.Pandora/**.
    * Pushes ghcr.io/{{repo}}/pandora with tags for commit/branch/release/latest

  - client-universal.yml (.NET 9)
    * dotnet build CI on push/PR to src/Ghosts.Client.Universal/** or
    src/Ghosts.Domain/**.
    * On release: matrix publish across all four RIDs
    (linux-x64, linux-x86, win-x64, win-x86), each zipped and uploaded
    to the GitHub Release as a separate artifact.

  - client-windows.yml (.NET Framework 4.6.2)
    * NuGet restore + MSBuild CI on windows-latest, triggered by changes to
    src/Ghosts.Client.Windows/** or src/Ghosts.Domain/**.
    * On release: MSBuild path resolved once via vswhere, then built for both
    x64 and x86 each zipped and uploaded to the GitHub Release.

  - client-lite.yml (.NET 8)
    * dotnet build CI on push/PR to src/Ghosts.Client.Lite/** or
    src/Ghosts.Domain/**.
    * On release: matrix publish across all four RIDs each zipped and uploaded
    to the GitHub Release as a separate artifact.

  - docs.yml
    * mkdocs gh-deploy, triggered only when docs/** or mkdocs.yml changes.

  - release.yml
    * Watches conventional commits on master and opens/updates a release PR.
    * When release PR is merged, release-please publishes the GitHub Release
    and tag, which triggers all Docker pushes and binary uploads above.

Release-please config (release-please-config.json):
  Single config file, release-type: node. Root package.json is the primary
  version file. extra-files keeps all version locations in sync on each
  release PR:
    - CITATION.cff (yaml, also fixed stale 8.0.0 -> 9.0.0)
    - src/Ghosts.Frontend/package.json (json)
    - All .csproj files: AssemblyVersion/FileVersion/Version/ReleaseVersion
      updated via generic regex, preserving the .0 fourth part
    - src/Ghosts.Client.Windows/Properties/AssemblyInfo.cs (regex)

Update dependencies and versions to keep all projects building.
@nblair2 nblair2 marked this pull request as ready for review March 25, 2026 20:21

nblair2 commented Mar 25, 2026

Alright, @sei-dupdyke this is ready for your review. As suspected I had to make some tweaks along the way. You can see what this will look like over on my fork.

(ignore the double changelog entries, I was too lazy to turn it to squash merges).

Some choices I made along the way. Happy to switch back on any of these, just had to pick one or the other for now to get it working.

  • version numbers: in all of the .csproj files I chopped off the trailing .0. Not sure if that is a .NET thing, but I don't think release-please can accommodate a 4th digit, so we can leave it always as vX.Y.Z.0 but that last digit won't denote anything.
  • simultaneous locked versioning: Right now I have the versioning configured to be the same across the entire repo. If you update something over in src/Ghosts.Api, the src/Ghosts.Client.Windows/ version is going to get updated too. We absolutely can configure these to be separate packages, just say the word.
  • container names: right now the container names are simple: api, frontend, pandora. We can prepend ghosts- if that makes more sense, but the url is going to be ghcr.io/cmu-sei/ghosts/api, for example, so ghosts is in there.

Highlighted above, there are some changes needed to repository settings to make it fit with these workflows:

  • a RELEASE_TOKEN variable so that release-please can kick off other jobs
  • squash merging, so that Merge commits don't duplicate entries in the changelog.
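
The image naming described in the PR description (a fork's fix/something branch becoming ghcr.io/nblair2/ghosts/api:fix-something) and in the container-names note above (ghcr.io/cmu-sei/ghosts/api), as an added shell example that is not part of the PR or the project's workflows. The function names are hypothetical, and the sanitization rules are an assumption about how a contributor-controlled branch name is mapped onto a valid image tag.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not the PR's workflow code).
# Inputs are passed as arguments, the way a workflow step would receive
# them through env: variables rather than inline ${{ }} interpolation.

# ghcr_image <owner/repo> <component>
# Registry repository paths must be lowercase: cmu-sei/GHOSTS -> cmu-sei/ghosts.
ghcr_image() {
    repo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'ghcr.io/%s/%s' "$repo" "$2"
}

# branch_tag <branch>
# Image tags allow only [A-Za-z0-9_.-], must not start with '.' or '-',
# and are limited to 128 characters. Anything else becomes '-'.
branch_tag() {
    printf '%s' "$1" |
        LC_ALL=C sed -e 's/[^A-Za-z0-9_.-]/-/g' -e 's/^[.-]*//' |
        cut -c1-128
}

# image_ref <owner/repo> <component> <branch>
# Fails (status 1) when nothing usable is left of the branch name.
image_ref() {
    tag=$(branch_tag "$3")
    [ -n "$tag" ] || return 1
    printf '%s:%s\n' "$(ghcr_image "$1" "$2")" "$tag"
}

# Constructed sample: the fork/branch pair used as the example in the PR text.
image_ref nblair2/GHOSTS api fix/something
```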
