Svetlin Krastanov
DevOps Team Lead and Senior .NET Developer
Article: https://dev.bg/digest/vsg-bulgaria-devops-automation-dc03/
Welcome to our article on free end-to-end DevOps automation for .NET projects. Today, we will show you how to build an automated process to develop, test, publish and scan the security of your project using free technologies like GitHub Actions, Azure Static App, and GitHub Pages. By following the steps in this article, you will be able to achieve much faster and more efficient construction and delivery of your .NET project.
Without wasting time, let's get started!
In this article, we will show you how to use the free .NET and GitHub Actions tools to create a complete DevOps process. We will focus on the five main steps:
- Creating a project and preparing for a release (GitFlow)
- Compilation of the project and creation of artifacts - Continuous Integration (CI)
- Automation testing (Unit, Selenium) - Continuous Testing (CT)
- Publishing the project in a web server - Continuous Delivery (CD)
- Automatic vulnerability scanning - Continuous Security (CS)
All described steps are developed on a sample project on GitHub at this link 🔗 and free. The project will develop with the publication of the next 2 articles, which will include:
Article 2:
- Manage versions in projects
- Docker images
- Nuget and NPM Packet Registers
- + bonus themes
Article 3:
- Kubernetes
- Chatbots for automation and integration (Skype, Microsoft Teams, etc.)
- Relays and automatic publishing of changelog
- + bonus topics naturally
See readme.md here, which will develop with each article!
Step 1: Create a project and prepare for the release
- Create GitHub Repositors: Open GitHub, create a new account (if necessary), and create repositories for your project by setting a name and visibility settings. For .gitignore template you can use the already ready template for Visual Studio.
- Create a Blazor project with Visual Studio: Install and open Visual Studio, create a new project, select the "Blazor WebAssembly Application" template, specify a project name and storage location.
- Upload the project to GitHub: Open the project in Visual Studio, check the code and architecture, use the integrated Git client to commit and save changes to the GitHub repository.
Step 2: Build the project and create artifacts (Continuous Integration)
Once we have created our project and are ready to release it into production, the next step is to compile our code and create artifacts that will be used to distribute our application.
For this, you will need to create a workflow file in the repository. The file must have the name "dotnet-core.yml" and be in the ".github/workflows" folder. Inside the file, the following steps will need to be added:
- Install .NET Core SDK (Software Development Kits)
- Compilation of the application
- Creation of artifact
This workflow will run every time a new commit is released in our main branch. It will complete all the necessary steps to compile the project, including:
- Checkout on code from GitHub repositories
- Install the required .NET version
- Install all external packages (nuget/npm packages)
- Compilation of the project in Release configuration
- Upload created artifacts to GitHub
Once this workflow is completed successfully, we have ready artifacts that can be used to distribute our application.
Link to the automated process (GitHub action)!
Step 3: Continuous Testing
In this step, we will use GitHub Actions to run the automatic tests of the project when new code is added, or we make changes.
- Creating a test environment: We create a test environment that we will use to run the tests. It can be based on Docker or use virtual machines. In our case, we will use Docker.
- Writing tests: We write automated tests to check if the project functionalities are working properly. In .NET we have many different testing frameworks, such as NUnit, MSTest, xUnit and others.
- Configuring GitHub Actions: We add a configuration file to GitHub to tell GitHub Actions
how to run the tests. In this file, we define what test environment to use, what tests to run, and how to report the results.
GitHub Actions allows each commit to run a complete set of tests to ensure that the new code does not spoil already working functionality. This gives us confidence that the code is in good condition and can be released in a production environment without causing problems.
Link to the automated process with Selenium tests (GitHub Action)!
Link to the automated process with Unit tests (GitHub Action)!
Step 4: Publish the project to a web server (Continuous Delivery)
GitHub offers many integrations with various web services that allow automated application publishing. In this case, we will use GitHub Actions to publish the application to Azure Static App and Github Pages.
Azure Static App is a web service that allows publishing static web applications to the Microsoft Azure cloud. Github Pages, on the other hand, is a static website posting service that GitHub provides.
To publish the app to Azure Static App, we need to do the following steps:
- Create a new Azure Static App instance in Azure Portal.
- Set up your instance by specifying the path to the folder that contains the compiled application files.
- Create and configure a .yml file for GitHub Actions. In this file, we will add instructions for compiling the app, uploading the files to the Azure Static App, and posting a successful posting message to a Slack channel.
Link to the automated publishing process in Azure Static Web App (GitHub Action)!
Link to the automated process for posting on GitHub Pages (GitHub Action)!
Step 5: Automatic Vulnerability Scan (Continuous Security)
Once the project has been successfully tested and published, it is time to check it for potential security vulnerabilities. For this purpose, we can use OWASP ZAP and the CodeQL tools available in GitHub Actions.
OWASP ZAP is a free web application testing tool that can perform several types of vulnerability scanning, including scanning for Cross-Site Scripting (XSS), SQL injection and others. To use OWASP ZAP in GitHub Actions, we can use the official action called "ZAP Scan". It allows us to configure the scan and get a report with the relevant results.
CodeQL is a tool that can help in detecting potential security issues in the code. It can analyze code for vulnerabilities, including SQL injection and others. To use CodeQL in GitHub Actions, we can use the official action called "CodeQL Analysis". It allows us to configure the code analysis and get a report with the results.
Once the security tools are configured, we can run automatic scans of our code to make sure we do not have any potential security vulnerabilities. If such problems are found, they should be corrected as soon as possible.
Link to the automated process with OWASP ZAP (GitHub Action)!
Link to the automated process with CodeQL (GitHub Action)!
Conclusion
In conclusion, the DevOps practices and tools that were used in this article are only a small part of the opportunities that this software development and delivery methodology offers. DevOps' end-to-end approach allows teams to develop and deliver software faster and more efficiently, while providing higher application quality and security.
With the integration of automatic testing, web server publishing, and automatic security scans, teams can work faster and focus on developing new features and application improvements, rather than wasting time on manual testing and publishing processes.
Finally, it is important to note that this article demonstrates how we can use free tools and services to achieve successful DevOps practice. The freedom and flexibility of these tools make DevOps accessible to any team, regardless of the size or financial means at their disposal.
Follow me on LinkedIn or follow dev.bg for the next articles.
Thank you for reading and may the force be with you!
Disclaimer: The article, projects and code used bots and tools: ChatGPT (writing), GitHub Copilot (code), Resharper (code), Dependabot (dependency updates)