This document describes the continuous integration and continuous deployment (CI/CD) infrastructure for the Auth0.NET SDK. The pipeline automates building, testing, security scanning, package publishing, and documentation deployment through GitHub Actions workflows.
For information about local testing setup and fixtures, see 5.1 Test Infrastructure and Patterns. For details on build configuration and MSBuild settings, see 5.4 Build Configuration.
The CI/CD system consists of four primary workflow categories: continuous integration (build and test), security scanning, release orchestration, and documentation deployment. The workflows are defined in .github/workflows/ and use reusable actions from .github/actions/.
| Workflow | Trigger Events | Frequency | Purpose |
|---|---|---|---|
| build.yml | Push/PR to master | Continuous | Build, test, code coverage |
| snyk.yml | Push to master, PR, Schedule | Bi-weekly (1st & 15th) | Vulnerability scanning |
| release.yml | PR merged to release/*, Manual | On-demand | Orchestrates security scans and releases |
| rl-secure.yml | Called by release.yml | On release | Reversing Labs security scanning |
| nuget-release.yml | Called by release.yml | On release | NuGet package publishing |
The following diagram illustrates the relationship between triggers, security scans, and deployment jobs.
[Diagram: CI/CD Workflow Orchestration]
Sources: .github/workflows/build.yml:1-7, .github/workflows/release.yml:1-8, .github/workflows/snyk.yml:1-13
The build.yml workflow implements a four-stage pipeline with sequential job execution to prevent rate limiting issues when testing against live Auth0 APIs. Each stage caches build artifacts to avoid redundant compilation.
Sources: .github/workflows/build.yml:29-127
The workflow uses GitHub Actions cache to store build artifacts between jobs, keyed by a combination of ref, run ID, and attempt (.github/workflows/build.yml:27):
This ensures:
build job (.github/workflows/build.yml:43-47)
Each test job executes with code coverage collection using Coverlet (.github/workflows/build.yml:64):
Coverage reports are uploaded to Codecov with distinct flags to differentiate between unit and integration tests (.github/workflows/build.yml:66-74, .github/workflows/build.yml:93-100, .github/workflows/build.yml:119-126):
| Job | Project | Codecov Flag |
|---|---|---|
| test_core | tests/Auth0.Core.UnitTests/Auth0.Core.UnitTests.csproj | unittests |
| test_auth | tests/Auth0.AuthenticationApi.IntegrationTests/Auth0.AuthenticationApi.IntegrationTests.csproj | authIntTests |
| test_management | tests/Auth0.ManagementApi.IntegrationTests/Auth0.ManagementApi.IntegrationTests.csproj | mgmtIntTests |
The workflow configures test execution through environment variables mapped from repository variables and secrets (.github/workflows/build.yml:9-26):
| Variable | Type | Purpose |
|---|---|---|
| AUTH0_AUTHENTICATION_API_URL | Variable | Auth0 domain for authentication tests |
| AUTH0_CLIENT_ID | Variable | Test client ID |
| AUTH0_CLIENT_SECRET | Secret | Test client secret |
| AUTH0_MANAGEMENT_API_URL | Variable | Management API v2 endpoint |
| AUTH0_MANAGEMENT_API_CLIENT_ID | Variable | M2M client for Management API |
| AUTH0_MANAGEMENT_API_CLIENT_SECRET | Secret | M2M client secret |
| BRUCKE_* | Mixed | Alternative test tenant configuration |
Sources: .github/workflows/build.yml:9-27, .github/workflows/build.yml:30-127
The SDK implements multiple security scanning strategies to detect vulnerabilities and supply chain risks.
The snyk.yml workflow runs on every push to master, pull requests, and a bi-weekly schedule (.github/workflows/snyk.yml:3-13). It targets the solution file with a medium severity threshold (.github/workflows/snyk.yml:45-50):
The workflow includes an optimization for Dependabot PRs by skipping the scan and flagging success to satisfy branch protection (.github/workflows/snyk.yml:30-31).
The rl-secure.yml workflow is a reusable workflow called during releases (.github/workflows/rl-secure.yml:4-25). It scans each package independently by packing them into .nupkg files and then wrapping them in a .tgz for the scanner (.github/workflows/rl-secure.yml:46-59).
[Diagram: Reversing Labs Scan Logic]
The release workflow invokes three parallel scanner jobs for Auth0.Core, Auth0.AuthenticationApi, and Auth0.ManagementApi (.github/workflows/release.yml:18-55). The rl-scanner action uses a Python-based wrapper to interact with Reversing Labs tools via AWS credentials (.github/actions/rl-scanner/action.yml:11-74).
Sources: .github/workflows/snyk.yml, .github/workflows/rl-secure.yml, .github/actions/rl-scanner/action.yml
The release.yml workflow orchestrates the entire release process, triggered by a PR merge to a release/ branch or manual dispatch (.github/workflows/release.yml:3-7).
The release workflow handles independent versioning for the Management API package through the tag-prefix parameter and distinct working directories (.github/workflows/release.yml:57-81):
| Job | Packages | Working Directory | Tag Prefix |
|---|---|---|---|
| auth | Auth0.Core, Auth0.AuthenticationApi | ./ | (empty) |
| management | Auth0.ManagementApi | src/Auth0.ManagementApi | mgmt- |
The version is extracted from the .version file located in the respective working directory via the get-version action (.github/actions/get-version/action.yml:21-27).
Sources: .github/workflows/release.yml:57-81, .github/actions/get-version/action.yml:21-27
The nuget-release.yml reusable workflow handles package creation, publishing, and GitHub release creation (.github/workflows/nuget-release.yml:25-84).
The nuget-publish action (.github/actions/nuget-publish/action.yml:15-44) performs the actual package operations:
Package Creation (.github/actions/nuget-publish/action.yml:31-34):
Package Publishing (.github/actions/nuget-publish/action.yml:41-44):
The process includes automated extraction of release notes from the PR body (.github/actions/get-release-notes/action.yml:26-37) and detection of pre-release versions based on the version string suffix (e.g., "alpha" or "beta") (.github/actions/get-prerelease/action.yml:21-28).
Sources: .github/workflows/nuget-release.yml:43-55, .github/actions/nuget-publish/action.yml:15-44, .github/actions/get-release-notes/action.yml:26-37, .github/actions/get-prerelease/action.yml:21-28
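The .version lookup, tag-prefix handling and pre-release detection described in the two sections above, shown together as one shell routine. This is an added example, not the project's get-version or get-prerelease action: the function names, the version validation, the rule that any `-suffix` marks a pre-release, and the sample version numbers are assumptions.

```sh
#!/bin/sh
# Added example: function names and sample versions are hypothetical,
# not taken from the project's get-version / get-prerelease actions.

# read_version DIR: print the validated contents of DIR/.version.
read_version() (
  file="$1/.version"
  [ -f "$file" ] || { echo "missing $file" >&2; exit 1; }
  version=$(tr -d ' \t\r\n' < "$file")
  # Accept only MAJOR.MINOR.PATCH with an optional -suffix, so the value is
  # safe to interpolate into a tag name or a later command line.
  if ! printf '%s\n' "$version" |
      grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
    echo "invalid version in $file" >&2
    exit 1
  fi
  printf '%s\n' "$version"
)

# is_prerelease VERSION: assumption: any -suffix (alpha, beta, ...) counts.
is_prerelease() {
  case "$1" in
    *-*) return 0 ;;
    *)   return 1 ;;
  esac
}

# release_plan DIR PREFIX: print the tag and pre-release flag for one package.
release_plan() (
  version=$(read_version "$1") || exit 1
  if is_prerelease "$version"; then pre=true; else pre=false; fi
  printf 'tag=%s%s prerelease=%s\n' "$2" "$version" "$pre"
)

# Constructed sample layout mirroring the two release jobs in the table.
demo=$(mktemp -d)
mkdir -p "$demo/src/Auth0.ManagementApi"
echo '1.2.3' > "$demo/.version"
echo '4.0.0-beta.1' > "$demo/src/Auth0.ManagementApi/.version"
release_plan "$demo" ''
release_plan "$demo/src/Auth0.ManagementApi" 'mgmt-'
rm -rf "$demo"
```

Rejecting a malformed .version before it reaches a tag name or a `dotnet` command line keeps a bad commit to that file from turning into an unexpected tag or argument.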
The release workflow includes automated API documentation generation using DocFX (.github/workflows/release.yml:83-109).
The documentation is generated from the docs-source/docfx.json configuration (.github/workflows/release.yml:104) and deployed to GitHub Pages using the github-pages environment (.github/workflows/release.yml:120-128). This job only runs on successful release branch merges or manual dispatch (.github/workflows/release.yml:86).
Sources: .github/workflows/release.yml:83-128
The CI/CD pipeline requires several categories of secrets for authentication and service integration.
| Secret | Used By | Purpose |
|---|---|---|
| CODECOV_TOKEN | build.yml | Code coverage reporting |
| NUGET_APIKEY | release.yml | Publishing to NuGet.org |
| GITHUB_TOKEN | release.yml | Creating GitHub releases/tags |
| SNYK_TOKEN | snyk.yml | Snyk API authentication |
| RLSECURE_* | rl-secure.yml | Reversing Labs scanning credentials |
| PRODSEC_* | rl-secure.yml | JFrog Artifactory and AWS credentials |
Workflows require id-token: write permissions for OIDC-based authentication (e.g., for Reversing Labs scanner to assume AWS roles) and contents: write for creating tags and releases (.github/workflows/release.yml:9-11, .github/workflows/release.yml:116-118).
Sources: .github/workflows/release.yml:9-11, .github/workflows/release.yml:116-118, .github/workflows/build.yml:10-26
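One way to check a workflow file against the two write scopes named above is to list every `write` grant that falls outside an allow-list. This is an added example, not part of the Auth0.NET repository: `audit_permissions`, `sample_workflow` and the YAML they use are assumptions, and the parser handles only block-style `permissions:` mappings.

```sh
# Added example: audit_permissions, sample_workflow and the YAML below are
# hypothetical and constructed; they are not the project's workflow files.

# audit_permissions FILE SCOPE...: print every scope granted "write" in FILE
# that is not in the allow-list SCOPE...; returns 1 if any is found, if
# write-all is used, or if FILE declares no permissions block at all.
audit_permissions() (
  file=$1; shift
  awk -v allowed=" $* " '
    /^ *#/ || /^ *$/ { next }                 # skip comments and blank lines
    { body = $0; sub(/^ +/, "", body); indent = length($0) - length(body) }
    in_block && indent <= block_indent { in_block = 0 }   # block has ended
    body ~ /^permissions:/ {
      seen = 1; in_block = 1; block_indent = indent
      if (body ~ /write-all/) { print "write-all"; bad = 1 }
      next
    }
    in_block && body ~ /: *write *$/ {
      scope = body; sub(/:.*/, "", scope)
      if (index(allowed, " " scope " ") == 0) { print scope; bad = 1 }
    }
    END {
      if (!seen) { print "no-permissions-block"; bad = 1 }
      exit (bad ? 1 : 0)
    }
  ' "$file"
)

# Constructed workflow: the top level matches the two write scopes the page
# names; the job-level block adds one that the allow-list does not cover.
sample_workflow() {
  cat <<'EOF'
name: release
permissions:
  contents: write
  id-token: write
jobs:
  publish:
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-latest
EOF
}

wf=$(mktemp)
sample_workflow > "$wf"
audit_permissions "$wf" id-token contents || echo "unexpected write grant(s) listed above"
rm -f "$wf"
```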