chore(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 (#116) #296
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
workflow_dispatch: | |
permissions: | |
actions: read | |
checks: none | |
contents: read | |
deployments: none | |
issues: none | |
packages: write | |
pull-requests: none | |
repository-projects: none | |
security-events: write | |
statuses: none | |
# Cancel in-progress runs for pull requests when developers push | |
# additional changes | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
jobs: | |
lint: | |
runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
# Install Go! | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "~1.23" | |
# Check for Go linting errors! | |
- name: Lint Go | |
uses: golangci/[email protected] | |
with: | |
version: v1.62.2 | |
args: "--out-${NO_FUTURE}format colored-line-number" | |
- name: Lint shell scripts | |
uses: ludeeus/[email protected] | |
env: | |
SHELLCHECK_OPTS: --external-sources | |
with: | |
ignore: node_modules | |
- uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: 1.1.9 | |
terraform_wrapper: false | |
- name: Terraform init | |
run: terraform init | |
- name: Terraform validate | |
run: terraform validate | |
fmt: | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
submodules: true | |
- uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: 1.1.9 | |
terraform_wrapper: false | |
- name: Install markdownfmt | |
run: go install github.com/Kunde21/markdownfmt/v3/cmd/markdownfmt@latest | |
- name: make fmt | |
run: | | |
export PATH=${PATH}:$(go env GOPATH)/bin | |
make --output-sync -j -B fmt | |
- name: Check for unstaged files | |
run: ./scripts/check_unstaged.sh | |
unit-tests: | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "~1.23" | |
# Sadly the new "set output" syntax (of writing env vars to | |
# $GITHUB_OUTPUT) does not work on both powershell and bash so we use the | |
# deprecated syntax here. | |
- name: Echo Go Cache Paths | |
id: go-cache-paths | |
run: | | |
echo "::set-output name=GOCACHE::$(go env GOCACHE)" | |
echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)" | |
- name: Go Build Cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.go-cache-paths.outputs.GOCACHE }} | |
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }} | |
- name: Go Mod Cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} | |
- name: Run unit tests | |
id: test | |
shell: bash | |
run: go test ./... | |
integration-tests: | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 20 | |
steps: | |
- name: Install dependencies | |
run: sudo apt update && sudo apt install -y gcc | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "~1.23" | |
# Sadly the new "set output" syntax (of writing env vars to | |
# $GITHUB_OUTPUT) does not work on both powershell and bash so we use the | |
# deprecated syntax here. | |
- name: Echo Go Cache Paths | |
id: go-cache-paths | |
run: | | |
echo "::set-output name=GOCACHE::$(go env GOCACHE)" | |
echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)" | |
- name: Go Build Cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.go-cache-paths.outputs.GOCACHE }} | |
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }} | |
- name: Go Mod Cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} | |
- name: Run integration tests | |
id: test | |
shell: bash | |
run: go test -tags=integration ./... | |
build: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "~1.23" | |
- name: Go Cache Paths | |
id: go-cache-paths | |
run: | | |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT | |
- name: Go Mod Cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }} | |
- name: Install yq | |
run: go run github.com/mikefarah/yq/[email protected] | |
- name: build image | |
run: make -j build/image/envbox | |
# We don't want to run Trivy on pull requests. | |
- name: Exit if not on main | |
if: github.ref != 'refs/heads/main' | |
run: exit 0 | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: envbox:latest | |
format: sarif | |
output: trivy-results.sarif | |
severity: "CRITICAL,HIGH" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: trivy-results.sarif | |
category: "Trivy" | |
- name: Upload Trivy scan results as an artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy | |
path: trivy-results.sarif | |
retention-days: 7 | |
codeql: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Setup Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: "~1.23" | |
- name: Go Cache Paths | |
id: go-cache-paths | |
run: | | |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT | |
- name: Go Mod Cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }} | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: go | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
publish: | |
runs-on: ubuntu-20.04 | |
if: github.ref == 'refs/heads/main' | |
steps: | |
- name: Docker Login | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/checkout@v3 | |
with: | |
# Needed to get older tags | |
fetch-depth: 0 | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "~1.23" | |
- name: build image | |
run: make -j build/image/envbox | |
- name: Tag and push envbox-preview | |
run: | | |
VERSION=$(./scripts/version.sh)-dev-$(git rev-parse --short HEAD) | |
BASE=ghcr.io/coder/envbox-preview | |
docker tag envbox "${BASE}:${VERSION}" | |
docker push "${BASE}:${VERSION}" |