[StepSecurity] ci: Harden GitHub Actions #2980
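# Validation workflow: builds, tests and lints the project on every push and
# pull request that targets main.
name: Validate

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# One active run per workflow and PR branch. head_ref is only set for
# pull_request events, so push runs fall back to the unique run_id and are
# never cancelled by each other.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Workflow-wide default for GITHUB_TOKEN: read-only access to repository
# contents. Jobs that need more must declare it themselves.
permissions:
  contents: read

jobs:
  validate:
    name: validate - ${{ matrix.name }}
    runs-on: ${{ matrix.runner }}
    # NOTE(review): the image is referenced by tag, which the registry owner can
    # re-point. The actions below are pinned to commit SHAs; pinning this image
    # by digest (image@sha256:<digest>) would give it the same guarantee.
    container: ghcr.io/kedacore/keda-tools:1.23.3
    strategy:
      matrix:
        include:
          # NOTE(review): "ARM64" looks like a self-hosted runner label; confirm.
          # If so, pull_request runs execute contributor-supplied code on that
          # machine, so it should be ephemeral or isolated, and runs from forks
          # should require maintainer approval.
          - runner: ARM64
            name: arm64
          - runner: ubuntu-latest
            name: amd64
    steps:
      # NOTE(review): the trailing comment names only the major version, and
      # the statics job pins a different checkout commit (labelled v4.2.2).
      # Consider aligning the two pins and recording the exact release here.
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4
      # Marks the workspace as a git safe.directory so later git commands
      # accept it (presumably needed because the job runs inside a container).
      - name: Register workspace path
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Check go version
        run: go version
      # Step outputs are written to the $GITHUB_OUTPUT file. The stdout-based
      # `::set-output` command used previously is deprecated: anything able to
      # print to the step log could set or override outputs that way.
      - name: Set Go paths
        id: go-paths
        run: |
          echo "mod_cache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
          echo "build_cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
      # Both caches are keyed on the runner OS and the hash of every go.sum.
      - name: Go modules cache
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4.1.2
        with:
          path: ${{ steps.go-paths.outputs.mod_cache }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Go build cache
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4.1.2
        with:
          path: ${{ steps.go-paths.outputs.build_cache }}
          key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
      - name: Download Go Modules
        run: go mod download
      - name: Codegen
        run: make verify-codegen
      - name: Manifests
        run: make verify-manifests
      - name: Mockgen
        run: make verify-mockgen
      # matrix.name is one of the fixed values declared in the matrix above
      # (arm64 / amd64), so the inline expression carries no outside input.
      - name: Build
        run: ARCH=${{ matrix.name }} make build
      - name: Test
        run: ARCH=${{ matrix.name }} make test

  statics:
    # Job-level permissions replace the workflow default for this job.
    permissions:
      contents: read  # for actions/checkout to fetch code
      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    name: Static Checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a  # v5.2.0
        with:
          go-version: "1.23"
      - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8  # v6.1.1
        with:
          version: v1.60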