Bump github/codeql-action from 2.1.6 to 3.27.4 #621
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # mod dependency updated, golangci-lint, gofmt updated, go vet, use internal lock pkg | |
| # code quality check, like codeql and gokart | |
| # build binary | |
| # unitest and upload coverage | |
| name: Lint Golang And Unitest | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| pull_request: {} | |
| push: | |
| branches: | |
| - main | |
| - release-* | |
| workflow_dispatch: | |
| inputs: | |
| ref: | |
| description: 'branch, sha, tag' | |
| required: true | |
| default: main | |
| workflow_call: | |
| inputs: | |
| ref: | |
| required: true | |
| type: string | |
| permissions: write-all | |
| # for each pr, queue all workflows | |
| # if not , pull_request_target and push will trigger 2 at the same time | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | |
| cancel-in-progress: true | |
| jobs: | |
| # filter changes base filt path , so step analyze can do less thing | |
| filter_changes: | |
| name: Deduce required tests from code changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| check: ${{ steps.result.outputs.check }} | |
| ref: ${{ steps.result.outputs.ref }} | |
| steps: | |
| - name: Check Go Code Changes | |
| uses: dorny/[email protected] | |
| if: ${{ github.event_name == 'pull_request' }} | |
| id: filter_pr | |
| with: | |
| base: ${{ github.event.pull_request.base.sha }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| filters: | | |
| src: | |
| - .github/workflows/lint-golang.yaml | |
| - '**/*.go' | |
| - 'go.mod' | |
| - 'go.sum' | |
| - name: Result | |
| id: result | |
| run: | | |
| if ${{ github.event_name == 'push' }} ; then | |
| echo "trigger by push" | |
| echo "::set-output name=check::true" | |
| echo "::set-output name=ref::${{ github.sha }}" | |
| elif ${{ github.event_name == 'pull_request' }} ; then | |
| echo "trigger by pull_request" | |
| flag=${{ steps.filter_pr.outputs.src }} | |
| echo "::set-output name=check::${flag}" | |
| ref=${{ github.event.pull_request.head.sha }} | |
| echo "::set-output name=ref::${ref}" | |
| elif ${{ inputs.ref != '' }} ; then | |
| echo "trigger by workflow_call" | |
| echo "::set-output name=check::true" | |
| echo "::set-output name=ref::${{ inputs.ref }}" | |
| elif ${{ github.event_name == 'workflow_dispatch' }} ; then | |
| echo "trigger by workflow_dispatch" | |
| echo "::set-output name=check::true" | |
| echo "::set-output name=ref::${{ github.event.inputs.ref }}" | |
| else | |
| echo "error, unexpected event " | |
| exit 1 | |
| fi | |
| lint-golang: | |
| needs: filter_changes | |
| if: ${{ needs.filter_changes.outputs.check == 'true' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.17.8 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ needs.filter_changes.outputs.ref }} | |
| - name: Check module vendoring | |
| run: | | |
| go mod tidy | |
| go mod vendor | |
| if ! test -z "$(git status --porcelain)"; then | |
| echo "please run 'go mod tidy && go mod vendor', and submit your changes" | |
| exit 1 | |
| fi | |
| # ================ lint | |
| - name: Run golangci-lint | |
| id: golangci_lint | |
| continue-on-error: true | |
| uses: golangci/golangci-lint-action@v3 | |
| with: | |
| version: latest | |
| - name: Check Make lint-golang | |
| id: other | |
| continue-on-error: true | |
| run: | | |
| make lint-golang | |
| - name: Result | |
| run: | | |
| result=${{ steps.golangci_lint.outcome }} | |
| [ "${result}"x == "failure"x ] && echo "step golangci_lint failed" && exit 1 | |
| result=${{ steps.other.outcome }} | |
| [ "${result}"x == "failure"x ] && echo "step gokart failed" && exit 3 | |
| echo "all succeed" | |
| exit 0 | |
| quality: | |
| needs: filter_changes | |
| if: ${{ needs.filter_changes.outputs.check == 'true' }} | |
| runs-on: ubuntu-latest | |
| # required by codeQL | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.17.8 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ needs.filter_changes.outputs.ref }} | |
| fetch-depth: 0 | |
| # ================= quality | |
| # https://github.com/github/codeql-action | |
| # GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities | |
| - name: CodeQL Initialize | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| languages: go | |
| - name: CodeQL Analysis | |
| uses: github/codeql-action/[email protected] | |
| # https://github.com/praetorian-inc/gokart | |
| # static analysis tool for Go that finds vulnerabilities using the SSA | |
| - name: gokart | |
| id: gokart | |
| run: | | |
| go install github.com/praetorian-inc/gokart@latest | |
| gokart scan --globalsTainted | |
| lint_build: | |
| needs: filter_changes | |
| if: ${{ needs.filter_changes.outputs.check == 'true' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.17.8 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ needs.filter_changes.outputs.ref }} | |
| - name: Build Lint | |
| run: | | |
| make build-bin | |
| unitest: | |
| needs: filter_changes | |
| if: ${{ needs.filter_changes.outputs.check == 'true' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.17.8 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ needs.filter_changes.outputs.ref }} | |
| # ================= unitest | |
| - name: Run unitest | |
| id: unitest | |
| continue-on-error: true | |
| run: | | |
| make unitest-tests | |
| - name: Upload Coverage Artifact | |
| if: ${{ steps.unitest.outcome == 'failure' }} | |
| uses: actions/[email protected] | |
| with: | |
| name: coverage.out | |
| path: coverage.out | |
| retention-days: 1 | |
| - name: Upload Report Artifact | |
| if: ${{ steps.unitest.outcome == 'failure' }} | |
| uses: actions/[email protected] | |
| with: | |
| name: testreport.json | |
| path: testreport.json | |
| retention-days: 1 | |
| # ============= upload coverage report | |
| # Coveralls | |
| # https://github.com/marketplace/actions/actions-goveralls | |
| # https://github.com/mattn/goveralls | |
| - name: Upload to Coveralls | |
| if: ${{ steps.unitest.outcome != 'failure' }} | |
| uses: shogo82148/[email protected] | |
| with: | |
| path-to-profile: coverage.out | |
| # upload coverage report to Codecov | |
| # https://github.com/marketplace/actions/codecov | |
| # for codevcov configuration: /codecov.yml https://docs.codecov.com/docs/common-recipe-list | |
| - name: Upload to Codecov | |
| if: ${{ steps.unitest.outcome != 'failure' }} | |
| uses: codecov/[email protected] | |
| with: | |
| # 虽然官方说 not required for public repos, 但是发现 有时 action 经常 会报错 要求token | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| # Directory to search for coverage reports | |
| directory: './' | |
| files: 'coverage.out' | |
| flags: unittests # optional | |
| # optional, Custom defined name for the upload | |
| name: my-codecov-umbrella | |
| # optional (default = false) | |
| fail_ci_if_error: true | |
| # optional (default = false) | |
| verbose: true | |
| - name: Result | |
| if: ${{ steps.unitest.outcome == 'failure' }} | |
| run: | | |
| echo "unitest failed" | |
| exit 1 |