chore: Bump dependencies' versions #323
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
# Ensure only one job per branch. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
on: | |
push: | |
branches: [master] | |
tags: ["*"] | |
pull_request: | |
branches: [master] | |
types: [opened, synchronize] | |
jobs: | |
test: | |
name: Test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.22" | |
check-latest: true | |
- name: Setup cache | |
uses: actions/cache@v4 | |
id: cache-go | |
with: | |
path: ~/go/pkg/mod | |
# yamllint disable-line rule:line-length | |
key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }} | |
- name: Install and configure dependencies | |
run: | | |
make dev | |
- name: Run tests | |
run: | | |
make test-cov-xml | |
- name: Upload test report | |
if: always() | |
uses: mikepenz/action-junit-report@v4 | |
with: | |
check_name: Test report | |
report_paths: '**/.junit.xml' | |
- name: Upload coverage | |
uses: paambaati/[email protected] | |
env: | |
CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} | |
with: | |
coverageLocations: | | |
${{ github.workspace }}/.coverage.xml:cobertura | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.22" | |
check-latest: true | |
- name: Run linter | |
uses: golangci/golangci-lint-action@v4 | |
with: | |
version: v1.54.2 | |
args: --timeout=2m | |
scan-ast: | |
name: Scan AST security | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Run gosec | |
uses: securego/gosec@master | |
with: | |
args: '-no-fail -fmt sarif -out results.sarif ./...' | |
scan-deps: | |
name: Scan dependencies | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.22" | |
check-latest: true | |
- name: Export dependencies | |
run: go list -json -deps ./... > go.list | |
- name: Run nancy | |
uses: sonatype-nexus-community/nancy-github-action@main | |
with: | |
nancyVersion: "v1.0.41" | |
pub-image: | |
name: Publish Docker image | |
runs-on: ubuntu-latest | |
needs: [lint, test, scan-ast, scan-deps] | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
# Ensure all git history is cloned, so we can infer the correct version in Docker. | |
fetch-depth: 0 | |
- name: Setup docker buildx | |
if: github.event_name != 'pull_request' | |
uses: docker/setup-buildx-action@v3 | |
- name: Extract metadata for image | |
if: github.event_name != 'pull_request' | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
ghcr.io/${{ github.repository }} | |
tags: | | |
type=semver,pattern={{version}} | |
type=raw,value=latest,enable={{is_default_branch}} | |
flavor: | | |
latest=true | |
- name: Get current time | |
run: | | |
echo "BUILD_TIME=$(date -u '+%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV | |
- name: Login to container registry | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and publish image | |
if: github.event_name != 'pull_request' | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
build-args: | | |
REVISION=${{ github.sha }} | |
BUILD_TIME=${{ env.BUILD_TIME }} |