Test signing artifacts ; build and publish in same step on releases #343
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tests and Build | |
| on: | |
| push: | |
| branches: [main] | |
| tags: [v*] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| ALPINE_IMAGE_NAME: ghcr.io/webmeshproj/node | |
| DISTROLESS_IMAGE_NAME: ghcr.io/webmeshproj/node-distroless | |
| GO_VERSION: ^1.20 | |
| NODE_VERSION: 18 | |
| GOLANGCI_LINT_VERSION: v1.53.2 | |
| DOCKER_PLATFORMS: linux/amd64,linux/arm64,linux/arm,linux/386,linux/ppc64le,linux/s390x | |
| jobs: | |
| lint: | |
| name: Static Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: "read" | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| check-latest: true | |
| cache-dependency-path: go.sum | |
| - name: Download Go Modules | |
| shell: bash | |
| run: go mod download -x | |
| - name: Run Linting | |
| uses: golangci/golangci-lint-action@v3 | |
| with: | |
| version: ${{ env.GOLANGCI_LINT_VERSION }} | |
| args: --timeout 10m | |
| skip-pkg-cache: true | |
| tests: | |
| name: Unit Tests | |
| needs: [lint] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, windows-latest, macos-latest] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: "read" | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| check-latest: true | |
| cache-dependency-path: go.sum | |
| - name: Download Go Modules | |
| shell: bash | |
| run: go mod download -x | |
| - name: Run Unit Tests | |
| shell: bash | |
| run: make test | |
| build: | |
| name: Build Artifacts | |
| runs-on: ubuntu-latest | |
| needs: [tests] | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| packages: "write" | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node | |
| uses: actions/setup-node@v2 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Cache Node Modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| web/dashboard/.yarn/cache | |
| web/dashboard/node_modules | |
| key: ${{ runner.os }}-node-${{ hashFiles('web/dashboard/yarn.lock') }} | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| check-latest: true | |
| cache-dependency-path: go.sum | |
| - name: Setup Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Setup Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Get Release Args | |
| shell: bash | |
| id: release-args | |
| run: | | |
| if [[ ${{ github.ref }} =~ ^refs/tags/v.* ]] ; then | |
| ARGS="--clean --fail-fast" | |
| else | |
| ARGS="--snapshot --clean --fail-fast" | |
| fi | |
| echo "args=${ARGS}" >> "${GITHUB_OUTPUT}" | |
| - name: Build Binaries | |
| uses: goreleaser/goreleaser-action@v4 | |
| with: | |
| version: latest | |
| args: release ${{ steps.release-args.outputs.args }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@v2 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| registry: "ghcr.io" | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Get Image Tags | |
| shell: bash | |
| id: tags | |
| run: | | |
| ALPINE_IMAGES="${ALPINE_IMAGE_NAME}:latest,${ALPINE_IMAGE_NAME}:${{ github.sha }}" | |
| DISTROLESS_IMAGES="${DISTROLESS_IMAGE_NAME}:latest,${DISTROLESS_IMAGE_NAME}:${{ github.sha }}" | |
| if [[ ${{ github.ref }} =~ ^refs/tags/v.* ]] ; then | |
| ALPINE_IMAGES+=",${ALPINE_IMAGE_NAME}:${{ github.ref_name }}" | |
| DISTROLESS_IMAGES+=",${DISTROLESS_IMAGE_NAME}:${{ github.ref_name }}" | |
| fi | |
| echo "alpine-images=${ALPINE_IMAGES}" >> "${GITHUB_OUTPUT}" | |
| echo "distroless-images=${DISTROLESS_IMAGES}" >> "${GITHUB_OUTPUT}" | |
| - name: Build Alpine Container Images | |
| uses: docker/build-push-action@v4 | |
| id: alpine-build | |
| with: | |
| context: . | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.tags.outputs.alpine-images }} | |
| platforms: ${{ env.DOCKER_PLATFORMS }} | |
| - name: Build Distroless Container Images | |
| uses: docker/build-push-action@v4 | |
| id: distroless-build | |
| with: | |
| context: . | |
| file: Dockerfile.distroless | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.tags.outputs.distroless-images }} | |
| platforms: ${{ env.DOCKER_PLATFORMS }} | |
| - name: Sign Container Images | |
| shell: bash | |
| if: ${{ github.event_name != 'pull_request' }} | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| cosign sign --yes --recursive ${ALPINE_IMAGE_NAME}@${{ steps.alpine-build.outputs.digest }} | |
| cosign sign --yes --recursive ${DISTROLESS_IMAGE_NAME}@${{ steps.distroless-build.outputs.digest }} |