👷 Merge docker build + push step / [Yannig] is testing from current repo 🚀 #107
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull request | |
| run-name: "${{ github.event.pull_request.title }} / [${{ github.actor }}] is testing${{ github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name && format(' from fork [{0}]', github.event.pull_request.head.repo.full_name) || format(' from current repo') }} 🚀" | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - master | |
| paths-ignore: | |
| - ".github/**/*.yml" | |
| - "**/*.md" | |
| - "README.md" | |
| permissions: | |
| contents: write | |
| packages: write | |
| security-events: write | |
| pull-requests: write | |
| concurrency: | |
| group: ${{ github.event.pull_request.head.repo.full_name }}-${{ github.head_ref }}/${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
| PULL_REQUEST_BRANCH: ${{ github.head_ref }} | |
| PULL_REQUEST_HEAD: ${{ github.event.pull_request.head.sha }} | |
| CONCURRENCY_GROUP: ${{ github.event.pull_request.head.repo.full_name }}-${{ github.head_ref }}/${{ github.ref }} | |
| BRANCH: ${{ github.event.pull_request.head.ref }} | |
| REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: "ghcr.io/${{ github.repository }}" | |
| RELEASE: false | |
| FORKED: ${{ github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }} | |
| jobs: | |
| config: | |
| if: github.triggering_actor != 'dependabot[bot]' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| go-version: ${{ fromJson(steps.config.outputs.config).go-version }} | |
| deploy-pull-request: ${{ fromJson(steps.config.outputs.config).deploy.pull-request }} | |
| deploy-sign-docker-image: ${{ fromJson(steps.config.outputs.config).deploy.sign-docker-image }} | |
| deploy-pre-release-matrix: ${{ steps.pre-release-matrix.outputs.matrix }} | |
| deploy-release-matrix: ${{ steps.release-matrix.outputs.matrix }} | |
| is-forked: ${{ github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ env.PULL_REQUEST_HEAD }} | |
| - name: Read config | |
| id: config | |
| run: echo "config=$(jq -M -c '.' ./.github/workflow-config.json)" >> $GITHUB_OUTPUT | |
| - name: List Pre-release profiles | |
| id: deploy-pr-images-profiles | |
| run: echo "profiles=$(jq -c -M '.deploy."pull-request-images"' .github/workflow-config.json)" >> $GITHUB_OUTPUT | |
| - name: Deploy pre-release matrix | |
| id: pre-release-matrix | |
| run: echo 'matrix={"include":${{ steps.deploy-pr-images-profiles.outputs.profiles }} }' >> $GITHUB_OUTPUT | |
| - name: List release profiles | |
| id: deploy-images-profiles | |
| run: echo "profiles=$(jq -c -M '.deploy."release-images"' .github/workflow-config.json)" >> $GITHUB_OUTPUT | |
| - name: Deploy release matrix | |
| id: release-matrix | |
| run: echo 'matrix={"include":${{ steps.deploy-images-profiles.outputs.profiles }} }' >> $GITHUB_OUTPUT | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - config | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ env.PULL_REQUEST_HEAD }} | |
| - name: Setup Golang | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: ${{ needs.config.outputs.go-version }} | |
| - name: Get makefile versions | |
| id: version | |
| run: | | |
| version=$(make version) | |
| echo "version=$version" >> $GITHUB_OUTPUT | |
| - name: Setup Golang cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Build artifact | |
| run: make go-build | |
| - name: Run test | |
| run: make go-test | |
| - name: Go lint | |
| continue-on-error: true | |
| uses: golangci/golangci-lint-action@v3 | |
| with: | |
| args: --issues-exit-code=0 | |
| skip-pkg-cache: true | |
| skip-build-cache: true | |
| - name: Package artifact | |
| run: | | |
| mv dist/*.tar.gz application.tar.gz | |
| - name: Upload build output | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: application | |
| path: "./application.tar.gz" | |
| - name: Upload test coverage | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: test-coverage | |
| path: "./test-coverage.out" | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - config | |
| - build | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ env.PULL_REQUEST_HEAD }} | |
| - name: Set alpha version | |
| id: version | |
| run: echo "version=${{ needs.build.outputs.version }}-rc.pr-${{ env.PULL_REQUEST_NUMBER }}-${{ github.run_number }}" >> $GITHUB_OUTPUT | |
| - name: Download artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: application | |
| path: "." | |
| - name: Rename artifact | |
| run: mv application.tar.gz ${{ github.event.repository.name }}.tar.gz | |
| - name: Create release | |
| if: ${{ env.FORKED == 'false' }} | |
| uses: softprops/action-gh-release@v1 | |
| id: create-release | |
| with: | |
| name: Pre-release ${{ steps.version.outputs.version }} | |
| tag_name: ${{ steps.version.outputs.version }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| body: ${{ steps.changelog.outputs.changelog }} | |
| files: | | |
| ./${{ github.event.repository.name }}.tar.gz | |
| draft: false | |
| prerelease: true | |
| generate_release_notes: true | |
| deploy: | |
| name: deploy-[${{ matrix.name }}] | |
| runs-on: ubuntu-latest | |
| strategy: | |
| max-parallel: 1 | |
| matrix: ${{ fromJson(needs.config.outputs.deploy-pre-release-matrix) }} | |
| if: ${{ !failure() && needs.release.result == 'success' && needs.config.outputs.deploy-pull-request == 'true' }} | |
| needs: | |
| - config | |
| - build | |
| - release | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ env.PULL_REQUEST_HEAD }} | |
| - name: Log in to registry | |
| if: ${{ env.FORKED == 'false' }} | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u $ --password-stdin | |
| - name: Build image | |
| id: docker-meta | |
| env: | |
| VERSION: "${{ needs.release.outputs.version }}" | |
| run: | | |
| make ${{ matrix.name }}-image | |
| TAG_SUFFIX=$(echo "-${{ matrix.name }}" | sed s/-ubuntu//) | |
| echo "image-id=$IMAGE_NAME" >> $GITHUB_OUTPUT | |
| echo "image-version=${VERSION}${TAG_SUFFIX}" >> $GITHUB_OUTPUT | |
| make push-${{ matrix.name }}-image | |
| - name: Format current time | |
| if: ${{ env.FORKED == 'false' }} | |
| id: time_now | |
| run: echo "time_now_formatted=$(date +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_OUTPUT" | |
| - name: Find releases comment | |
| if: ${{ env.FORKED == 'false' }} | |
| uses: peter-evans/find-comment@v2 | |
| id: find_comment | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-author: "github-actions[bot]" | |
| body-includes: "Following docker image(s) have been created for this PR." | |
| - name: Create releases comment | |
| uses: peter-evans/create-or-update-comment@v2 | |
| if: ${{ steps.find_comment.outputs.comment-id == '' && env.FORKED == 'false' }} | |
| with: | |
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| edit-mode: replace | |
| body: | | |
| ## Pull Request information | |
| Following docker image(s) have been created for this PR. | |
| | Time | Tag | | |
| | --- | --- | | |
| | ${{ steps.time_now.outputs.time_now_formatted }} | **${{ steps.docker-meta.outputs.image-version }}** | | |
| - name: Append releases comment | |
| uses: peter-evans/create-or-update-comment@v2 | |
| if: ${{ steps.find_comment.outputs.comment-id != '' && env.FORKED == 'false' }} | |
| with: | |
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| edit-mode: append | |
| body: | | |
| | ${{ steps.time_now.outputs.time_now_formatted }} | **${{ steps.docker-meta.outputs.image-version }}** | | |
| - name: Setup cosign | |
| if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' && env.FORKED == 'false' }} | |
| uses: sigstore/cosign-installer@main | |
| - name: Write signing key to disk (only needed for `cosign sign --key`) | |
| if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' && env.FORKED == 'false' }} | |
| continue-on-error: true | |
| run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key | |
| - name: Sign the published Docker image | |
| if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' && env.FORKED == 'false' }} | |
| continue-on-error: true | |
| env: | |
| COSIGN_PASSWORD: "" | |
| VERSION: "${{ needs.release.outputs.version }}" | |
| run: make sign-${{ matrix.name }}-image | |
| - name: Container scan | |
| uses: aquasecurity/[email protected] | |
| env: | |
| image-ref: "${{ steps.docker-meta.outputs.image-id }}:${{ steps.docker-meta.outputs.image-version }}" | |
| with: | |
| image-ref: "${{ env.image-ref }}" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: trivy-${{ matrix.name }} | |
| comments: | |
| runs-on: ubuntu-latest | |
| if: ${{ needs.config.outputs.is-forked == 'false' }} | |
| needs: | |
| - config | |
| - release | |
| steps: | |
| - name: Format current time | |
| id: time_now | |
| run: echo "time_now_formatted=$(date +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_OUTPUT" | |
| - name: Find releases comment | |
| uses: peter-evans/find-comment@v2 | |
| id: find_comment | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-author: "github-actions[bot]" | |
| body-includes: "Following release(s) have been created for this PR." | |
| - name: Create releases comment | |
| uses: peter-evans/create-or-update-comment@v2 | |
| if: ${{ steps.find_comment.outputs.comment-id == '' }} | |
| with: | |
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| edit-mode: replace | |
| body: | | |
| ## Pull Request information | |
| Following release(s) have been created for this PR. | |
| | Time | Release | | |
| | --- | --- | | |
| | ${{ steps.time_now.outputs.time_now_formatted }} | **${{ needs.release.outputs.version }}** | | |
| - name: Append releases comment | |
| uses: peter-evans/create-or-update-comment@v2 | |
| if: ${{ steps.find_comment.outputs.comment-id != '' }} | |
| with: | |
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| edit-mode: append | |
| body: | | |
| | ${{ steps.time_now.outputs.time_now_formatted }} | **${{ needs.release.outputs.version }}** | |