chore(README.md): add note regarding structure of CODER_IMAGE_PULL_SECRET #131
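name: ci

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# Default GITHUB_TOKEN scopes for every job in this workflow. Kept read-only:
# the write scopes individual jobs need (packages for publish, security-events
# for the SARIF uploads in build and codeql) are granted on those jobs only, so
# the lint/fmt/test jobs - which run third-party actions on pull_request - never
# hold a token that can push to GHCR or write to the Security tab.
permissions:
  actions: read
  checks: none
  contents: read
  deployments: none
  issues: none
  packages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none

# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# NOTE(review): only the trivy-action step below is pinned to a commit SHA;
# every other third-party action resolves a mutable tag (v2 / v3 / v3.x). Pin
# each to a full commit SHA, with the release version in a trailing comment, so
# a moved or hijacked tag cannot run arbitrary code with this token. SHAs are
# deliberately not guessed here - resolve them from each action's releases.
jobs:
  lint:
    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # Install Go!
      - uses: actions/setup-go@v3
        with:
          go-version: "~1.20"
      # Check for Go linting errors!
      # NOTE(review): "${NO_FUTURE}" is an unset variable, so the flag is
      # reassembled as "--out-format" at run time; this looks deliberate (to get
      # past the action's handling of that literal flag) - confirm before
      # simplifying it.
      - name: Lint Go
        uses: golangci/[email protected]
        with:
          version: v1.51.0
          args: "--out-${NO_FUTURE}format colored-line-number"
      - name: Lint shell scripts
        uses: ludeeus/[email protected]
        env:
          SHELLCHECK_OPTS: --external-sources
        with:
          ignore: node_modules
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.1.9
          terraform_wrapper: false
      - name: Terraform init
        run: terraform init
      - name: Terraform validate
        run: terraform validate

  fmt:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          submodules: true
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.1.9
          terraform_wrapper: false
      # This job has no setup-go step, so it relies on the Go toolchain
      # preinstalled on the runner image.
      # NOTE(review): "@latest" is unpinned - whatever the module proxy serves
      # on the day decides what runs here, and formatter output can change
      # underneath the fmt check. Pin an explicit release version instead.
      - name: Install markdownfmt
        run: go install github.com/Kunde21/markdownfmt/v3/cmd/markdownfmt@latest
      - name: make fmt
        run: |
          export PATH=${PATH}:$(go env GOPATH)/bin
          make --output-sync -j -B fmt
      - name: Check for unstaged files
        run: ./scripts/check_unstaged.sh

  unit-tests:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "~1.20"
      # Every job in this workflow runs on Linux with bash, so the
      # $GITHUB_OUTPUT file works here (it is what the build job already uses);
      # the deprecated ::set-output workflow command has been replaced.
      - name: Echo Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOCACHE=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go Build Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Run unit tests
        id: test
        shell: bash
        run: go test ./...

  integration-tests:
    runs-on: ubuntu-20.04
    timeout-minutes: 20
    steps:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y gcc
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "1.20.5"
      # Same as unit-tests: Linux/bash only, so $GITHUB_OUTPUT replaces the
      # deprecated ::set-output command.
      - name: Echo Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOCACHE=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go Build Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Run integration tests
        id: test
        shell: bash
        run: go test -tags=integration ./...

  build:
    runs-on: ubuntu-20.04
    # Widened only for the SARIF upload to the Security tab; everything else
    # stays read-only.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "1.20.5"
      - name: Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Install yq
        run: go run github.com/mikefarah/yq/[email protected]
      - name: build image
        run: make -j build/image/envbox
      # Pinned to a commit SHA - keep it that way and record the matching
      # release in a comment when bumping. No exit-code input is set, so with
      # the action's default the findings are reported but do not fail the job.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252
        with:
          image-ref: envbox:latest
          format: sarif
          output: trivy-results.sarif
          severity: "CRITICAL,HIGH"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          category: "Trivy"
      - name: Upload Trivy scan results as an artifact
        uses: actions/upload-artifact@v3
        with:
          name: trivy
          path: trivy-results.sarif
          retention-days: 7

  codeql:
    runs-on: ubuntu-latest
    # Widened only for the CodeQL results upload.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: go
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: "~1.20"
      - name: Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  publish:
    runs-on: ubuntu-20.04
    if: github.ref == 'refs/heads/main'
    # The only job allowed to write to GHCR.
    permissions:
      contents: read
      packages: write
    # NOTE(review): this job declares no `needs:` and rebuilds the image rather
    # than reusing the one scanned in `build`, so :latest can be pushed even
    # when the test or scan jobs fail; consider
    # `needs: [unit-tests, integration-tests, build]`. Only the mutable
    # :latest tag is pushed - additionally tagging with the commit SHA
    # (github.sha) gives consumers an immutable reference.
    steps:
      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "1.20.5"
      - name: build image
        run: make -j build/image/envbox
      - name: tag image
        run: docker tag envbox ghcr.io/coder/envbox:latest
      - name: push image
        run: docker push ghcr.io/coder/envbox:latest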