github-action: use ephemeral tokens with the required permissions #10532
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
push: | |
branches: | |
- main | |
- 7.1* | |
- 8.* | |
paths-ignore: # When updating the list of expressions also update ci-docs.yml | |
- '**.md' | |
- '**.asciidoc' | |
- '**.png' | |
- '**.svg' | |
pull_request: | |
paths-ignore: # When updating the list of expressions also update ci-docs.yml | |
- '**.md' | |
- '**.asciidoc' | |
- '**.png' | |
- '**.svg' | |
merge_group: | |
# limit the access of the generated GITHUB_TOKEN | |
permissions: | |
contents: read | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
cache: true | |
cache-dependency-path: | | |
go.sum | |
tools/go.sum | |
- run: make check-full | |
- name: Ensure .go-version is up to date | |
run: make update-go-version | |
if: ${{ github.ref == 'main' }} | |
test: | |
strategy: | |
matrix: | |
os: ['macos-latest', 'ubuntu-latest', 'windows-latest'] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
cache: true | |
- env: | |
CGO_ENABLED: "0" | |
run: go test -v ./... | |
system-test: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: systemtest/go.mod | |
cache: true | |
- run: docker compose up -d | |
- env: | |
GOTESTFLAGS: "-v -json" | |
OUTPUT_JSON_FILE: "build/TEST-go-system_tests.out.json" | |
OUTPUT_JUNIT_FILE: "build/TEST-go-system_tests.xml" | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
go run -modfile=tools/go.mod gotest.tools/gotestsum \ | |
--no-color -f standard-quiet --jsonfile "$OUTPUT_JSON_FILE" --junitfile "$OUTPUT_JUNIT_FILE" \ | |
--raw-command -- make system-test | |
- uses: actions/upload-artifact@v4 # upload test results | |
if: ${{ always() }} # run this step even if previous step failed | |
with: | |
name: test-results | |
path: 'build/*.xml' | |
test-package: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
cache: false | |
- run: make package-snapshot | |
env: | |
GH_TOKEN: ${{ github.token }} | |
test-package-and-push: | |
runs-on: ubuntu-latest | |
# If no PR event or if a PR event that's caused by a non-fork and non dependabot actor | |
if: github.event_name != 'pull_request' || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false && github.actor != 'dependabot[bot]' ) | |
env: | |
GENERATE_WOLFI_IMAGES: true | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
cache: false | |
- name: Log in to the Elastic Container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ${{ secrets.ELASTIC_DOCKER_REGISTRY }} | |
username: ${{ secrets.ELASTIC_DOCKER_USERNAME }} | |
password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }} | |
- run: make package-snapshot | |
env: | |
GH_TOKEN: ${{ github.token }} | |
- run: make publish-docker-images | |
# Only for forked PRs, when changing the .go-version, then we need to note that the wolfi docker image needs to be | |
# validated | |
validate-wolfi-docker-image: | |
runs-on: ubuntu-latest | |
if: ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true ) || github.actor == 'dependabot[bot]' | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get changed files | |
id: changed-files | |
uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1 | |
with: | |
files: .go-version | |
- name: If .go-version changed validate docker image is available. | |
if: steps.changed-files.outputs.any_changed == 'true' | |
run: | | |
echo "If you change the .go-version please use a branch in the upstream repository to validate the wolfi images with test-package-and-push." | |
echo "Otherwise, this validation will run and fail the CI build." | |
echo "Please validate the wolfi image is available by running the following command:" | |
echo "::notice::docker pull docker.elastic.co/wolfi/go:$(cat .go-version)" | |
echo "If they are available you could skip this validation." | |
echo "However, we recommend to use an upstream branch to run the CI specialised steps for the packaging system." | |
exit 1 |