diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
new file mode 100644
index 00000000..f1d50446
--- /dev/null
+++ b/.github/workflows/pipeline.yml
@@ -0,0 +1,83 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+name: pipeline
+on:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+ pull_request:
+jobs:
+ test:
+ strategy:
+ matrix:
+ go-version: [ 1.21.x ]
+ os: [ ubuntu-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ matrix.go-version }}
+
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - uses: actions/cache@v2
+ with:
+ path: |
+ ~/go/pkg/mod
+ ~/.cache/go-build
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+ - name: Format Unix
+ run: test -z $(go fmt ./...)
+ - name: Install GoKart
+ run: go install github.com/praetorian-inc/gokart@latest
+
+ - name: Static Analysis
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: static-analysis
+ attestations: "github sarif"
+ command: gokart scan . -o sarif-results.json -s
+
+ - name: Test
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: "test"
+ attestations: "github"
+ command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+
+ - name: E2E Tests
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: "e2e"
+ attestations: "github"
+ command: ./test/test.sh
+
+ - name: Send coverage
+ env:
+ COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ GO111MODULE=off go get github.com/mattn/goveralls
+ $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
new file mode 100644
index 00000000..44052689
--- /dev/null
+++ b/.github/workflows/witness.yml
@@ -0,0 +1,42 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+ workflow_call:
+ inputs:
+ pull_request:
+ required: true
+ type: boolean
+ command:
+ required: true
+ type: string
+ step:
+ required: true
+ type: string
+ attestations:
+ required: true
+ type: string
+
+jobs:
+ witness:
+ runs-on: ubuntu-latest
+ steps:
+ - if: ${{ inputs.pull_request == false }}
+ uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+ with:
+ step: ${{ inputs.step }}
+ attestations: $${ inputs.attestations }}
+ command: /bin/sh -c "$${ inputs.command }}"
+ - if: ${{ inputs.pull_request == true }}
+ run: ${{ inputs.command }}
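Review bot: In `.github/workflows/pipeline.yml`, the Static Analysis, Test and E2E Tests entries call `./.github/workflows/witness.yml` from a step-level `uses:`, but a workflow declared with `on: workflow_call` can only be invoked from `jobs.<job_id>.uses`; a step-level `uses: ./path` is resolved as a local action directory, so these three steps would not run as written. Moving them to job level is not sufficient on its own, because a called workflow runs in its own job and would not see this job's checkout, Go toolchain or the installed `gokart` binary; packaging witness as a composite action, or doing the setup inside the called workflow, keeps the attested command in the workspace it is meant to measure. Separately, `id-token: write` is requested at the top level, so it applies to every job and to `pull_request` runs that (per witness.yml) never attest, while `actions/setup-go@v2`, `actions/checkout@v2`, `actions/cache@v2`, `gokart@latest` and the unversioned `go get github.com/mattn/goveralls` are all mutable references executed under that permission. I would pin the three actions to commit SHAs the way witness.yml already pins `witness-run-action`, pin the Go tools to explicit versions, and move `id-token: write` onto the job that produces attestations.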
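Review bot: In the non-PR step of `.github/workflows/witness.yml`, `attestations: $${ inputs.attestations }}` and `command: /bin/sh -c "$${ inputs.command }}"` open with `$${` rather than `${{`, so they are not expressions and the literal text is handed to `witness-run-action` instead of the input values; the resulting attestation would not cover the command the caller asked for. They should read `attestations: ${{ inputs.attestations }}` and `command: /bin/sh -c "${{ inputs.command }}"`. The `witness` job shown here also has no checkout step, so the command would presumably start in an empty workspace. In the PR branch, `run: ${{ inputs.command }}` pastes the input into the script text; the callers in this commit pass fixed strings, but passing it through `env:` (for example `COMMAND: ${{ inputs.command }}` with `run: sh -c "$COMMAND"`) avoids forming shell syntax at template-expansion time if a caller ever forwards event data.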