From ad49d5dffa112a90be3d58c0e099257eaae5926e Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Thu, 26 Oct 2023 22:51:17 -0500
Subject: [PATCH 1/3] Update pipeline to use reusable witness workflow
Signed-off-by: John Kjell
---
 .github/workflows/pipeline.yml | 58 +++++++++++++++
 .github/workflows/release.yml | 127 ---------------------------------
 .github/workflows/witness.yml | 47 ++++++++++++
 3 files changed, 105 insertions(+), 127 deletions(-)
 create mode 100644 .github/workflows/pipeline.yml
 delete mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/witness.yml
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
new file mode 100644
index 00000000..306f6cc1
--- /dev/null
+++ b/.github/workflows/pipeline.yml
@@ -0,0 +1,58 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+name: pipeline
+on:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+ pull_request:
+jobs:
+ fmt:
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: static-analysis
+ attestations: "github"
+ command: go fmt ./...
+
+ static_analysis:
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: static-analysis
+ attestations: "github"
+ command: go vet ./...
+
+ test:
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: "test"
+ attestations: "github"
+ command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+
+ e2e-tests:
+ needs: test
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: "e2e"
+ attestations: "github"
+ command: ./test/test.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index b002b9a1..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
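Review bot: The `fmt` job passes `step: static-analysis`, the same step name the `static_analysis` job uses, so two different commands (`go fmt ./...` and `go vet ./...`) are attested under one step name and a witness policy that looks for a `static-analysis` step could presumably be satisfied by whichever of the two ran; give the formatter its own name, `step: fmt`. `go fmt ./...` also exits 0 after rewriting files, so unlike the deleted `test -z $(go fmt ./...)` check this job no longer fails on unformatted code — `command: test -z "$(gofmt -l .)"` restores that behaviour. The deleted workflow's GoKart scan with `sarif` attestations has no counterpart in this file; if dropping it is intended, a one-line comment on the `static_analysis` job saying so would spare the next reader the archaeology.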
@@ -1,127 +0,0 @@ -# Copyright 2023 The Archivista Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout -name: release -on: - push: - tags: - - v* - branches: - - main - pull_request: -jobs: - test: - strategy: - matrix: - go-version: [ 1.19.x ] - os: [ ubuntu-latest ] - runs-on: ${{ matrix.os }} - steps: - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version: ${{ matrix.go-version }} - - name: Checkout code - uses: actions/checkout@v4 - - uses: actions/cache@v3 - with: - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Format Unix - run: test -z $(go fmt ./...) - - name: Install GoKart - run: go install github.com/praetorian-inc/gokart@latest - - - name: Static Analysis - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: static-analysis - attestations: "github sarif" - command: gokart scan . -o sarif-results.json -s - - - name: Test - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: "test" - attestations: "github" - command: go test -v -coverprofile=profile.cov -covermode=atomic ./... 
- - - name: E2E Tests - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: "e2e" - attestations: "github" - command: ./test/test.sh - - - name: Send coverage - env: - COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - GO111MODULE=off go get github.com/mattn/goveralls - $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github - - release: - permissions: - id-token: write - contents: write - packages: write - runs-on: ubuntu-latest - needs: test - if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Set up Go - uses: actions/setup-go@v4 - with: - go-version: 1.20.x - - uses: actions/cache@v3 - with: - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Download GoReleaser - run: go install github.com/goreleaser/goreleaser@latest - - - name: Run GoReleaser - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} - with: - step: "build" - attestations: "github" - command: goreleaser release --clean diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml new file mode 100644 index 00000000..ab6dcaa2 --- /dev/null +++ b/.github/workflows/witness.yml 
@@ -0,0 +1,47 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+ workflow_call:
+ inputs:
+ pull_request:
+ required: true
+ type: boolean
+ command:
+ required: true
+ type: string
+ step:
+ required: true
+ type: string
+ attestations:
+ required: true
+ type: string
+
+jobs:
+ witness:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - uses: actions/setup-go@v4.1.0
+ with:
+ go-version: 1.21.x
+
+ - if: ${{ inputs.pull_request == false }}
+ uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+ with:
+ step: ${{ inputs.step }}
+ attestations: $${ inputs.attestations }}
+ command: /bin/sh -c "$${ inputs.command }}"
+ - if: ${{ inputs.pull_request == true }}
+ run: ${{ inputs.command }}
From 0e61bab18591acb0248c577fbdeededd9eaa5ee7 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Thu, 26 Oct 2023 22:55:04 -0500
Subject: [PATCH 2/3] Add release job to pipeline
Signed-off-by: John Kjell
---
 .github/workflows/pipeline.yml | 36 ++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 306f6cc1..305512c2 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -41,6 +41,7 @@ jobs:
 command: go vet ./...
 
 test:
+ needs: [fmt, static_analysis]
 uses: ./.github/workflows/witness.yml
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
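Review bot: On the non-PR path the two `$${ … }}` values are not GitHub expressions (`${{ … }}`), so witness-run-action receives the literal strings `$${ inputs.attestations }}` and `/bin/sh -c "$${ inputs.command }}"`; the shell expands `$$` to its own PID and the caller's command is never executed, which means the attested step — the reason this workflow exists — attests nothing useful on main and tag builds. Change the two lines to `attestations: ${{ inputs.attestations }}` and `command: /bin/sh -c "${{ inputs.command }}"`. `actions/checkout@v4.1.1` and `actions/setup-go@v4.1.0` are mutable tags while witness-run-action is pinned to a commit SHA; pinning all three to SHAs keeps the supply-chain posture of a provenance-generating workflow consistent. The PR-path `run: ${{ inputs.command }}` splices an input directly into the shell script; today the caller is this repository's own pipeline.yml, so the exposure is low, but routing the value through `env` would keep that true if a caller is ever fed external data.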
@@ -56,3 +57,38 @@ jobs:
 step: "e2e"
 attestations: "github"
 command: ./test/test.sh
+
+ release:
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
+ runs-on: ubuntu-latest
+ needs: test
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - uses: actions/setup-go@v4.1.0
+ with:
+ go-version: 1.21.x
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Download GoReleaser
+ run: go install github.com/goreleaser/goreleaser@latest
+
+ - name: Run GoReleaser
+ uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+ with:
+ step: "build"
+ attestations: "github"
+ command: goreleaser release --clean
\ No newline at end of file
From ba742f09400f096d79bb57498d52cdcc18546a47 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Thu, 26 Oct 2023 22:57:07 -0500
Subject: [PATCH 3/3] Change release needs to e2e-test
Signed-off-by: John Kjell
---
 .github/workflows/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 305512c2..5c93afa7 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -59,12 +59,12 @@ jobs:
 command: ./test/test.sh
 
 release:
+ needs: e2e-tests
 permissions:
 id-token: write
 contents: write
 packages: write
 runs-on: ubuntu-latest
- needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 
 steps:
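Review bot: `go install github.com/goreleaser/goreleaser@latest` pulls an unpinned, floating version of the tool that builds and publishes the release into a job holding `contents: write`, `packages: write` and `id-token: write`, so whatever goreleaser's module proxy serves at that moment is what produces the artifacts; pin it to an explicit version (`@v1.x.y`) so the `build` step witness records is reproducible. `docker/login-action@v2` is both a mutable tag and a step back from the `@v3` the deleted release.yml used — pin it to a commit SHA like the witness-run-action step below it. `contains(github.ref, 'refs/tags/')` is looser than the intent; `startsWith(github.ref, 'refs/tags/')` says exactly what is meant. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which yamllint will flag.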