Merge pull request #90 from uselagoon/update-ci

update ci
uselagoon · Mar 13, 2024 · 6e4742f · 6e4742f
2 parents 3312841 + 19a052a
commit 6e4742f
Show file tree

Hide file tree

Showing 18 changed files with 313 additions and 278 deletions.
diff --git a/commitlint.config.js → .github/commitlint.config.js b/commitlint.config.js → .github/commitlint.config.js
diff --git a/.github/dependabot.yml → .github/dependabot.yaml b/.github/dependabot.yml → .github/dependabot.yaml
@@ -1,14 +1,26 @@
 version: 2
 updates:
-- package-ecosystem: docker
+- package-ecosystem: github-actions
  directory: /
  schedule:
- interval: daily
-- package-ecosystem: github-actions
+ interval: weekly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+- package-ecosystem: docker
  directory: /
  schedule:
  interval: daily
+ groups:
+ docker:
+ patterns:
+ - "*"
 - package-ecosystem: gomod
  directory: /
  schedule:
  interval: daily
+ groups:
+ gomod:
+ patterns:
+ - "*"
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
@@ -0,0 +1,17 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'
+
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+allow-dependencies-licenses: >
+ pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,68 +1,52 @@
-name: Build
-on: pull_request
+name: build
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
 jobs:
- build:
+ build-snapshot:
+ permissions:
+ contents: read
+ packages: write
  runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ binary:
+ - lagoon-opensearch-sync
  steps:
- - name: Checkout
- uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  ref: ${{ github.event.pull_request.head.sha }}
- - name: Install Go
- uses: actions/setup-go@v4
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version: stable
- - name: Set up environment
- run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV
- - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v5
+ - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
+ - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
  with:
  version: latest
- args: build --snapshot --rm-dist
- - name: Tar up binaries
- # work around limitations in the upload/download artifact actions
- # https://github.com/actions/download-artifact#limitations
- run: tar -cvf dist.tar dist
- - name: Upload binaries tar file
- uses: actions/upload-artifact@v3
- with:
- name: dist.tar
- path: dist.tar
- buildimage:
- if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
- strategy:
- matrix:
- binary:
- - lagoon-opensearch-sync
- needs: build
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Download binaries tar file
- uses: actions/download-artifact@v3
- with:
- name: dist.tar
- - name: Untar binaries
- run: tar -xvf dist.tar
+ args: build --clean --debug --single-target --snapshot
  - name: Login to GHCR
- uses: docker/login-action@v3
+ if: github.actor != 'dependabot[bot]'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
  with:
  registry: ghcr.io
  username: ${{ github.repository_owner }}
  password: ${{ secrets.GITHUB_TOKEN }}
- - name: Docker metadata
- # this id is namespaced per matrix run
+ - name: Get Docker metadata
+ if: github.actor != 'dependabot[bot]'
  id: docker_metadata
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
  with:
- images: ghcr.io/${{ github.repository_owner }}/${{ matrix.binary }}
+ images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
+ - run: echo "GITHUB_REPOSITORY_NAME=$(basename ${{ github.repository }})" >> "$GITHUB_ENV"
  - name: Build and push ${{ matrix.binary }} container image
- id: docker_build
- uses: docker/build-push-action@v5
+ if: github.actor != 'dependabot[bot]'
+ uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
  with:
  push: true
  tags: ${{ steps.docker_metadata.outputs.tags }}
  labels: ${{ steps.docker_metadata.outputs.labels }}
- file: deploy/${{ matrix.binary }}/Dockerfile
+ file: Dockerfile
+ build-args: BINARY=${{ matrix.binary }}
  context: dist/${{ matrix.binary }}_linux_amd64_v1
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -1,34 +1,32 @@
-name: "CodeQL"
-
+name: codeQL
 on:
  push:
  branches:
  - main
  pull_request:
  branches:
  - main
- schedule:
- - cron: '44 10 * * 5'
-
+permissions: {}
 jobs:
  analyze:
- name: Analyze
- runs-on: ubuntu-latest
  permissions:
  actions: read
  contents: read
  security-events: write
+ runs-on: ubuntu-latest
  strategy:
  fail-fast: false
  matrix:
  language:
  - go
  steps:
- - name: Checkout repository
- uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version: stable
  - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
  with:
  languages: ${{ matrix.language }}
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -1,30 +1,29 @@
-name: Coverage
+name: coverage
 on:
  push:
  branches:
  - main
-
+permissions: {}
 jobs:
  coverage:
+ permissions:
+ contents: write
  runs-on: ubuntu-latest
  steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- - name: Configure git
- run: |
- git config --global user.name "$GITHUB_ACTOR"
- git config --global user.email "[email protected]"
- - name: Set up go
- uses: actions/setup-go@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version: stable
  - name: Calculate coverage
  run: |
- go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./...
- grep -v mock_ coverage.out.raw > coverage.out
- - name: Convert coverage to lcov
- uses: jandelgado/gcov2lcov-action@v1
- - name: Coveralls
- uses: coverallsapp/github-action@v2
+ go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./...
+ # remove generated code from coverage calculation
+ grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out
+ - name: Generage coverage badge
+ uses: vladopajic/go-test-coverage@97ecc524075d8ece0e1a406edec1c191e2dd3277 # v2.8.3
  with:
- github-token: ${{ secrets.github_token }}
+ profile: cover.out
+ local-prefix: github.com/smlx/go-cli-github
+ git-token: ${{ secrets.GITHUB_TOKEN }}
+ # orphan branch for storing badges
+ git-branch: badges
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
@@ -1,17 +1,24 @@
 # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
-name: Dependabot auto-merge
-on: pull_request
-
-permissions:
- contents: write
- pull-requests: write
-
+name: dependabot auto-merge
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
 jobs:
- dependabot:
+ dependabot-automerge:
+ permissions:
+ contents: write
+ pull-requests: write
  runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: github.actor == 'dependabot[bot]'
  steps:
- - name: Enable auto-merge for Dependabot PRs
+ - name: Fetch dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Enable auto-merge for Dependabot PRs # these still need approval before merge
  run: gh pr merge --auto --merge "$PR_URL"
  env:
  PR_URL: ${{github.event.pull_request.html_url}}

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,16 @@
+name: dependency review
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ dependency-review:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
+ with:
+ config-file: .github/dependency-review-config.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,29 +1,40 @@
-name: Lint
-on: pull_request
+name: lint
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
 jobs:
- golangci-lint:
- name: lint
+ lint-go:
+ permissions:
+ contents: read
  runs-on: ubuntu-latest
  steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Install Go
- uses: actions/setup-go@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
  with:
  go-version: stable
- - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
  with:
- args: --timeout=180s
-  # temporarily pin the linter version until
-  # https://github.com/golangci/golangci-lint/issues/3862 is fixed
-  version: v1.52.2
- commitlint:
+ args: --timeout=180s --enable gocritic
+ lint-commits:
+ permissions:
+ contents: read
+  pull-requests: read
  runs-on: ubuntu-latest
  steps:
- - name: Checkout
- uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  fetch-depth: 0
- - name: Lint commit messages
- uses: wagoid/commitlint-github-action@v5
+ - uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe # v5.4.5
+ with:
+ configFile: .github/commitlint.config.js
+ lint-actions:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8
+ with:
+ args: -color
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ ossf-scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # Needed if using Code scanning alerts
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Run analysis
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+ - name: Upload SARIF results to code scanning
+ uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+ with:
+ sarif_file: results.sarif