NoiseCutter/.github/workflows/pr.yml at main · SentinelOps-CI/NoiseCutter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: PR fastpath

on:
  pull_request:
    branches: [main]

concurrency:
  group: pr-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  security-events: write

jobs:
  go-multi-entry:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: pip
          cache-dependency-path: uv.lock

      - uses: astral-sh/setup-uv@v5
        with:
          version: "0.6.9"

      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"

      - name: Install Python package
        run: uv sync --frozen --extra dev

      - name: Install Syft
        run: bash scripts/install-syft.sh
        env:
          SYFT_INSTALL_DIR: ${{ github.workspace }}/bin

      - name: Install govulncheck
        env:
          GOBIN: ${{ github.workspace }}/bin
        run: |
          mkdir -p "$GOBIN"
          go install golang.org/x/vuln/cmd/govulncheck@v1.2.0

      - name: Add tools to PATH
        run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"

      - name: Go multi-entry — build and verify goldens
        working-directory: examples/go-multi-entry
        env:
          NOISECUTTER_STRICT_REPRO: "1"
        run: |
          make all_artifacts
          make verify-golden

      - name: Upload SARIF (server)
        uses: github/codeql-action/upload-sarif@v3
        if: matrix.os == 'ubuntu-latest'
        with:
          sarif_file: examples/go-multi-entry/report.server.sarif

  windows-smoke:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: pip
          cache-dependency-path: uv.lock

      - uses: astral-sh/setup-uv@v5
        with:
          version: "0.6.9"

      - name: Install and test
        run: |
          uv sync --frozen --extra dev
          uv run pytest tests/ -q --cov=noisecutter