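name: CI

permissions:
  # Least-privilege: CI only needs read access to repository contents.
  # Avoid granting write access to the GITHUB_TOKEN to reduce blast radius
  # if a step or third-party action is compromised.
  contents: read

on:
  push:
    branches: [main]
    # Run on all tags except release tags (e.g. v1.2.3). An exclusion-only
    # filter is written with tags-ignore: a `tags` list that holds nothing but
    # a negated ('!') pattern has no positive match, so it selects no tag.
    tags-ignore:
      - 'v[0-9]+.[0-9]+.[0-9]+'
  pull_request:
    branches: [main]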
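jobs:
  # NOTE(review): every action below is referenced by a mutable major-version
  # tag (@v5, @v6, @v7, @v9). Pinning each `uses:` to a full commit SHA keeps
  # a retagged or compromised action release from running in this pipeline.
  test:
    name: Run tests
    runs-on: ubuntu-latest
    env:
      KEYMASTER_DB_MAX_OPEN_CONNS: '1'
      KEYMASTER_DB_MAX_IDLE_CONNS: '1'
    steps:
      - uses: actions/checkout@v6
        with:
          # Do not persist the automatically-provided GITHUB_TOKEN to the
          # checked-out repository. This prevents accidental leakage of the
          # token to build artifacts or subprocesses that operate on the repo.
          persist-credentials: false
          # Fetch full history (tags) for version computations when needed.
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.26.3'
      - name: Verify Go version
        run: go version
      - name: Clean Go module cache (prevent partial-restore issues)
        run: |
          rm -rf ~/go/pkg/mod || true
          rm -rf ~/.cache/go-build || true
      - name: Cache Go modules
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum','**/go.mod') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ hashFiles('**/go.mod') }}
            ${{ runner.os }}-go-
      - name: Install tools
        # NOTE(review): @latest resolves to whatever release is newest at run
        # time, so the tool executed in CI can change without any commit to
        # this repository. Pin it to a reviewed release tag.
        run: |
          go install github.com/golang-migrate/migrate/v4/cmd/migrate@latest
      - name: Check formatting
        run: |
          echo 'Checking gofmt...'
          UNFORMATTED=$(gofmt -s -l .)
          if [ -n "${UNFORMATTED}" ]; then
            echo "gofmt found unformatted files:" && echo "$UNFORMATTED"
            exit 1
          fi
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v9
        # Fail the job if linter reports issues. Continue-on-error masks problems
        # and can be abused; require a passing linter in CI for safety.
        with:
          version: v2.11.4
          # The action already invokes `golangci-lint run`, so pass only targets.
          args: ./...
      - name: Static vet
        run: go vet ./...
      - name: Run tests (race on Linux)
        # RUNNER_OS is the runner-provided environment variable carrying the
        # same value as the runner.os context; reading it in the shell keeps
        # workflow expressions out of the script text.
        run: |
          echo "Running tests with race detector on Linux, fallback to non-race on other OS"
          if [ "${RUNNER_OS}" = "Linux" ]; then
            sudo apt-get update && sudo apt-get install -y build-essential
            export CGO_ENABLED=1
            go test ./... -v -race
          else
            go test ./... -v
          fi

  build:
    name: Build binary with version
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v6
        with:
          # Same hardening as the test job: keep the GITHUB_TOKEN out of the
          # checked-out repository's git config while the build runs.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.26.3'
      - name: Verify Go version
        run: go version
      - name: Compute version and git sha
        id: ver
        # Outputs: git_sha (8-char short SHA), tag (tag builds only) and
        # version ("<tag> (<sha>)" on tag builds, otherwise the short SHA).
        run: |
          echo "GITHUB_REF=${GITHUB_REF}"
          GIT_SHA=$(git rev-parse --short=8 HEAD)
          echo "git_sha=$GIT_SHA" >> "$GITHUB_OUTPUT"
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            TAG=${GITHUB_REF#refs/tags/}
            echo "tag=$TAG" >> "$GITHUB_OUTPUT"
            # Version string: <tag> (sha)
            VERSION="$TAG ($GIT_SHA)"
          else
            VERSION="$GIT_SHA"
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Build
        # The version string contains the pushed tag name. Hand the step
        # outputs to the script through env so the shell expands them as data;
        # a ${{ }} expression inside `run:` is pasted into the script text
        # before the shell parses it, and tag names may hold shell
        # metacharacters.
        env:
          VERSION: ${{ steps.ver.outputs.version }}
          GIT_SHA: ${{ steps.ver.outputs.git_sha }}
        run: |
          echo "Building with version ${VERSION} (git ${GITHUB_SHA::8})"
          BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
          go build -ldflags "-X main.version='${VERSION}' -X main.gitCommit='${GIT_SHA}' -X main.buildDate='${BUILD_DATE}'" -o keymaster .
      - name: Upload binary
        uses: actions/upload-artifact@v7
        with:
          name: keymaster-${{ steps.ver.outputs.version }}
          path: keymaster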