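---
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Cancel older runs on the same branch/PR when a new commit is pushed.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege for the default GITHUB_TOKEN: every job in this workflow
# only reads the repository. A job that needs more must declare it itself.
permissions:
  contents: read

env:
  # Pinned Go toolchain. Bumping this also resolves stdlib CVEs
  # tracked in autonoco/autono#331. 1.26.2 adds fixes for four
  # more vulnerabilities (GO-2026-4866 x509 auth bypass, -4870
  # TLS 1.3 KeyUpdate DoS, -4946/-4947 x509 DoS) that 1.26.1
  # is still exposed to.
  GO_VERSION: "1.26.2"

# NOTE(review): the third-party actions below are pinned to a major tag
# (e.g. actions/checkout@v6). Tags are mutable, so a full commit SHA
# (`uses: owner/repo@<40-hex-sha>  # vX.Y.Z`) is the stronger pin. Not
# changed here because the SHAs must be copied from the upstream releases.
jobs:
  test:
    name: Test (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    timeout-minutes: 10
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          # No later step pushes or needs the token, so do not leave it
          # in .git/config where any subsequent tool could read it.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
          cache: true
      # Fails if any module in the cache does not match go.sum.
      - name: Verify module integrity
        run: go mod verify
      - name: Build
        run: go build ./...
      - name: Vet
        run: go vet ./...
      - name: Unit tests (with race detector)
        run: go test -race -count=1 ./internal/...
      - name: Integration tests
        run: go test -count=1 ./test/integration/...

  gosec:
    name: gosec
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
          cache: true
      # NOTE(review): @latest is a floating dependency — the scanner can
      # change behaviour (or break) without a commit to this repo. Prefer a
      # release tag (@vX.Y.Z) taken from the gosec releases page; left as-is
      # because the exact version must come from upstream.
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run gosec
        run: gosec ./...

  govulncheck:
    name: govulncheck
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
          cache: true
      # NOTE(review): same floating @latest concern as the gosec job above;
      # pin to a release tag (@vX.Y.Z) when one is chosen.
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...

  gitleaks:
    name: gitleaks
    runs-on: ubuntu-latest
    timeout-minutes: 5
    env:
      # Pinned so Dependabot (or a follow-up PR) can bump it intentionally.
      # gitleaks-action@v2 requires a license for private repos, so we
      # install the binary directly instead — free regardless of repo
      # visibility and also faster.
      GITLEAKS_VERSION: "8.30.1"
    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Full history so gitleaks can scan every commit.
          persist-credentials: false
      # The tarball is verified against the release's published checksum
      # list before anything is extracted from it; a mismatch or a missing
      # entry fails the job instead of installing an unverified binary.
      # NOTE(review): the checksum asset name follows goreleaser's default
      # naming; confirm it against the release page when bumping
      # GITLEAKS_VERSION.
      - name: Install gitleaks
        run: |
          set -euo pipefail
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          asset="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          curl -sSfL -o "${asset}" "${base}/${asset}"
          curl -sSfL -o checksums.txt "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          # grep exits non-zero when the asset is not listed; pipefail
          # propagates that, and --strict rejects malformed lines.
          grep " ${asset}\$" checksums.txt | sha256sum --check --strict
          tar -xzf "${asset}" gitleaks
          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks
          rm -f gitleaks "${asset}" checksums.txt
          gitleaks version
      # --redact keeps matched secret values out of the job log.
      - name: Scan repository
        run: gitleaks detect --source . --verbose --redact --no-banner

  build-release:
    name: Build (release ldflags)
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Tags + full history so `git describe` works.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
          cache: true
      - name: Build with version injection (make build)
        run: make build
      - name: Smoke test binary
        run: ./buttons --help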