Skip to content

ci

ci #445

Workflow file for this run

name: ci
on:
push:
branches:
- main
pull_request:
schedule:
# Random time to avoid thundering herd, Monday-Friday.
- cron: "41 9 * * 1-5"
workflow_dispatch:
permissions:
actions: read
checks: none
contents: read
deployments: none
issues: none
packages: write
pull-requests: none
repository-projects: none
security-events: write
statuses: none
# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
lint:
runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v3
# Install Go!
#
# NOTE: The lint job needs Go 1.25+ explicitly. golangci-lint refuses
# to load a config when the Go version it was built with is lower than
# the targeted Go version (read from go.mod, currently 1.25.9).
# Other jobs can stay on ~1.24 because Go's toolchain directive
# auto-downloads a matching toolchain at build time, but golangci-lint
# is a fixed pre-built binary and does not use the toolchain mechanism.
- uses: actions/setup-go@v3
with:
go-version: "~1.25"
# Check for Go linting errors!
#
# install-mode: goinstall makes the action build golangci-lint v1.64.8
# from source using the Go installed above (1.25), instead of downloading
# the official pre-built binary which is built with Go 1.24 and fails
# the build-version check on this module.
- name: Lint Go
uses: golangci/golangci-lint-action@v6.1.1
with:
version: v1.64.8
install-mode: goinstall
args: "--out-${NO_FUTURE}format colored-line-number"
- name: Lint shell scripts
uses: ludeeus/action-shellcheck@2.0.0
env:
SHELLCHECK_OPTS: --external-sources
with:
ignore: node_modules
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.1.9
terraform_wrapper: false
- name: Terraform init
run: terraform init
- name: Terraform validate
run: terraform validate
fmt:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
submodules: true
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.1.9
terraform_wrapper: false
- name: Install markdownfmt
run: go install github.com/Kunde21/markdownfmt/v3/cmd/markdownfmt@latest
- name: make fmt
run: |
export PATH=${PATH}:$(go env GOPATH)/bin
make --output-sync -j -B fmt
- name: Check for unstaged files
run: ./scripts/check_unstaged.sh
unit-tests:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.24"
# Sadly the new "set output" syntax (of writing env vars to
# $GITHUB_OUTPUT) does not work on both powershell and bash so we use the
# deprecated syntax here.
- name: Echo Go Cache Paths
id: go-cache-paths
run: |
echo "::set-output name=GOCACHE::$(go env GOCACHE)"
echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)"
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Run unit tests
id: test
shell: bash
run: go test ./...
integration-tests:
runs-on: ubuntu-22.04
timeout-minutes: 20
steps:
- name: Install dependencies
run: sudo apt update && sudo apt install -y gcc
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.24"
# Sadly the new "set output" syntax (of writing env vars to
# $GITHUB_OUTPUT) does not work on both powershell and bash so we use the
# deprecated syntax here.
- name: Echo Go Cache Paths
id: go-cache-paths
run: |
echo "::set-output name=GOCACHE::$(go env GOCACHE)"
echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)"
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Run integration tests
id: test
shell: bash
run: go test -tags=integration ./...
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.24"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
- name: Install yq
run: go run github.com/mikefarah/yq/v4@v4.30.6
- name: build image
run: make -j build/image/envbox
osv-scan-scheduled:
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@43f380b8fc43a816831a9f5ee6fc91170809c7e9" # v2.3.5
permissions:
contents: read
actions: read
security-events: write
with:
scan-args: |-
-r
--call-analysis=all
./
osv-scan-pr:
if: ${{ github.event_name == 'pull_request' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@43f380b8fc43a816831a9f5ee6fc91170809c7e9" # v2.3.5
permissions:
contents: read
actions: read
security-events: write
with:
scan-args: |-
-r
--call-analysis=all
./
osv-scan-alert:
name: OSV Source Scan Slack Alert
needs: [osv-scan-scheduled]
if: failure() && github.event_name == 'schedule'
runs-on: ubuntu-latest
steps:
- name: Slack Alert on Failure
uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
webhook-type: webhook-trigger
payload: |
content: ":rotating_light: OSV source scan failed. See run logs for more details."
run_url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
osv-scan-image:
name: OSV Image Scanner
runs-on: ubuntu-22.04
permissions:
contents: read
actions: read
security-events: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.24"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
- name: Install yq
run: go run github.com/mikefarah/yq/v4@v4.30.6
- name: Build image
run: make -j build/image/envbox
- name: Install OSV Scanner
run: |
set -euxo pipefail
OSV_VERSION="v2.3.5"
OSV_SHA256="bb30c580afe5e757d3e959f4afd08a4795ea505ef84c46962b9a738aa573b41b"
curl -fsSL "https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64" -o /usr/local/bin/osv-scanner
echo "${OSV_SHA256} /usr/local/bin/osv-scanner" | sha256sum -c -
chmod +x /usr/local/bin/osv-scanner
osv-scanner --version
- name: Run OSV Image Scanner
run: |
set -euo pipefail
# Exit code 1 means vulnerabilities found (expected), anything else
# is a real error (e.g. 127=scan error, 128=no packages, 130=bad config).
osv-scanner scan image \
--format=sarif \
--output-file=osv-image-results.sarif \
"envbox:latest" || exit_code=$?
if [ "${exit_code:-0}" -ne 0 ] && [ "${exit_code}" -ne 1 ]; then
echo "::error::OSV scanner failed with exit code ${exit_code}"
exit "${exit_code}"
fi
- name: Upload OSV image scan results to GitHub Security tab
if: ${{ !cancelled() }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: osv-image-results.sarif
category: "OSV Image Scanner"
- name: Upload OSV image scan results as an artifact
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: osv-image-scan
path: osv-image-results.sarif
retention-days: 7
codeql:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: "~1.24"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: go
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
publish:
runs-on: ubuntu-22.04
if: github.ref == 'refs/heads/main'
steps:
- name: Docker Login
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v3
with:
# Needed to get older tags
fetch-depth: 0
- uses: actions/setup-go@v3
with:
go-version: "~1.24"
- name: build image
run: make -j build/image/envbox
- name: Tag and push envbox-preview
run: |
VERSION=$(./scripts/version.sh)-dev-$(git rev-parse --short HEAD)
BASE=ghcr.io/${{ github.repository_owner }}/envbox-preview
docker tag envbox "${BASE}:${VERSION}"
docker push "${BASE}:${VERSION}"