ci #450
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| schedule: | |
| # Random time to avoid thundering herd, Monday-Friday. | |
| - cron: "41 9 * * 1-5" | |
| workflow_dispatch: | |
| permissions: | |
| actions: read | |
| checks: none | |
| contents: read | |
| deployments: none | |
| issues: none | |
| packages: write | |
| pull-requests: none | |
| repository-projects: none | |
| security-events: write | |
| statuses: none | |
| # Cancel in-progress runs for pull requests when developers push | |
| # additional changes | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| lint: | |
| runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| # Install Go! | |
| # | |
| # NOTE: The lint job needs Go 1.25+ explicitly. golangci-lint refuses | |
| # to load a config when the Go version it was built with is lower than | |
| # the targeted Go version (read from go.mod, currently 1.25.9). | |
| # Other jobs can stay on ~1.24 because Go's toolchain directive | |
| # auto-downloads a matching toolchain at build time, but golangci-lint | |
| # is a fixed pre-built binary and does not use the toolchain mechanism. | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.25" | |
| # Check for Go linting errors! | |
| # | |
| # install-mode: goinstall makes the action build golangci-lint v1.64.8 | |
| # from source using the Go installed above (1.25), instead of downloading | |
| # the official pre-built binary which is built with Go 1.24 and fails | |
| # the build-version check on this module. | |
| - name: Lint Go | |
| uses: golangci/golangci-lint-action@v6.1.1 | |
| with: | |
| version: v1.64.8 | |
| install-mode: goinstall | |
| args: "--out-${NO_FUTURE}format colored-line-number" | |
| - name: Lint shell scripts | |
| uses: ludeeus/action-shellcheck@2.0.0 | |
| env: | |
| SHELLCHECK_OPTS: --external-sources | |
| with: | |
| ignore: node_modules | |
| - uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.1.9 | |
| terraform_wrapper: false | |
| - name: Terraform init | |
| run: terraform init | |
| - name: Terraform validate | |
| run: terraform validate | |
| fmt: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| - uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.1.9 | |
| terraform_wrapper: false | |
| - name: Install markdownfmt | |
| run: go install github.com/Kunde21/markdownfmt/v3/cmd/markdownfmt@latest | |
| - name: make fmt | |
| run: | | |
| export PATH=${PATH}:$(go env GOPATH)/bin | |
| make --output-sync -j -B fmt | |
| - name: Check for unstaged files | |
| run: ./scripts/check_unstaged.sh | |
| unit-tests: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.24" | |
| # Sadly the new "set output" syntax (of writing env vars to | |
| # $GITHUB_OUTPUT) does not work on both powershell and bash so we use the | |
| # deprecated syntax here. | |
| - name: Echo Go Cache Paths | |
| id: go-cache-paths | |
| run: | | |
| echo "::set-output name=GOCACHE::$(go env GOCACHE)" | |
| echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)" | |
| - name: Go Build Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOCACHE }} | |
| key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }} | |
| - name: Go Mod Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
| key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} | |
| - name: Run unit tests | |
| id: test | |
| shell: bash | |
| run: go test ./... | |
| integration-tests: | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Install dependencies | |
| run: sudo apt update && sudo apt install -y gcc | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.24" | |
| # Sadly the new "set output" syntax (of writing env vars to | |
| # $GITHUB_OUTPUT) does not work on both powershell and bash so we use the | |
| # deprecated syntax here. | |
| - name: Echo Go Cache Paths | |
| id: go-cache-paths | |
| run: | | |
| echo "::set-output name=GOCACHE::$(go env GOCACHE)" | |
| echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)" | |
| - name: Go Build Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOCACHE }} | |
| key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }} | |
| - name: Go Mod Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
| key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} | |
| - name: Run integration tests | |
| id: test | |
| shell: bash | |
| run: go test -tags=integration ./... | |
| build: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.24" | |
| - name: Go Cache Paths | |
| id: go-cache-paths | |
| run: | | |
| echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT | |
| - name: Go Mod Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
| key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }} | |
| - name: Install yq | |
| run: go run github.com/mikefarah/yq/v4@v4.30.6 | |
| - name: build image | |
| run: make -j build/image/envbox | |
| osv-scan-scheduled: | |
| if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} | |
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@43f380b8fc43a816831a9f5ee6fc91170809c7e9" # v2.3.5 | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| with: | |
| scan-args: |- | |
| -r | |
| --call-analysis=all | |
| ./ | |
| osv-scan-pr: | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@43f380b8fc43a816831a9f5ee6fc91170809c7e9" # v2.3.5 | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| with: | |
| scan-args: |- | |
| -r | |
| --call-analysis=all | |
| ./ | |
| osv-scan-alert: | |
| name: OSV Source Scan Slack Alert | |
| needs: [osv-scan-scheduled] | |
| if: failure() && github.event_name == 'schedule' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Slack Alert on Failure | |
| uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 | |
| with: | |
| webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| webhook-type: webhook-trigger | |
| payload: | | |
| content: ":rotating_light: OSV source scan failed. See run logs for more details." | |
| run_url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| osv-scan-image: | |
| name: OSV Image Scanner | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.24" | |
| - name: Go Cache Paths | |
| id: go-cache-paths | |
| run: | | |
| echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT | |
| - name: Go Mod Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
| key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }} | |
| - name: Install yq | |
| run: go run github.com/mikefarah/yq/v4@v4.30.6 | |
| - name: Build image | |
| run: make -j build/image/envbox | |
| - name: Install OSV Scanner | |
| run: | | |
| set -euxo pipefail | |
| OSV_VERSION="v2.3.5" | |
| OSV_SHA256="bb30c580afe5e757d3e959f4afd08a4795ea505ef84c46962b9a738aa573b41b" | |
| curl -fsSL "https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64" -o /usr/local/bin/osv-scanner | |
| echo "${OSV_SHA256} /usr/local/bin/osv-scanner" | sha256sum -c - | |
| chmod +x /usr/local/bin/osv-scanner | |
| osv-scanner --version | |
| - name: Run OSV Image Scanner | |
| run: | | |
| set -euo pipefail | |
| # Exit code 1 means vulnerabilities found (expected), anything else | |
| # is a real error (e.g. 127=scan error, 128=no packages, 130=bad config). | |
| osv-scanner scan image \ | |
| --format=sarif \ | |
| --output-file=osv-image-results.sarif \ | |
| "envbox:latest" || exit_code=$? | |
| if [ "${exit_code:-0}" -ne 0 ] && [ "${exit_code}" -ne 1 ]; then | |
| echo "::error::OSV scanner failed with exit code ${exit_code}" | |
| exit "${exit_code}" | |
| fi | |
| - name: Upload OSV image scan results to GitHub Security tab | |
| if: ${{ !cancelled() }} | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: osv-image-results.sarif | |
| category: "OSV Image Scanner" | |
| - name: Upload OSV image scan results as an artifact | |
| if: ${{ !cancelled() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: osv-image-scan | |
| path: osv-image-results.sarif | |
| retention-days: 7 | |
| codeql: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Setup Go | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.24" | |
| - name: Go Cache Paths | |
| id: go-cache-paths | |
| run: | | |
| echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT | |
| - name: Go Mod Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }} | |
| key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }} | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: go | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| publish: | |
| runs-on: ubuntu-22.04 | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Docker Login | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/checkout@v3 | |
| with: | |
| # Needed to get older tags | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: "~1.24" | |
| - name: build image | |
| run: make -j build/image/envbox | |
| - name: Tag and push envbox-preview | |
| run: | | |
| VERSION=$(./scripts/version.sh)-dev-$(git rev-parse --short HEAD) | |
| BASE=ghcr.io/${{ github.repository_owner }}/envbox-preview | |
| docker tag envbox "${BASE}:${VERSION}" | |
| docker push "${BASE}:${VERSION}" |