Skip to content

Commit 787dd00

Browse files
authored
ci: rework on github actions (#1824)
* rework ci * update changelog * revert * fix alert * fix alert * fix alert
1 parent 2d8a5be commit 787dd00

13 files changed

Lines changed: 318 additions & 36 deletions

.github/pr_labeler.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
"cli":
2+
- client/**/*
3+
- x/*/client/**/*
4+
"nix":
5+
- nix/**
6+
- default.nix
7+
- docker.nix
8+
- flake.nix
9+
"simulation":
10+
- types/simulation/**/*
11+
- x/simulation/**/*
12+
- x/*/simulation/**/*
13+
- simsx/**/*
14+
- tools/benchmark/**/*
15+
"cronos":
16+
- x/cronos/**/*
17+
"e2ee":
18+
- x/e2ee/**/*
19+
"adr":
20+
- docs/architecture/**/*
21+
"build":
22+
- Makefile
23+
- Dockerfile
24+
- docker-compose.yml
25+
- scripts/*
26+
"ci":
27+
- .github/**
28+
- buf.work.yaml
29+
- .golangci.yml
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
# Checks if a changelog is missing in the PR diff
2+
name: Changelog Reminder
3+
on:
4+
pull_request_target:
5+
types:
6+
- opened
7+
- edited
8+
- synchronize
9+
- reopened
10+
- ready_for_review
11+
paths: [ "**/*.go" ]
12+
permissions:
13+
contents: read
14+
pull-requests: write
15+
jobs:
16+
remind:
17+
name: Changelog Reminder
18+
runs-on: ubuntu-latest
19+
# Skip draft PRs and PRs starting with: revert, test, chore, ci, docs, style, build, refactor
20+
if: "!github.event.pull_request.draft && !contains(github.event.pull_request.title, 'revert') && !contains(github.event.pull_request.title, 'test') && !contains(github.event.pull_request.title, 'chore') && !contains(github.event.pull_request.title, 'ci') && !contains(github.event.pull_request.title, 'docs') && !contains(github.event.pull_request.title, 'style') && !contains(github.event.pull_request.title, 'build') && !contains(github.event.pull_request.title, 'refactor')"
21+
steps:
22+
- uses: actions/checkout@v4
23+
- uses: mskelton/changelog-reminder-action@v3
24+
with:
25+
message: "@${{ github.actor }} your pull request is missing a changelog!"

.github/workflows/codeql-analysis.yml

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -41,13 +41,14 @@ jobs:
4141

4242
steps:
4343
- name: Checkout repository
44-
uses: actions/checkout@v3
45-
- uses: actions/setup-go@v3
44+
uses: actions/checkout@v4
45+
- uses: actions/setup-go@v5
4646
with:
47-
go-version: '^1.22.0'
47+
go-version: '^1.24.0'
48+
check-latest: true
4849
# Initializes the CodeQL tools for scanning.
4950
- name: Initialize CodeQL
50-
uses: github/codeql-action/init@v2
51+
uses: github/codeql-action/init@v3
5152
with:
5253
languages: "go"
5354
queries: +security-and-quality,github/codeql/go/ql/src/experimental/InconsistentCode/DeferInLoop.ql@main,github/codeql/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql@main,github/codeql/go/ql/src/experimental/CWE-369/DivideByZero.ql@main
@@ -60,7 +61,7 @@ jobs:
6061
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
6162
# If this step fails, then you should remove it and run the build manually (see below)
6263
- name: Autobuild
63-
uses: github/codeql-action/autobuild@v2
64+
uses: github/codeql-action/autobuild@v3
6465

6566
# ℹ️ Command-line programs to run using the OS shell.
6667
# 📚 https://git.io/JvXDl
@@ -74,4 +75,4 @@ jobs:
7475
# make release
7576

7677
- name: Perform CodeQL Analysis
77-
uses: github/codeql-action/analyze@v2
78+
uses: github/codeql-action/analyze@v3
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
name: Dependabot Update All Go Modules
2+
on: pull_request
3+
4+
permissions:
5+
contents: write
6+
pull-requests: write
7+
8+
env:
9+
PR_TITLE: ${{ github.event.pull_request.title }}
10+
11+
jobs:
12+
update-all:
13+
runs-on: ubuntu-latest
14+
if: ${{ github.actor == 'dependabot[bot]' }}
15+
steps:
16+
- name: Generate Token
17+
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v1
18+
id: app-token
19+
with:
20+
app-id: "${{ secrets.APP_ID }}"
21+
private-key: "${{ secrets.APP_PRIVATE_KEY }}"
22+
- uses: actions/checkout@v4
23+
with:
24+
repository: ${{ github.event.pull_request.head.repo.full_name }}
25+
ref: ${{ github.event.pull_request.head.ref }}
26+
token: "${{ steps.app-token.outputs.token }}"
27+
- uses: actions/setup-go@v5
28+
with:
29+
go-version: "1.24"
30+
check-latest: true
31+
- name: Extract updated dependency
32+
id: deps
33+
run: |
34+
set -euo pipefail
35+
# Example title:
36+
# "build(deps): Bump github.com/cosmos/cosmos-sdk from v0.46.0 to v0.47.0-rc1"
37+
38+
dep_name=$(grep -oE 'github.com/[^ ]+' <<<"$PR_TITLE" || true)
39+
dep_version=$(grep -oE 'to v?([0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?)' <<<"$PR_TITLE" | awk '{print $2}' || true)
40+
41+
if [[ -z "$dep_name" || -z "$dep_version" ]]; then
42+
echo "❌ Unable to parse dependency from PR title: $PR_TITLE" >&2
43+
exit 1
44+
fi
45+
46+
echo "name=$dep_name" >> "$GITHUB_OUTPUT"
47+
echo "version=${dep_version#v}" >> "$GITHUB_OUTPUT"
48+
- name: Update all Go modules
49+
run: |
50+
./scripts/go-update-dep-all.sh ${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}
51+
./scripts/go-mod-tidy-all.sh
52+
- name: Commit changes
53+
uses: EndBug/add-and-commit@v9
54+
with:
55+
default_author: user_info
56+
message: "${{ github.event.pull_request.title }} for all modules"
Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: "Dependency Review"
2+
on:
3+
pull_request:
4+
merge_group:
5+
6+
permissions:
7+
contents: read
8+
9+
jobs:
10+
dependency-review:
11+
runs-on: ubuntu-latest
12+
steps:
13+
- name: "Checkout Repository"
14+
uses: actions/checkout@v4
15+
- name: "Setup Go"
16+
uses: actions/setup-go@v5
17+
with:
18+
go-version: "1.24"
19+
check-latest: true
20+
- name: "Dependency Review"
21+
uses: actions/dependency-review-action@v4
22+
with:
23+
base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
24+
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
25+
fail-on-severity: high
26+
- name: "Go vulnerability check"
27+
id: govuln
28+
run: |
29+
# Run the vulnerability check and capture its output (ignoring non-zero exit codes)
30+
if ! make vulncheck 2>&1 | tee govulncheck-output.txt ; then
31+
echo "govulncheck failed to execute"
32+
exit 1
33+
fi
34+
35+
# Extract vulnerability identifiers from the output (e.g., GO-2025-3443)
36+
vulnerabilities=$(grep -o 'GO-[0-9]\{4\}-[0-9]\+' govulncheck-output.txt | sort | uniq)
37+
echo "Detected vulnerabilities: $vulnerabilities"
38+
39+
# Check if any vulnerability other than GO-2025-3443 exists
40+
for vuln in $vulnerabilities; do
41+
if [ "$vuln" != "GO-2025-3443" ]; then
42+
echo "Found vulnerability $vuln, failing..."
43+
exit 1
44+
fi
45+
done
46+
47+
echo "Only known vulnerability (GO-2025-3443) present. Continuing."
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
name: "Issue Labeler"
2+
on:
3+
issues:
4+
types: [opened]
5+
6+
jobs:
7+
triage:
8+
runs-on: ubuntu-latest
9+
steps:
10+
- uses: github/issue-labeler@v3.4
11+
# run only when the issue currently has NO labels
12+
if: ${{ join(github.event.issue.labels.*.name, '') == '' }}
13+
with:
14+
repo-token: "${{ secrets.GITHUB_TOKEN }}"
15+
configuration-path: .github/issue_labeler.yml
16+
enable-versioned-regex: 0

.github/workflows/lint-pr.yml

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: "Lint PR"
2+
3+
on:
4+
pull_request_target:
5+
types:
6+
- opened
7+
- edited
8+
- synchronize
9+
10+
permissions:
11+
contents: read
12+
13+
jobs:
14+
main:
15+
permissions:
16+
pull-requests: write # for amannn/action-semantic-pull-request to analyze PRs
17+
statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
18+
runs-on: ubuntu-latest
19+
steps:
20+
- uses: amannn/action-semantic-pull-request@v5.5.3
21+
id: lint_pr_title
22+
env:
23+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
24+
25+
- uses: marocchino/sticky-pull-request-comment@v2
26+
# When the previous steps fails, the workflow would stop. By adding this
27+
# condition you can continue the execution with the populated error message.
28+
if: always() && (steps.lint_pr_title.outputs.error_message != '')
29+
with:
30+
header: pr-title-lint-error
31+
message: |
32+
Hey there and thank you for opening this pull request! 👋🏼
33+
34+
We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
35+
36+
Details:
37+
38+
```
39+
${{ steps.lint_pr_title.outputs.error_message }}
40+
```
41+
42+
# Delete a previous comment when the issue has been resolved
43+
- if: ${{ steps.lint_pr_title.outputs.error_message == '' }}
44+
uses: marocchino/sticky-pull-request-comment@v2
45+
with:
46+
header: pr-title-lint-error
47+
delete: true

.github/workflows/pr_labeler.yml

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
name: "Pull Request Labeler"
2+
on:
3+
- pull_request_target
4+
5+
jobs:
6+
labeler:
7+
permissions:
8+
contents: read # for actions/labeler to determine modified files
9+
pull-requests: write # for actions/labeler to add labels to PRs
10+
runs-on: ubuntu-latest
11+
steps:
12+
- uses: actions/checkout@v4
13+
- uses: actions/labeler@v4 # v5 is broken, ref https://github.com/actions/labeler/issues/712. Do not bump.
14+
with:
15+
configuration-path: .github/pr_labeler.yml
16+
repo-token: "${{ secrets.GITHUB_TOKEN }}"

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
### Improvements
66

77
* [#1779](https://github.com/crypto-org-chain/cronos/pull/1779) Upgrade rocksdb to `v9.11.2`.
8+
* [#1824](https://github.com/crypto-org-chain/cronos/pull/1824) Rework on github actions.
89

910
*Jun 20, 2025*
1011

Makefile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -325,3 +325,7 @@ proto-check-breaking:
325325

326326

327327
.PHONY: proto-all proto-gen proto-format proto-lint proto-check-breaking
328+
329+
vulncheck: $(BUILDDIR)/
330+
GOBIN=$(BUILDDIR) go install golang.org/x/vuln/cmd/govulncheck@latest
331+
$(BUILDDIR)/govulncheck ./...

0 commit comments

Comments
 (0)