ci.yml
---
# Entry-point workflow. Each job under `jobs:` is selected by its own `if:`
# condition on the triggering event and, for manual runs, on the `workflow`
# input declared here.
name: CI/CD
on:
  # Pushes to main, and pull requests that target main.
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened
  # Manual runs pick one pipeline. `type: choice` limits the offered values to
  # the list below, and the jobs compare the input against fixed strings only.
  workflow_dispatch: # checkov:skip=CKV_GHA_7:workflow_dispatch inputs are required to select the pipeline
    inputs:
      workflow:
        required: true
        type: choice
        options:
          - lint
          - analyze
          - release
          - update
        description: Choose the workflow to run
        default: lint
# Workflow-wide default for GITHUB_TOKEN: read-only access to repository
# contents. Every job in this file that needs more declares its own
# `permissions:` block.
permissions:
  contents: read
defaults:
  run:
    # -e: stop at the first failing command; -u: unset variables are errors;
    # -o pipefail: a pipeline fails if any stage fails.
    shell: bash -euo pipefail {0}
    working-directory: .
jobs:
  # Lint and scan the Go package in ./src on push, pull request, or a manual
  # run with workflow=lint. The steps themselves live in the called workflow.
  go-lint-and-scan:
    if: >
      github.event_name == 'push'
      || github.event_name == 'pull_request'
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'lint')
    permissions:
      contents: read
      # presumably needed to upload scan results to code scanning; confirm in
      # the called workflow
      security-events: write
    uses: ./.github/workflows/go-package-lint-and-scan.yml
    with:
      package-path: ./src
      go-version: stable
  # Lint and scan the workflow definitions under .github/workflows; same
  # triggers as the Go lint job.
  github-actions-lint-and-scan:
    if: >
      github.event_name == 'push'
      || github.event_name == 'pull_request'
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'lint')
    permissions:
      contents: read
      security-events: write
      actions: read
    uses: ./.github/workflows/github-actions-lint-and-scan.yml
    with:
      search-path: .github/workflows
      go-version: stable
      python-version: 3.x
  # CodeQL analysis on push or a manual run with workflow=analyze. It does not
  # run on pull_request, so it is not a pre-merge check in this workflow.
  github-codeql-analysis:
    if: >
      github.event_name == 'push'
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'analyze')
    permissions:
      contents: read
      security-events: write
      actions: read
    uses: ./.github/workflows/github-codeql-analysis.yml
    with:
      # Passed as text holding a JSON array; presumably decoded by the called
      # workflow (confirm there).
      language: >
        ["go"]
  # Release, only reachable through a manual run with workflow=release.
  # contents: write lets the called workflow modify repository contents with
  # the token handed over below.
  github-release:
    if: >
      github.event_name == 'workflow_dispatch' && inputs.workflow == 'release'
    permissions:
      contents: write
    uses: ./.github/workflows/github-release.yml
    with:
      create-new-tag: false
    secrets:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Runs after github-release in the same manual release run.
  github-major-version-tag:
    if: >
      github.event_name == 'workflow_dispatch' && inputs.workflow == 'release'
    needs:
      - github-release
    permissions:
      contents: write
    uses: ./.github/workflows/github-major-version-tag.yml
    secrets:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Auto-merge for pull requests opened by dependabot[bot]. `needs` ties it to
  # the two lint jobs; the CodeQL job is not a prerequisite.
  # NOTE(review): the gate checks the PR author, not who pushed the latest
  # commit. Confirm that the called workflow or branch protection covers
  # commits added to a Dependabot branch by someone else.
  dependabot-auto-merge:
    if: >
      github.event_name == 'pull_request'
      && github.event.pull_request.user.login == 'dependabot[bot]'
    needs:
      - go-lint-and-scan
      - github-actions-lint-and-scan
    permissions:
      contents: write
      pull-requests: write
      actions: read
    uses: ./.github/workflows/dependabot-auto-merge.yml
    with:
      # NOTE(review): the meaning of `unconditional` is defined in the called
      # workflow; confirm it does not merge update types that should get a
      # human review.
      unconditional: true
    secrets:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Markdown formatting; runs on push, pull request, or a manual run with
  # workflow=update, with a token that can write contents and pull requests.
  markdown-format-and-pr:
    if: >
      github.event_name == 'push'
      || github.event_name == 'pull_request'
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'update')
    permissions:
      contents: write
      pull-requests: write
    uses: ./.github/workflows/markdown-format-and-pr.yml
    secrets:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Builds the generator in ./src, runs it, then commits and pushes README.md.
  # NOTE(review): this job compiles and executes code from the checked-out ref
  # while it holds a contents: write / pull-requests: write token, and on
  # pull_request that ref is the PR's head branch. Confirm who can open
  # same-repository pull requests, and how pull requests from forks (read-only
  # token by default) are meant to behave here.
  update-readme-md:
    if: >
      github.event_name == 'push'
      || github.event_name == 'pull_request'
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'update')
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-slim
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment on each `uses:` line records the matching release tag.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
          # head_ref is only set for pull request events; other events fall
          # back to ref_name.
          ref: ${{ github.head_ref || github.ref_name }}
          # Leaves the token in the local git configuration for every later
          # step, including the build and the binary it produces. Presumably
          # required so the final step can push; confirm before changing.
          persist-credentials: true
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: stable
      # NOTE(review): no step visible in this job calls node directly, and
      # `latest` floats with every release. Confirm this step is needed and
      # whether a fixed major version would be preferable.
      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: latest
      - name: Install dependencies
        working-directory: ./src
        run: |
          go mod download
      # The ref name reaches the script through the VERSION environment
      # variable and is expanded by the shell inside double quotes, so it is
      # never spliced into the script text by the expression engine.
      - name: Build the Go program
        working-directory: ./src
        env:
          VERSION: ${{ github.ref_name || github.head_ref || 'unknown' }}
        run: |
          go build -ldflags "-X main.version=${VERSION}" -o build_readme_md .
      - name: Update README.md
        working-directory: ./src
        run: |
          ./build_readme_md
      # Only ./README.md is staged; the commit is pushed from this job.
      - name: Commit and push the changes
        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
        with:
          add: ./README.md
          message: Update README.md
          push: true
          github_token: ${{ secrets.GITHUB_TOKEN }}