-
Notifications
You must be signed in to change notification settings - Fork 42
138 lines (124 loc) · 4 KB
/
Copy pathpull_request_ci.yaml
File metadata and controls
138 lines (124 loc) · 4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: Build PR
on:
pull_request:
workflow_dispatch:
permissions:
contents: read
pull-requests: read
actions: read
concurrency:
group: pull-request-ci-${{ github.ref }}
cancel-in-progress: true
jobs:
changes:
runs-on: ubuntu-latest
outputs:
# Expose matched filters as job 'src' output variable
paths: ${{ steps.filter.outputs.changes }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
with:
filters: .github/filters.yml
yamllint:
runs-on: ubuntu-latest
needs: changes
if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Validate YAML file
run: yamllint templates
go-build:
runs-on: ubuntu-latest
needs: changes
if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
golang.org:443
go.dev:443
proxy.golang.org:443
sum.golang.org:443
*.githubusercontent.com:443
storage.googleapis.com:443
mise.jdx.dev:443
mise-versions.jdx.dev:443
tuf-repo-cdn.sigstore.dev:443
dl.k8s.io:443
cdn.dl.k8s.io:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Mise
uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
with:
install_args: go
- name: Build
run: mise run build
- name: Check for generated diff
run: mise run check-gen-diff
image-build:
runs-on: ubuntu-latest
needs: changes
if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
index.docker.io:443
proxy.golang.org:443
sum.golang.org:443
go.dev:443
dl.google.com:443
golang.org:443
*.githubusercontent.com:443
registry-1.docker.io:443
auth.docker.io:443
production.cloudflare.docker.com:443
production.cloudfront.docker.com:443
gcr.io:443
storage.googleapis.com:443
mise.jdx.dev:443
mise-versions.jdx.dev:443
tuf-repo-cdn.sigstore.dev:443
dl.k8s.io:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Mise
uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
with:
install_args: go ko
- name: Build the image
run: mise run ko-build