66 pull_request :
77 branches :
88 - main
9+ env :
10+ GOPATH : /home/runner/go/
11+ GOPROXY : " https://proxy.golang.org"
12+ REGISTRY_IMAGE : ghcr.io/pluralsh/plural-cli
913jobs :
10- contract-validation :
11- name : Validate PR Contracts
14+
15+ test :
16+ name : Unit test
1217 runs-on : ubuntu-latest
1318 steps :
1419 - uses : actions/checkout@v4
15- name : checkout repo
20+ - uses : actions/setup-go@v5
21+ with :
22+ go-version-file : go.mod
23+ - run : make test
1624
25+ lint :
26+ name : Lint
27+ runs-on : ubuntu-latest
28+ steps :
29+ - uses : actions/checkout@v4
1730 - uses : actions/setup-go@v5
1831 with :
1932 go-version-file : go.mod
33+ - name : golangci-lint
34+ uses : golangci/golangci-lint-action@v7
35+ with :
36+ version : v2.1.5
37+ skip-cache : true
2038
39+ contract-validation :
40+ name : Validate PR Contracts
41+ runs-on : ubuntu-latest
42+ steps :
43+ - uses : actions/checkout@v4
44+ - uses : actions/setup-go@v5
45+ with :
46+ go-version-file : go.mod
2147 - run : make install-cli
22-
2348 - name : Run Plural PR Contracts Validation
24- run : |
25- plural pr contracts --file test/contracts.yaml --validate || { echo "❌ Contract validation failed! Blocking merge."; exit 1; }
49+ run : plural pr contracts --file test/contracts.yaml --validate
2650
27- image :
51+ build- image :
2852 name : Build image
29- runs-on : ubuntu-latest
53+ needs : [test]
3054 permissions :
3155 contents : ' read'
3256 id-token : ' write'
3357 packages : ' write'
3458 security-events : write
3559 actions : read
60+ strategy :
61+ fail-fast : false
62+ matrix :
63+ platforms :
64+ - platform : linux/amd64
65+ runner : ubuntu-24.04
66+ - platform : linux/arm64
67+ runner : ubuntu-24.04-arm
68+ runs-on : ${{ matrix.platforms.runner }}
69+
3670 steps :
3771 - name : Checkout
3872 uses : actions/checkout@v4
73+ - name : Prepare
74+ run : |
75+ platform=${{ matrix.platforms.platform }}
76+ echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
3977 - name : Docker meta
4078 id : meta
41- uses : docker/metadata-action@v4
79+ uses : docker/metadata-action@v5
4280 with :
43- # list of Docker images to use as base name for tags
44- images : |
45- ghcr.io/pluralsh/plural-cli
46- # generate Docker tags based on the following events/attributes
47- tags : |
48- type=sha
49- type=ref,event=pr
50- type=ref,event=branch
81+ images : ${{ env.REGISTRY_IMAGE }}
5182 - name : Set up QEMU
5283 uses : docker/setup-qemu-action@v3
5384 - name : Set up Docker Buildx
@@ -61,20 +92,68 @@ jobs:
6192 - name : Get current date
6293 id : date
6394 run : echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
64- - uses : docker/build-push-action@v6
95+ - name : Build and push by digest
96+ id : build
97+ uses : docker/build-push-action@v6
6598 with :
66- context : .
67- file : ./Dockerfile
68- push : true
69- tags : ${{ steps.meta.outputs.tags }}
99+ context : " ."
100+ file : " ./Dockerfile"
101+ tags : ${{ env.REGISTRY_IMAGE }}
70102 labels : ${{ steps.meta.outputs.labels }}
71- platforms : linux/amd64,linux/arm64
72- # cache-from: type=gha
73- # cache-to: type=gha,mode=max
103+ platforms : ${{ matrix.platforms.platform }}
104+ outputs : type=image,push-by-digest=true,name-canonical=true,push=true
105+ cache-from : type=gha
106+ cache-to : type=gha,mode=max
74107 build-args : |
75108 APP_VSN=dev
76109 APP_COMMIT=${{ github.sha }}
77110 APP_DATE=${{ steps.date.outputs.date }}
111+ - name : Export digest
112+ run : |
113+ mkdir -p ${{ runner.temp }}/digests
114+ digest="${{ steps.build.outputs.digest }}"
115+ touch "${{ runner.temp }}/digests/${digest#sha256:}"
116+ - name : Upload digest
117+ uses : actions/upload-artifact@v4
118+ with :
119+ name : digests-${{ env.PLATFORM_PAIR }}
120+ path : ${{ runner.temp }}/digests/*
121+ if-no-files-found : error
122+ retention-days : 1
123+
124+ publish-image :
125+ name : Publish image
126+ needs : [build-image]
127+ runs-on : ubuntu-latest
128+ steps :
129+ - name : Download digests
130+ uses : actions/download-artifact@v4
131+ with :
132+ path : ${{ runner.temp }}/digests
133+ pattern : digests-*
134+ merge-multiple : true
135+ - name : Login to GHCR
136+ uses : docker/login-action@v3
137+ with :
138+ registry : ghcr.io
139+ username : ${{ github.repository_owner }}
140+ password : ${{ secrets.GITHUB_TOKEN }}
141+ - name : Set up Docker Buildx
142+ uses : docker/setup-buildx-action@v3
143+ - name : Docker meta
144+ id : meta
145+ uses : docker/metadata-action@v5
146+ with :
147+ images : ghcr.io/pluralsh/plural-cli
148+ tags : |
149+ type=sha
150+ type=ref,event=pr
151+ type=ref,event=branch
152+ - name : Create manifest list and push
153+ working-directory : ${{ runner.temp }}/digests
154+ run : |
155+ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
156+ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
78157 - name : Run Trivy vulnerability scanner on cli image
79158 uses : aquasecurity/trivy-action@master
80159 with :
@@ -85,24 +164,11 @@ jobs:
85164 output : ' trivy-results.sarif'
86165 scanners : ' vuln'
87166 ignore-unfixed : true
88- # severity: 'CRITICAL,HIGH'
89167 - name : Upload Trivy scan results to GitHub Security tab
90168 uses : github/codeql-action/upload-sarif@v2
91169 with :
92170 sarif_file : ' trivy-results.sarif'
93- # - name: Configure AWS Credentials
94- # uses: aws-actions/configure-aws-credentials@v4
95- # if: always()
96- # with:
97- # aws-region: us-east-2
98- # role-to-assume: arn:aws:iam::312272277431:role/github-actions/buildx-deployments
99- # role-session-name: PluralCLI
100- # - name: Manually cleanup buildx
101- # if: always()
102- # run: |
103- # docker buildx stop ${{ steps.builder.outputs.name }}
104- # sleep 10
105- # docker buildx rm ${{ steps.builder.outputs.name }}
171+
106172 # cloud:
107173 # name: Build cloud image
108174 # runs-on: ubuntu-latest
@@ -261,28 +327,6 @@ jobs:
261327 uses : github/codeql-action/upload-sarif@v2
262328 with :
263329 sarif_file : ' trivy-results.sarif'
264- test :
265- name : Unit test
266- runs-on : ubuntu-latest
267- steps :
268- - uses : actions/checkout@v4
269- - uses : actions/setup-go@v5
270- with :
271- go-version-file : go.mod
272- - run : make test
273- lint :
274- name : Lint
275- runs-on : ubuntu-latest
276- steps :
277- - uses : actions/checkout@v4
278- - uses : actions/setup-go@v5
279- with :
280- go-version-file : go.mod
281- - name : golangci-lint
282- uses : golangci/golangci-lint-action@v4
283- with :
284- version : v1.62.2
285- skip-cache : true
286330 build :
287331 name : GoReleaser build
288332 runs-on : ubuntu-latest
0 commit comments