tektoncd
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 157 additions & 0 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 157 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/kind-e2e.yaml‎
Lines changed: 24 additions & 17 deletions b/‎.github/workflows/kind-e2e.yaml‎
Lines changed: 24 additions & 17 deletions
diff --git a/‎.github/workflows/lint.yaml‎
Lines changed: 0 additions & 53 deletions b/‎.github/workflows/lint.yaml‎
Lines changed: 0 additions & 53 deletions
@@ -0,0 +1,157 @@
+name: ci
+
+'on':
+  pull_request: {}
+  merge_group: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.merge_group.head_ref || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  changes:
+    name: categorize changes
+    runs-on: ubuntu-latest
+    outputs:
+      non-docs: ${{ steps.detect.outputs.non-docs }}
+      yaml: ${{ steps.detect.outputs.yaml }}
+    steps:
+      - name: Get base depth
+        id: base-depth
+        run: echo "base-depth=$(expr ${{ github.event.pull_request.commits }} + 1)" >> $GITHUB_OUTPUT
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: ${{ steps.base-depth.outputs.base-depth }}
+          persist-credentials: false
+      - name: detect
+        id: detect
+        run: |
+          git fetch origin ${GITHUB_BASE_REF}
+          CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | tr ' ' '\n')
+
+          echo -e "Changed files:\n${CHANGED_FILES}"
+
+          # If no files are changed at all, then `grep -v` will match even though no change outputs
+          # should be true. Skipping output on an empty set of changes eliminates the false positive
+          if [[ -n "${CHANGED_FILES}" ]]; then
+            NON_DOCS=$(echo "${CHANGED_FILES}" | grep -Eqv '\.md$' && echo 'true' || echo 'false')
+            YAML=$(echo "${CHANGED_FILES}" | grep -Eq '\.ya?ml$' && echo 'true' || echo 'false')
+            echo "non-docs=${NON_DOCS}" | tee -a $GITHUB_OUTPUT
+            echo "yaml=${YAML}" | tee -a $GITHUB_OUTPUT
+          fi
+
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    needs: [changes]
+    if: ${{ needs.changes.outputs.non-docs == 'true' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: "go.mod"
+      - name: build
+        run: |
+          go build -v ./...
+  linting:
+    name: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write # Used by golangci-lint to annotate code in the PR
+    needs: [changes]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: "go.mod"
+      - name: gofmt
+        if: ${{ needs.changes.outputs.non-docs == 'true' }}
+        run: |
+          gofmt_out=$(gofmt -d $(find * -name '*.go' ! -path 'vendor/*' ! -path 'third_party/*'))
+          if [[ -n "$gofmt_out" ]]; then
+            failed=1
+          fi
+          echo "$gofmt_out"
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        if: ${{ needs.changes.outputs.non-docs == 'true' }}
+        with:
+          version: v2.7.2
+          args: --new-from-merge-base=origin/${{ github.base_ref }} --timeout=10m
+      - name: yamllint
+        if: ${{ needs.changes.outputs.yaml == 'true' }}
+        run: |
+          apt-get update && apt-get install -y yamllint
+          make yamllint
+      - name: check-license
+        if: ${{ needs.changes.outputs.non-docs == 'true' }}
+        run: |
+          go install github.com/google/go-licenses@v1.0.0
+          go-licenses check ./...
+  tests:
+    needs: [build]
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: "go.mod"
+      - name: unit-test
+        run: |
+          make test-unit-verbose-and-race
+  e2e-tests:
+    needs: [build]
+    uses: ./.github/workflows/kind-e2e.yaml
+
+  ci-summary:
+    name: CI summary
+    needs: [build, linting, tests, e2e-tests]
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: Check CI results
+        run: |
+          results=(
+            "build=${NEEDS_BUILD_RESULT}"
+            "linting=${NEEDS_LINTING_RESULT}"
+            "tests=${NEEDS_TESTS_RESULT}"
+            "e2e-tests=${NEEDS_E2E_TESTS_RESULT}"
+          )
+          failed=0
+          for r in "${results[@]}"; do
+            name="${r%%=*}"
+            result="${r#*=}"
+            echo "${name}: ${result}"
+            if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then
+              failed=1
+            fi
+          done
+          if [ "$failed" -eq 1 ]; then
+            echo ""
+            echo "Some CI jobs failed or were cancelled"
+            exit 1
+          fi
+          echo ""
+          echo "All CI checks passed"
+        env:
+          NEEDS_BUILD_RESULT: ${{ needs.build.result }}
+          NEEDS_LINTING_RESULT: ${{ needs.linting.result }}
+          NEEDS_TESTS_RESULT: ${{ needs.tests.result }}
+          NEEDS_E2E_TESTS_RESULT: ${{ needs.e2e-tests.result }}
@@ -40,11 +40,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@a8d1ac45b9a34d11fe398d5503176af0d06b303e # v3.30.7
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@a8d1ac45b9a34d11fe398d5503176af0d06b303e # v3.30.7
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -71,6 +71,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@a8d1ac45b9a34d11fe398d5503176af0d06b303e # v3.30.7
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:${{matrix.language}}"
@@ -1,42 +1,49 @@
 name: Chains kind E2E Tests
 
-on:
-  pull_request:
-    branches:
-      - main
-      - release-*
+'on':
+  workflow_call: {}
+  # on:
+  # pull_request:
+  #   branches:
+  #   - main
+  #   - release-*
 
 defaults:
   run:
     shell: bash
-    working-directory: ./
 
 jobs:
   k8s:
+    permissions:
+      contents: read
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.k8s-version }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         # Keep in sync with the list of supported releases: https://kubernetes.io/releases/
-        # TODO: add 1.31.x once it is added in https://github.com/sigstore/scaffolding/releases
+        # Add latest k8s-version once it is added in https://github.com/sigstore/scaffolding/releases
         k8s-version:
-        - v1.28.x
-        - v1.29.x
-        - v1.30.x
+          - v1.31.x
+          - v1.32.x
+          - v1.33.x
     uses: ./.github/workflows/reusable-e2e.yaml
     with:
       k8s-version: ${{ matrix.k8s-version }}
-      pipelines-release: v0.50.1
+      pipelines-release: v1.2.0 # Latest version
   pipelines-lts:
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         pipelines-release:
-        # This should follow the list of versions from https://github.com/tektoncd/pipeline/blob/main/releases.md#release
-        - v0.53.5  # LTS
-        - v0.56.3  # LTS
-        - v0.59.2  # LTS
-        - v0.62.0
+          # This should follow the list of versions from
+          # https://github.com/tektoncd/pipeline/blob/main/releases.md#release
+          - v0.62.9  # LTS
+          - v0.65.7  # LTS
+          - v0.68.1  # LTS
+          - v1.0.0   # LTS
     uses: ./.github/workflows/reusable-e2e.yaml
     with:
-      k8s-version: v1.28.x
+      k8s-version: v1.30.x  # intersection of the latest version and scaffolding
       pipelines-release: ${{ matrix.pipelines-release }}