Skip to content

chore(ci): bump actions/checkout from 4.1.1 to 4.1.2 #33

chore(ci): bump actions/checkout from 4.1.1 to 4.1.2

chore(ci): bump actions/checkout from 4.1.1 to 4.1.2 #33

Workflow file for this run

name: ci
on:
merge_group:
push:
branches:
- main
- master
paths-ignore:
- '**/*.md'
pull_request:
branches:
- "**"
paths-ignore:
- '**/*.md'
env:
GOLANG_VERSION: '1.22.x'
permissions:
contents: read # for actions/checkout to fetch code
jobs:
build:
name: Build Binary and Docker Image
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
packages: write # to upload docker image(s) to ghcr.io
id-token: write # identity challenge with sigstore/fulcio
env:
GOFLAGS: -trimpath
GOOS: linux
GOARCH: amd64
steps:
- name: Checkout Repo
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GOLANG_VERSION }}
- name: Build Go Binary
run: go build -o .build/${GOOS}-${GOARCH}/node_exporter
- name: Generate Go Binary hashes
shell: bash
id: binhash
run: |
# single-line base64 encoded checksum(s)
echo "hashes=$(cd .build/${GOOS}-${GOARCH} >/dev/null 2>&1 && sha256sum node_exporter | tee node_exporter.sha256sum | base64 -w0)" >>"$GITHUB_OUTPUT"
- name: Upload Go Binary
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: node_exporter
path: .build/${GOOS}-${GOARCH}/node_exporter
retention-days: 14 # 90 is the default
- name: Upload Go Binary Checksum
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: node_exporter.sha256sum
path: .build/${GOOS}-${GOARCH}/node_exporter.sha256sum
retention-days: 14 # 90 is the default
- name: Setup Docker
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
id: buildx
- name: Extract GitHub Metadata for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ghcr.io/${{ github.repository }}
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Docker Image (and push if not PR)
id: build-and-push
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: .
file: Dockerfile
load: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: |
type=gha,scope=${{ github.workflow }}
cache-to: |
type=gha,scope=${{ github.workflow }},mode=max
- name: Install cosign (if signing)
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
- name: Generate SBOM with Trivy
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
with:
image-ref: ${{ steps.meta.outputs.tags }}
scan-type: image
format: cyclonedx
output: trivy-sbom.json
- name: Scan Image with Trivy
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
with:
scan-ref: trivy-sbom.json
scan-type: sbom
ignore-unfixed: true
format: sarif
output: trivy-image-vuln-report.sarif
- name: Upload Trivy SBOM
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: trivy-sbom
path: trivy-sbom.json
retention-days: 14 # 90 is the default
- name: Upload Trivy Vulnerability Report
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: trivy-image-vuln-report
path: trivy-image-vuln-report.sarif
retention-days: 14 # 90 is the default
- name: Generate Trivy hashes
shell: bash
id: trivyhash
run: |
# single-line base64 encoded checksum(s)
echo "hashes=$(sha256sum trivy-sbom.json trivy-image-vuln-report.sarif | base64 -w0)" >>"$GITHUB_OUTPUT"
outputs:
binhashes: ${{ steps.binhash.outputs.hashes }}
trivyhashes: ${{ steps.trivyhash.outputs.hashes }}
tags: ${{ steps.meta.outputs.tags }}
image-digest: ${{ steps.build-and-push.outputs.digest }}
test:
name: Unit Testing
runs-on: ubuntu-latest
env:
GOFLAGS: -trimpath -tags=nobtrfs
steps:
- name: Checkout Repo
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GOLANG_VERSION }}
- name: Test (Unit)
run: |
make collector/fixtures/sys/.unpacked collector/fixtures/udev/.unpacked
go install gotest.tools/gotestsum@latest
gotestsum --format github-actions --jsonfile test-results/unittests.json --junitfile test-results/unittests.xml -- -coverprofile=coverage.out ./...
- name: Upload code coverage
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: code-coverage
path: coverage.out
- name: Generate test results
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: test-results
path: test-results/
lint:
name: Linting with Go ${{ matrix.go-version }}
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
steps:
- name: Checkout Repo
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
cache: false # golangci-lint-action has its own cache
go-version: ${{ env.GOLANG_VERSION }}
- name: golangci-lint
env:
GOFLAGS: -trimpath
uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
with:
version: v1.56.2
publish-binary-provenance:
name: Publish Binary Provenance
if: ${{ github.event_name != 'pull_request' }}
needs:
- build
permissions:
contents: write # for SLSA to upload attestations as build assets
actions: read # for SLSA to read the environment
id-token: write # for SLSA to create OIDC tokens for signing
# Note: SLSA action must be referenced by a tag rather than by a digest
# https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
base64-subjects: "${{ needs.build.outputs.binhashes }}"
publish-image-provenance:
name: Publish Image Provenance
if: ${{ github.event_name != 'pull_request' }}
needs:
- build
permissions:
contents: write # for SLSA to upload attestations as build assets
actions: read # for SLSA to read the environment
id-token: write # for SLSA to create OIDC tokens for signing
packages: write # for SLSA to upload attestations to registry
# Note: SLSA action must be referenced by a tag rather than by a digest
# https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
with:
image: ${{ needs.build.outputs.tags }}
digest: ${{ needs.build.outputs.image-digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
publish-sbom-provenance:
name: Publish SBOM Provenance
if: ${{ github.event_name != 'pull_request' }}
needs:
- build
permissions:
contents: write # for SLSA to upload attestations as build assets
actions: read # for SLSA to read the environment
id-token: write # for SLSA to create OIDC tokens for signing
# Note: SLSA action must be referenced by a tag rather than by a digest
# https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
base64-subjects: "${{ needs.build.outputs.trivyhashes }}"