fix(deps): update github.com/observatorium/api digest to 9a6dbb7 #704
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ main ] | |
| tags: | |
| - '*' | |
| pull_request: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| jobs: | |
| lint: | |
| name: lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.21.5' | |
| cache: true | |
| - uses: actions/checkout@v4 | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v4 | |
| with: | |
| # Optional: golangci-lint command line arguments. | |
| args: --issues-exit-code=1 --timeout=5m --disable typecheck | |
| - name: go vet | |
| run: go vet ./... | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| scanners: 'vuln,secret,config' | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| category: 'code' | |
| # Hotfix, run the scan twice because format sarif exit code is not working | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| scanners: 'vuln,secret,config' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.22.1' | |
| cache: true | |
| - name: Install dependencies | |
| run: go get . | |
| - name: Test | |
| run: go test -v ./... | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: ./.cache # Note that this path is not influenced by working-directory set in defaults, for example | |
| key: multena-proxy-${{ github.run_id }} | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.22.1' | |
| cache: true | |
| - name: Install dependencies | |
| run: go get . | |
| - name: Build | |
| run: CGO_ENABLED=0 GOOS=linux GOEXPERIMENT=loopvar go build -ldflags="-X main.Commit=$(git rev-parse HEAD)" -o . -v ./... | |
| - name: Change permissions | |
| run: | | |
| sudo chgrp -R 0 multena-proxy | |
| sudo chmod -R g=u multena-proxy | |
| - name: Copy build | |
| run: mkdir ./.cache && cp ./multena-proxy ./.cache/multena-proxy | |
| push: | |
| needs: [ build, test, scan, lint ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.merge_commit_sha }} | |
| fetch-depth: '0' | |
| - uses: actions/cache@v4 | |
| with: | |
| path: ./.cache # Note that this path is not influenced by working-directory set in defaults, for example | |
| key: multena-proxy-${{ github.run_id }} | |
| fail-on-cache-miss: true | |
| - name: move from cache | |
| run: mv ./.cache/multena-proxy ./multena-proxy | |
| - name: Set image name | |
| run: echo "IMAGE_ID=$(echo ${{ github.repository }} | tr '[A-Z]' '[a-z]')" >> $GITHUB_ENV | |
| - name: Get tag version | |
| id: tag_version | |
| uses: anothrNick/github-tag-action@1.67.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| WITH_V: true | |
| DRY_RUN: true | |
| DEFAULT_BUMP: patch | |
| RELEASE_BRANCHES: main | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ env.IMAGE_ID }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=raw,value=${{ github.head_ref }}-${{ steps.tag_version.outputs.new_tag }}, enable=${{ github.ref != 'refs/heads/main' }} | |
| type=raw,value=${{ github.head_ref }}-${{ steps.tag_version.outputs.new_tag }}-${{github.sha}}, enable=${{ github.ref != 'refs/heads/main' }} | |
| type=raw,value=${{github.sha}} | |
| type=semver,pattern={{version}},value=${{ steps.tag_version.outputs.new_tag }},enable={{is_default_branch}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Buildah Action | |
| id: build-image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| containerfiles: | | |
| ./build/Containerfile | |
| - name: Log in to the GitHub Container registry | |
| uses: redhat-actions/podman-login@v1 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: push image to trivy | |
| run: | | |
| buildah push ${{ steps.build-image.outputs.image-with-tag }} oci:./multena-proxy-oci | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| input: 'multena-proxy-oci' | |
| format: 'sarif' | |
| severity: 'CRITICAL,HIGH' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| category: 'container' | |
| - name: Image digest | |
| run: echo ${{ steps.docker_build.outputs.digest }} | |
| - name: Push to GitHub Container Repository | |
| id: push-to-ghcr | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: ${{ env.REGISTRY }} | |
| - name: Get tag version | |
| if: ${{ github.event_name != 'pull_request' }} | |
| id: tag_version_final | |
| uses: anothrNick/github-tag-action@1.67.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| WITH_V: true | |
| DRY_RUN: false | |
| DEFAULT_BUMP: patch | |
| RELEASE_BRANCHES: main | |