ci: bump the github-actions group with 6 updates #246
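---
# CI pipeline: lint, security scanning, unit/integration tests, then a
# single-target build, a cross-compile matrix, SBOM generation and (on main
# or v* tags only) a Docker image build and push.
name: CI

on:
  push:
    branches: [main, master, "features/**"]
    tags: ["v*"]
  pull_request:
    branches: [main, master]

# Restrict permissions to read-only by default (supply chain security).
# Jobs that need more (security-events, packages, id-token) widen it locally.
permissions:
  contents: read

env:
  GO_VERSION: "1.26"

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Check go mod tidy
        # Fails the job when go.mod/go.sum differ from what `go mod tidy` produces.
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum || (echo "::error::go.mod or go.sum is not tidy. Run 'go mod tidy' and commit." && exit 1)
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.10.1

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # For SARIF upload
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Verify dependencies
        # `go mod verify` checks the module cache against go.sum hashes.
        run: go mod download && go mod verify
      - name: Run govulncheck
        # Findings only emit a workflow warning; this step never fails the job.
        # NOTE(review): the scanner is installed from @latest, unlike the
        # SHA-pinned actions in this file — confirm an unpinned tool is intended.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./... || echo "::warning::govulncheck found vulnerabilities (may be stdlib issues)"
      - name: Run gosec
        # Exclusions:
        # - G104: Unhandled errors (too noisy for deferred closes)
        # - G117: Deprecated TLS versions (we use modern defaults)
        # - G118: Context cancel not called (false positive when cancel func is returned to caller)
        # - G704: SSRF via taint (false positive for reverse proxy - backends are from config)
        # - G706: Unsafe use of filepath.Clean (handled separately)
        # NOTE(review): gosec is also installed from @latest (unpinned).
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec -exclude=G104,G117,G118,G704,G706 -fmt sarif -out gosec.sarif ./...
      - name: Upload gosec SARIF
        # gosec exits non-zero when it reports findings, which would skip a
        # plain step and keep exactly those results out of code scanning.
        # Upload whenever the report file exists; the job's pass/fail outcome
        # is unchanged.
        if: ${{ !cancelled() && hashFiles('gosec.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: gosec.sarif
          category: gosec
      - name: Run Semgrep
        # NOTE(review): semgrep is installed unpinned via pip.
        run: |
          pip install semgrep
          semgrep scan --config p/golang --config p/security-audit --config p/secrets --sarif --output semgrep.sarif
      - name: Upload Semgrep SARIF
        # Same guard as the gosec upload: run whenever a report was written.
        if: ${{ !cancelled() && hashFiles('semgrep.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: semgrep.sarif
          category: semgrep
      - name: Run TruffleHog (secrets in git history)
        # Pinned to a commit on main rather than a release tag.
        # NOTE(review): the checkout above uses the action's default clone depth;
        # confirm it covers the history range this step is meant to scan.
        uses: trufflesecurity/trufflehog@586f66d7886cd0b037c7c245d4a6e34ef357ab10 # main
        with:
          extra_args: --only-verified

  test:
    name: Unit Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Download dependencies
        run: go mod download
      - name: Run unit tests
        # Coverage is collected for ./internal/... while running ./test/unit/...
        run: go test -v -race -coverpkg=./internal/... -coverprofile=coverage.out ./test/unit/...
      - name: Upload coverage
        # fail_ci_if_error is false, so a failed upload does not fail the job.
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: coverage.out
          fail_ci_if_error: false
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    services:
      redis:
        image: redis:7-alpine
        ports:
          # Quoted so the host:container mapping is never read as a number.
          - "6379:6379"
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Download dependencies
        run: go mod download
      - name: Run integration tests
        run: go test -v -race ./test/integration/...
        env:
          ELIDA_REDIS_ADDR: localhost:6379

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [lint, security, test]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Download dependencies
        run: go mod download
      - name: Build binary
        # The ref name is passed through the environment rather than
        # interpolated into the command: `${{ }}` is expanded before the shell
        # runs, and a ref name is not guaranteed to be shell-safe. The shell
        # expands the quoted variable, so ldflags receives the same value.
        env:
          VERSION: ${{ github.ref_name }}
        run: go build -ldflags="-X main.Version=${VERSION}" -o bin/elida ./cmd/elida
      - name: Verify binary
        # Smoke check only: `|| true` means a failing or missing -version flag
        # does not fail the job.
        run: ./bin/elida -version || true

  build-matrix:
    name: Build (${{ matrix.os }}/${{ matrix.arch }})
    runs-on: ubuntu-latest
    needs: [lint, security, test]
    strategy:
      matrix:
        include:
          - os: linux
            arch: amd64
          - os: linux
            arch: arm64
          - os: darwin
            arch: amd64
          - os: darwin
            arch: arm64
          - os: windows
            arch: amd64
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Download dependencies
        run: go mod download
      - name: Build binary
        # matrix.os / matrix.arch come from the static include list above.
        run: |
          GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o bin/elida-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.os == 'windows' && '.exe' || '' }} ./cmd/elida
      - name: Upload artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: elida-${{ matrix.os }}-${{ matrix.arch }}
          path: bin/elida-${{ matrix.os }}-${{ matrix.arch }}*

  sbom:
    name: SBOM Generation
    runs-on: ubuntu-latest
    needs: [lint, security, test]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Generate SBOM (CycloneDX)
        # NOTE(review): cyclonedx-gomod is installed from @latest (unpinned).
        run: |
          go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
          cyclonedx-gomod mod -licenses -json -output sbom.cdx.json
          cyclonedx-gomod mod -licenses -output sbom.cdx.xml
      - name: Set up Rust
        # Pinned to a commit on master rather than a release tag.
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
        with:
          toolchain: stable
      - name: Cache Rust
        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
      - name: Install sbom-tools
        # NOTE(review): built from crates.io at whatever version is current (unpinned).
        run: |
          cargo install sbom-tools
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Analyze SBOM
        run: |
          sbom-tools quality sbom.cdx.json
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: sbom
          path: |
            sbom.cdx.json
            sbom.cdx.xml

  docker:
    name: Docker Build & Push
    runs-on: ubuntu-latest
    needs: [lint, security, test, sbom]
    # Only run on main branch or tags
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: read
      packages: write
      # NOTE(review): no step in this job visibly consumes an OIDC token;
      # confirm id-token: write is still needed, else drop it (least privilege).
      id-token: write # For OIDC
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ secrets.DOCKERHUB_USERNAME }}/elida
          # branch name, semver tags, bare short SHA, and `latest` on main only
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix=
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
      - name: Build and push
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: VERSION=${{ steps.meta.outputs.version }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64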