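name: Build and test

# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v0, @v3, @v4, @v5). For supply-chain hardening, pin each one to a full
# commit SHA (e.g. `uses: actions/checkout@<commit-sha>  # v4`) and let a
# dependency bot bump them.
# NOTE(review): no top-level `permissions:` is set, so every job (including the
# reusable test.yml jobs) inherits the repository's default GITHUB_TOKEN scopes.
# A top-level `permissions: { contents: read }` plus `contents: write` only on
# build_binary (GoReleaser release) would be least-privilege -- confirm what
# test.yml needs before restricting.
on:
  workflow_dispatch:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+*"
  pull_request:
    branches:
      - "master"
    paths-ignore:
      - "**/*.md"
      - "doc/**"
      - ".gitignore"
      - ".hadolint.yaml"
      - ".pre-commit-config.yaml"
      - ".yamllint.yaml"
      - "LICENSE"
      - "Makefile"

jobs:
  build_binary:
    name: Build the binary
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: GoReleaser derives the version and changelog from tags.
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.19
      - name: Install UPX
        run: sudo apt-get install -y upx
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@v0
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          distribution: goreleaser
          # NOTE(review): `latest` resolves to whatever GoReleaser ships on the
          # day of the run; pin a version for reproducible releases.
          version: latest
          # A tag push produces a real release; any other event is a snapshot build.
          args: ${{ startsWith(github.event.ref, 'refs/tags/') && 'release --rm-dist' || 'build --snapshot --rm-dist' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload the binaries
        uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/*
          retention-days: 7

  #####
  test_binary:
    name: Test the binary
    needs: build_binary
    uses: ./.github/workflows/test.yml
    strategy:
      fail-fast: false
      matrix:
        platform:
          - os: linux
            runner: ubuntu-latest
          - os: darwin
            runner: macos-latest
          - os: windows
            runner: windows-latest
    with:
      os: ${{ matrix.platform.os }}
      runner: ${{ matrix.platform.runner }}
      test_docker_image: false

  #####
  build_docker_image:
    name: Build the Docker image
    needs: test_binary
    # Only this job may write packages; the other jobs keep the default scope.
    # NOTE(review): this job also runs on pull_request, where the token of a
    # fork-originated PR is read-only, so the push step would fail there.
    permissions:
      packages: write
    strategy:
      fail-fast: false
      matrix:
        platform:
          - os: linux
            platforms: "linux/amd64,linux/arm64"
          - os: darwin
            platforms: "linux/amd64,linux/arm64"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      - name: Make binaries executable
        # Artifact upload/download does not preserve the executable bit.
        run: chmod +x dist/*/terraform-graph-beautifier
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: ${{ matrix.platform.platforms }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: docker_metadata
        name: Generate the Docker metadata
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }} # Will give: ghcr.io/owner/repository
          flavor: |
            latest=auto
            suffix=-${{ matrix.platform.os }},onlatest=true
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
      - name: Export the Docker metadata
        # The metadata JSON embeds ref-derived values (branch and PR names), so it
        # is handed to the shell through `env` rather than expanded by `${{ }}`
        # into the script text, where the shell would interpret it. The action
        # output is written verbatim so the `jq` step below reads plain JSON;
        # `matrix.platform.os` comes from the static matrix above.
        env:
          DOCKER_METADATA_JSON: ${{ steps.docker_metadata.outputs.json }}
        run: |
          printf '%s\n' "${DOCKER_METADATA_JSON}" > "docker_metadata_${{ matrix.platform.os }}.json"
      - name: Upload the Docker metadata
        uses: actions/upload-artifact@v3
        with:
          name: docker_metadata_${{ matrix.platform.os }}
          path: docker_metadata_${{ matrix.platform.os }}.json
          retention-days: 7
      - name: Get the first image tag
        # Take the first tag and make it available as an environment variable
        # for the remaining steps of this job.
        run: |
          echo "DOCKER_IMAGE_TAG=$(jq -r '.tags[0]' "docker_metadata_${{ matrix.platform.os }}.json")" >> "${GITHUB_ENV}"
      - name: Build and push the Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          target: binary_from_build_context
          platforms: ${{ matrix.platform.platforms }}
          tags: ${{ steps.docker_metadata.outputs.tags }}
          labels: ${{ steps.docker_metadata.outputs.labels }}
          push: true
      - name: Analyze the image efficiency
        # The tag is read from the step environment (set via GITHUB_ENV above)
        # instead of being spliced into the script with `${{ env.… }}`, since it
        # is derived from ref names.
        # NOTE(review): `wagoodman/dive:latest` is a mutable tag and the
        # container is handed the host Docker socket; pin it by digest
        # (`wagoodman/dive@sha256:<digest>`).
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            wagoodman/dive:latest \
            --ci \
            --lowestEfficiency=0.95 \
            --highestUserWastedPercent=0.05 \
            "${DOCKER_IMAGE_TAG}"
      - name: Run Trivy vulnerability scanner
        # TODO(review): this action ref appears mangled on the rendered page;
        # restore the pinned trivy-action version (ideally a commit SHA).
        uses: aquasecurity/[email protected]
        with:
          image-ref: ${{ env.DOCKER_IMAGE_TAG }}
          format: "table"
          # Fail the job on findings of the listed severities.
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          security-checks: "vuln,secret,config"
          severity: "CRITICAL,HIGH"

  #####
  test_docker_image:
    name: Test the Docker image
    needs: build_docker_image
    uses: ./.github/workflows/test.yml
    strategy:
      fail-fast: false
      matrix:
        platform:
          - os: linux
            runner: ubuntu-latest
          - os: darwin
            runner: macos-latest
    with:
      os: ${{ matrix.platform.os }}
      runner: ${{ matrix.platform.runner }}
      test_docker_image: true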