Update golangci/golangci-lint-action action to v9.2.0 #485
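---
# CI workflow: checks (templ codegen drift), release binary build with
# provenance/SBOM attestations, multi-arch container build + SBOM scan,
# e2e tests against real infrastructure, and a cleanup job.
name: CI

# `pull_request` (not `pull_request_target`) is used, so fork PRs run with a
# read-only token and without repository secrets; the steps that need secrets
# or write access are additionally gated on the event type below.
on:
  push:
    branches:
      - main
    tags:
      - "*"
  pull_request:
    branches:
      - main

env:
  # tailout environment variables
  TAILOUT_REGION: eu-west-3
  # Boolean-looking values are quoted on purpose: env values are strings.
  TAILOUT_NON_INTERACTIVE: "true"
  TAILOUT_CREATE_CONNECT: "true"
  TAILOUT_CREATE_SHUTDOWN: 5m
  TAILOUT_TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
  TAILOUT_TAILSCALE_AUTH_KEY: ${{ secrets.TAILSCALE_AUTH_KEY }}

defaults:
  run:
    shell: bash

concurrency:
  group: ${{ github.ref_name }}-ci
  cancel-in-progress: true

# Workflow-wide least privilege; individual jobs widen only what they need.
permissions:
  contents: read

jobs:
  checks:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup Golang Environment
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: stable
          cache-dependency-path: |
            go.sum
            .github/.cache/buster-for-checks
      - name: Generate templ code
        uses: capthiron/templ-generator-action@f1f7b5d0b261eccff32fa3fc17cf563d993fee94 # v1
        with:
          commit: "false"
          setup-go: "false"
          directory: "internal/views"
          templ-version: v0.3.960 # renovate: datasource=github-tags depName=a-h/templ
      # Fails the job if the committed generated code differs from a fresh run.
      - name: Check if templ code is up to date
        run: git diff --exit-code

  binary:
    runs-on: ubuntu-24.04
    permissions:
      contents: write # draft release / GoReleaser
      id-token: write # Sigstore signing and GitHub attestations
      attestations: write
      actions: write # `gh cache delete` below
    needs: checks
    outputs:
      cache-key: ${{ steps.restore-cache.outputs.cache-primary-key }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
      - name: Setup Golang Environment
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: stable
          cache-dependency-path: |
            go.sum
            .github/.cache/buster-for-binary
      - name: Restore Artifacts Cache
        id: restore-cache
        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ${{ github.workspace }}/dist
          key: tailout-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
      - name: Create/Update Draft
        uses: lucacome/draft-release@0ebb400b90474a1b791602046abf8394e9f5402d # v2.0.2
        with:
          minor-label: "enhancement"
          major-label: "change"
          publish: ${{ github.ref_type == 'tag' }}
          collapse-after: 30
        if: github.event_name != 'pull_request'
      - name: Download Syft
        uses: anchore/sbom-action/download-syft@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10
        if: github.ref_type == 'tag'
      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        if: github.ref_type == 'tag'
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: v2.13.0 # renovate: datasource=github-tags depName=goreleaser/goreleaser
          # Full release only on tags; otherwise a snapshot build that is not published.
          args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean
        env:
          # NOTE(review): a PAT is handed to GoReleaser although this job already
          # has `contents: write`; confirm the PAT is still required (e.g. for
          # cross-repository publishing), otherwise `${{ github.token }}` is the
          # narrower credential.
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
      # The two attestation steps use `continue-on-error: true`, so a failed
      # attestation does not fail a tagged release; check the job log if an
      # attestation is missing for a release.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
        continue-on-error: true
        with:
          # NOTE(review): `${GITHUB_REF_NAME#v}` is shell parameter expansion;
          # `with:` inputs only receive `${{ }}` expression substitution, so this
          # value may reach the action literally — confirm the action resolves it,
          # since `continue-on-error` would hide a missing-file failure.
          subject-checksums: tailout_${GITHUB_REF_NAME#v}_checksums.txt
        if: github.ref_type == 'tag'
      - name: Generate SBOM attestation
        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
        continue-on-error: true
        with:
          subject-path: 'dist/**/tailout*'
          sbom-path: 'dist/**/tailout*.sbom.spdx.json'
        if: github.ref_type == 'tag'
      - name: Print tailout version
        run: ./dist/tailout_linux_amd64_v1/tailout version
      # Delete the old cache on hit to emulate a cache update. See
      # https://github.com/actions/cache/issues/342.
      - name: Delete old cache
        env:
          GH_TOKEN: ${{ github.token }}
        if: steps.restore-cache.outputs.cache-hit == 'true'
        # Using `--repo` makes it so that this step doesn't require checking out the
        # repo first.
        run: gh cache delete --repo ${{ github.repository }} ${{ steps.restore-cache.outputs.cache-primary-key }}
      - name: Cache Artifacts
        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        if: always()
        with:
          path: ${{ github.workspace }}/dist
          key: ${{ steps.restore-cache.outputs.cache-primary-key }}

  build-and-push-image:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write # push to ghcr.io
      id-token: write # BuildKit provenance attestation
      security-events: write # SARIF upload
    services:
      # Local registry used as the build target on pull requests (see the
      # `enable=` condition on the ghcr.io image name below).
      # NOTE(review): this image is tag-pinned while every action in this file
      # is SHA-pinned; consider `registry:3@sha256:<digest>` — confirm.
      registry:
        image: registry:3
        ports:
          # Quoted: `host:container` port strings are ambiguous scalars in YAML 1.1.
          - "5000:5000"
    needs: binary
    steps:
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        with:
          version: latest
          driver-opts: network=host
      - name: Fetch Cached Artifacts
        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ${{ github.workspace }}/dist
          key: ${{ needs.binary.outputs.cache-key }}
      # Registry login only outside pull requests; on PRs the ghcr.io image name
      # is disabled, so `push: true` below only targets the local registry.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
        if: github.event_name != 'pull_request'
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: |
            name=ghcr.io/${{ github.repository }},enable=${{ github.event_name != 'pull_request' }}
            name=localhost:5000/tailout/tailout-local
          tags: |
            type=edge
            type=ref,event=pr
            type=semver,pattern={{version}}
      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: true
          pull: true
          platforms: linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x,linux/mips64le,linux/386,linux/riscv64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha,scope=tailout
          cache-to: type=gha,scope=tailout,mode=max
          # Non-PR builds bypass the layer cache so published images are rebuilt from scratch.
          no-cache: ${{ github.event_name != 'pull_request' }}
          provenance: mode=max
          sbom: true
      # Pulls the linux/amd64 SPDX SBOM out of the pushed image for scanning.
      - name: Inspect SBOM and output manifest
        run: |
          docker buildx imagetools inspect localhost:5000/tailout/tailout-local:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json
          docker buildx imagetools inspect localhost:5000/tailout/tailout-local:${{ steps.meta.outputs.version }} --raw
      # Informational scan: `fail-build: false` means findings never block the
      # job; they surface in the Security tab through the SARIF upload below.
      - name: Scan SBOM
        id: scan
        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
        with:
          sbom: "sbom.json"
          only-fixed: true
          add-cpes-if-none: true
          fail-build: false
      - name: Upload scan result to GitHub Security tab
        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
        continue-on-error: true
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  e2e-tests:
    runs-on: ubuntu-24.04
    # Runs only in the trusted context: never on forks and never for renovate,
    # since the job assumes a cloud role via OIDC and uses repository secrets.
    if: ${{ github.event.repository.fork == false && github.actor != 'renovate[bot]' }}
    needs: binary
    permissions:
      id-token: write # OIDC role assumption in the setup action
    strategy:
      fail-fast: false
      matrix:
        # Command values are literals defined here, not event data; entries
        # without a second/third command skip those steps via the `if`s below.
        include:
          - first_command: "tailout init"
          - first_command: "tailout create"
            second_command: "tailout status"
            third_command: "tailout disconnect"
          - first_command: "tailout create"
            second_command: "tailout disconnect"
            third_command: "tailout status"
    steps:
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup environment
        uses: ./.github/actions/setup
        with:
          region: ${{ env.TAILOUT_REGION }}
          role_arn: ${{ secrets.AWS_GITHUB_ACTIONS_TAILOUT_ROLE_ARN }}
          tailscale_oauth_client_id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
          tailscale_oauth_client_secret: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
      - name: First command
        run: ${{ matrix.first_command }}
      - name: Second command
        if: ${{ matrix.second_command != '' }}
        run: ${{ matrix.second_command }}
      - name: Third command
        if: ${{ matrix.third_command != '' }}
        run: ${{ matrix.third_command }}
      # TODO: check if the public IP address matches the one from the new instance

  # TODO: find a better concurrency pattern
  cleanup:
    runs-on: ubuntu-24.04
    if: ${{ github.event.repository.fork == false && github.actor != 'renovate[bot]' }}
    needs: e2e-tests
    # Serialised so two runs cannot tear down infrastructure concurrently.
    concurrency:
      group: cleanup
      cancel-in-progress: true
    permissions:
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup environment
        uses: ./.github/actions/setup
        with:
          region: ${{ env.TAILOUT_REGION }}
          role_arn: ${{ secrets.AWS_GITHUB_ACTIONS_TAILOUT_ROLE_ARN }}
          tailscale_oauth_client_id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
          tailscale_oauth_client_secret: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
      - name: Cleanup
        run: tailout stop --all
      # TODO: Add cleanup for github nodes as well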