Go CI #257
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Go CI | |
| "on": | |
| push: | |
| branches: | |
| - main | |
| pull_request: null | |
| workflow_dispatch: null | |
| schedule: | |
| - cron: "0 14 * * 1" # Mondays at 2pm UTC | |
| jobs: | |
| test: | |
| needs: get_refs | |
| strategy: | |
| matrix: | |
| go-version: [1.19.x, 1.20.x] | |
| os: | |
| - ubuntu-22.04 | |
| - macos-12 | |
| # - windows-2022 Can't install libzmq. | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - uses: actions/checkout@v4 | |
| - name: clone the tsp | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: IronCoreLabs/tenant-security-proxy | |
| ref: ${{ needs.get_refs.outputs.tenant-security-proxy }} | |
| path: tenant-security-proxy | |
| token: ${{ secrets.WORKFLOW_PAT }} | |
| - uses: actions/cache@v4 | |
| with: | |
| # In order: | |
| # * Module download cache | |
| # * Build cache (Linux) | |
| # * Build cache (Mac) | |
| # * Build cache (Windows) | |
| # * Cargo registry | |
| # * Cargo packages | |
| # * TSP build | |
| path: | | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| ~/Library/Caches/go-build | |
| ~\AppData\Local\go-build | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| tenant-security-proxy/target | |
| key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ matrix.go-version }}- | |
| - name: Decrypt TSC integration keys | |
| uses: IronCoreLabs/ironhide-actions/decrypt@v3 | |
| with: | |
| keys: ${{ secrets.IRONHIDE_KEYS }} | |
| input: .env.integration.iron | |
| - name: install zmq (linux) | |
| if: ${{ runner.os == 'Linux' }} | |
| run: sudo apt update && sudo apt install -y --no-install-recommends libzmq3-dev | |
| - name: install zmq (mac) | |
| if: ${{ runner.os == 'macOS' }} | |
| run: brew install zmq coreutils | |
| - name: Build TSP | |
| working-directory: tenant-security-proxy | |
| run: cargo build --release | |
| - name: Run tests | |
| run: | | |
| cd tenant-security-proxy && env $(cat ../.env.integration) cargo run --release & | |
| timeout 700 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:9000/ready)" =~ ''[01346-9][0-9][0-9]'' ]]; do sleep 5; done' || false | |
| env $(cat .env.integration) go test ./... -v | |
| lint: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.20.x | |
| - uses: actions/checkout@v4 | |
| - uses: golangci/golangci-lint-action@v6 | |
| with: | |
| version: v1.53 | |
| # Look for a comment telling us what refs to use from the other repos we depend on. | |
| # To add additional repositories, add them to "outputs" and to the "Setup list of required repos" step. | |
| get_refs: | |
| # Only run if it's on a PR. | |
| if: github.base_ref != '' | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| tenant-security-proxy: ${{ steps.get_refs.outputs.tenant-security-proxy }} | |
| steps: | |
| - name: Setup list of required repos | |
| run: | | |
| echo tenant-security-proxy >> repos | |
| - name: Get PR number | |
| id: get_pr | |
| run: | | |
| PR=$(jq -r .pull_request.number "${GITHUB_EVENT_PATH}") | |
| echo "PR is ${PR}" | |
| # Sanity check that ${PR} is a number. | |
| test "${PR}" -ge 0 | |
| echo "pr=${PR}" >> "$GITHUB_OUTPUT" | |
| - name: Find Comment | |
| uses: peter-evans/find-comment@v3 | |
| id: find_comment | |
| with: | |
| issue-number: ${{ steps.get_pr.outputs.pr }} | |
| body-includes: CI_branches | |
| - name: Parse refs | |
| if: steps.find_comment.outputs.comment-id != 0 | |
| id: get_refs | |
| env: | |
| COMMENT_BODY: ${{ steps.find_comment.outputs.comment-body }} | |
| run: | | |
| # Extract the JSON part of the comment into a file. | |
| echo "${COMMENT_BODY}" | tr '\n' ' ' | sed -e 's,^[^{]*,,' -e 's,[^}]*$,,' > refs.json | |
| echo "Got JSON:" | |
| cat refs.json && echo "" | |
| # Sanity check that all repos in the JSON comment are ones that we know about. | |
| jq -r 'keys[]' < refs.json > extra_repos | |
| for REPO in $(cat repos) ; do | |
| grep -v "^${REPO}\$" < extra_repos > temp || true | |
| mv temp extra_repos | |
| done | |
| if [ -s extra_repos ] ; then | |
| echo "Unrecognized repositories:" | |
| cat extra_repos | |
| exit 1 | |
| fi | |
| # Emit an output variable for each repo. | |
| for REPO in $(cat repos) ; do | |
| REF=$(jq -r '.["'"${REPO}"'"]' < refs.json) | |
| if [ "${REF}" = "null" ] ; then | |
| REF="main" | |
| fi | |
| echo "${REPO}: ${REF}" | |
| echo "${REPO}=${REF}" >> "$GITHUB_OUTPUT" | |
| done | |
| - name: Post a reaction (parsed your comment) | |
| if: steps.get_refs.outcome == 'success' | |
| uses: peter-evans/create-or-update-comment@v4 | |
| with: | |
| issue-number: ${{ steps.get_pr.outputs.pr }} | |
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | |
| reactions: eyes | |
| - name: Post a reaction (unparsed comment) | |
| if: steps.get_refs.outcome == 'failure' | |
| uses: peter-evans/create-or-update-comment@v4 | |
| with: | |
| issue-number: ${{ steps.get_pr.outputs.pr }} | |
| comment-id: ${{ steps.find_comment.outputs.comment-id }} | |
| reactions: confused |