diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml new file mode 100644 index 0000000..d992f7a --- /dev/null +++ b/.github/workflows/check-generated.yml @@ -0,0 +1,46 @@ +name: Check generated files + +on: + push: + branches: + - master + pull_request: + branches: + - "*" + schedule: + - cron: "00 13 * * 1" + + workflow_dispatch: {} + +env: + GO_VERSION: "1.19" + +jobs: + check-go-generate: + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install Go + uses: actions/setup-go@v3 + with: + go-version: ${{ env.GO_VERSION }}.x + check-latest: true + cache: true + + - run: | + go install github.com/kyleconroy/sqlc/cmd/sqlc@latest + + - name: Ensure 'go generate' is clean + run: | + # shellcheck disable=SC2046 + go generate $(go list ./...) + echo + echo + + if ! git diff --name-only --exit-code; then + echo "The files above need updating. Please run 'go generate'." + exit 1 + fi diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..d63a60f --- /dev/null +++ b/.github/workflows/codeql.yml 
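Review bot: The `go install github.com/kyleconroy/sqlc/cmd/sqlc@latest` step in the new check-generated.yml installs an unpinned tool, so this check depends on whichever sqlc release exists on the day it runs: a new sqlc version can change the generated output and fail the job with no change in the repository, and the workflow takes a dependency that is not recorded in go.sum and never reviewed. Pin it, e.g. `go install github.com/kyleconroy/sqlc/cmd/sqlc@<version-used-to-generate-the-checked-in-files>`, or track sqlc as a tool dependency in go.mod so `go install` resolves it through go.sum and the pinned version is visible in the tree. The job also declares no `permissions:` block, unlike the new codeql.yml job in this same commit; since it only reads the checkout, a job-level `permissions:` with `contents: read` would scope the GITHUB_TOKEN to what the job needs. The unnamed `- run: |` step would read better with `name: Install sqlc`, matching its sibling steps.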
@@ -0,0 +1,55 @@ +name: CodeQL + +on: + push: + branches: + - master + pull_request: + branches: + - "*" + schedule: + - cron: "00 13 * * 1" + + workflow_dispatch: {} + +jobs: + analyze: + runs-on: ubuntu-latest + timeout-minutes: 15 + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: + - go + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/lint-actions.yml b/.github/workflows/lint-actions.yml index c5fcc5a..f9521c0 100644 --- a/.github/workflows/lint-actions.yml +++ b/.github/workflows/lint-actions.yml @@ -13,6 +13,7 @@ env: jobs: lint-workflows: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/.github/workflows/lint-docker.yml b/.github/workflows/lint-docker.yml index b34461f..78595a1 100644 --- a/.github/workflows/lint-docker.yml +++ b/.github/workflows/lint-docker.yml @@ -10,6 +10,7 @@ on: jobs: lint-dockerfile: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code uses: actions/checkout@v3 
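Review bot: The commented-out block in the new codeql.yml between the Autobuild step and the analyze step (from `# ℹī¸ Command-line programs …` through `# ./location_of_script_within_repo/buildscript.sh`) is CodeQL starter-template boilerplate, the first line's emoji appears mis-encoded, and none of it describes this repository; drop it, or replace it with a single line such as `# Autobuild covers Go; no custom build step is needed`. The job also analyzes with whatever Go toolchain is preinstalled on the runner rather than the `GO_VERSION` the other workflows in this diff pin through actions/setup-go, so the build CodeQL inspects may differ from the one tested — presumably acceptable, but if not, an `actions/setup-go@v3` step before `github/codeql-action/init@v2` would align them. The `category: "/language:${{matrix.language}}"` value is the only expression in this diff written without inner spaces; `${{ matrix.language }}` matches the rest.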
diff --git a/.github/workflows/lint-go.yml b/.github/workflows/lint-go.yml index f304fc9..f22d07d 100644 --- a/.github/workflows/lint-go.yml +++ b/.github/workflows/lint-go.yml @@ -16,6 +16,7 @@ env: jobs: check-mod-tidy: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code uses: actions/checkout@v3 @@ -37,36 +38,9 @@ jobs: fi exit 0 - check-go-generate: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version: ${{ env.GO_VERSION }}.x - check-latest: true - cache: true - - - run: | - go install github.com/kyleconroy/sqlc/cmd/sqlc@latest - - - name: Ensure 'go generate' is clean - run: | - # shellcheck disable=SC2046 - go generate $(go list ./...) - echo - echo - - if ! git diff --name-only --exit-code; then - echo "The files above need updating. Please run 'go generate'." - exit 1 - fi - staticcheck: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code uses: actions/checkout@v3 @@ -85,6 +59,7 @@ jobs: golangci-lint: runs-on: ubuntu-latest + timeout-minutes: 15 permissions: pull-requests: read steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cb44d46..7d08bf5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,7 @@ jobs: release-binary: runs-on: ubuntu-latest if: github.ref_type == 'tag' + timeout-minutes: 15 permissions: id-token: write contents: write @@ -47,6 +48,7 @@ jobs: release-image: runs-on: ubuntu-latest + timeout-minutes: 15 permissions: id-token: write packages: write diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e51df37..42e5db4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -18,6 +18,7 @@ jobs: # required for nftables to work correctly # TODO: change to "ubuntu-latest" when 22.04 is the latest runs-on: ubuntu-22.04 + timeout-minutes: 15 steps: - name: Checkout code uses: actions/checkout@v3 @@ -37,6 +38,7 @@ jobs: binary-test: runs-on: ubuntu-22.04 + timeout-minutes: 15 steps: - name: Checkout code uses: actions/checkout@v3 @@ -59,6 +61,7 @@ jobs: image-test: runs-on: ubuntu-22.04 + timeout-minutes: 15 steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/.github/workflows/vuln.yml b/.github/workflows/vuln.yml index e01eb5d..96c2197 100644 --- a/.github/workflows/vuln.yml +++ b/.github/workflows/vuln.yml @@ -7,6 +7,8 @@ on: pull_request: branches: - "*" + schedule: + - cron: "00 13 * * 1" workflow_dispatch: {} @@ -16,6 +18,7 @@ env: jobs: govulncheck: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code uses: actions/checkout@v3
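Review bot: The new `schedule:` trigger in vuln.yml carries no comment on why a vulnerability scan should run weekly against unchanged code, which is the non-obvious part: govulncheck's verdict depends on the Go vulnerability database, which changes without any commit to this repository. A one-line comment above the cron, such as `# weekly: new advisories can affect an unchanged tree`, would make that intent clear to the next maintainer. Note that a failure on a scheduled run surfaces only as a failed workflow on the default branch rather than as a pull-request check, so whoever watches those runs should presumably be named in the repository's contributing notes — outside this diff.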