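# GitHub Actions workflow: builds the builder/app Docker targets, scans the app image with
# trivy, runs the test suite inside the builder container and validates the swagger spec.
name: Build & Test

on:
  push:
    branches: "**"
  # pull_request:
  #   branches: [master]
  #   types: [opened, reopened] # avoid running twice (on push above), see https://github.com/open-telemetry/opentelemetry-python/issues/1370

# Least-privilege GITHUB_TOKEN for the whole workflow: every step below only reads the
# repository, except upload-sarif, which needs security-events: write to publish to the
# security tab (private repositories additionally need actions: read for that upload).
permissions:
  contents: read
  security-events: write

env:
  DOCKER_ENV_FILE: ".github/workflows/docker.env"

jobs:
  build-test:
    runs-on: ubuntu-latest

    # Ephemeral, CI-only credentials for the job-scoped service containers; keep them as
    # quoted strings so tooling never retypes them.
    services:
      postgres:
        image: postgres:12.4-alpine # should be the same version as used in .drone.yml, .github/workflows, Dockerfile and live
        env:
          POSTGRES_DB: "development"
          POSTGRES_USER: "dbuser"
          POSTGRES_PASSWORD: "dbpass"
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # quoted: "host:container" mappings are strings, never let a YAML 1.1 parser guess
          - "5432:5432"
      integresql:
        image: ghcr.io/allaboutapps/integresql:v1.1.0
        env:
          PGHOST: "postgres"
          PGUSER: "dbuser"
          PGPASSWORD: "dbpass"
      mailhog:
        image: mailhog/mailhog

    steps:
      # NOTE(review): the action ref on the next line was garbled by page extraction
      # ("[email protected]"); restore the pinned actions/checkout ref (prefer a full commit SHA).
      - uses: actions/[email protected]
      - name: docker build (target builder)
        run: DOCKER_BUILDKIT=1 docker build --target builder --file Dockerfile --tag allaboutapps.dev/aw/go-starter:builder-${GITHUB_SHA} .
      - name: docker build (target app)
        run: DOCKER_BUILDKIT=1 docker build --target app --file Dockerfile --tag allaboutapps.dev/aw/go-starter:app-${GITHUB_SHA} .
      - name: trivy scan
        # NOTE(review): `@master` is a mutable ref, so the scanner code executed here can change
        # underneath this workflow; pin to a release tag or full commit SHA. No `exit-code` is
        # set, so findings are written to the SARIF file but never fail the build.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'allaboutapps.dev/aw/go-starter:app-${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
      - name: docker run (target builder)
        # Detached builder container on the postgres service network; later steps `docker exec` into it.
        run: docker run -d --env-file $DOCKER_ENV_FILE --network "${{ job.services.postgres.network }}" --name=builder -it allaboutapps.dev/aw/go-starter:builder-${GITHUB_SHA}
      - name: "build & diff"
        # Note builder stage now includes .git, thus we rm it again to again diff with the original git workspace
        # NOTE(review): once ./post-build/.git is removed, `git -C post-build` resolves to the
        # checkout's repository, where ./post-build itself is an untracked directory — confirm
        # this step still fails when `make tidy` / `make build` modify tracked files.
        run: |
          docker exec builder make tidy
          docker exec builder make build
          docker cp builder:/app ./post-build && rm -rf ./post-build/.git && git -C post-build diff --exit-code
      - name: test
        run: docker exec builder make test
      - name: upload coverage to codecov
        # The uploader script is downloaded and executed at run time without any integrity
        # check (supply-chain risk); prefer Codecov's versioned uploader/action with checksum
        # verification. `-f` makes curl fail on an HTTP error instead of handing an error page
        # to bash, `-S` still prints that error despite `-s`, `-L` follows redirects.
        run: docker cp builder:/tmp/coverage.out ./coverage.out && bash <(curl -fsSL https://codecov.io/bash)
      - name: test-scripts (gsdev, go-starter only)
        if: ${{ github.repository == 'allaboutapps/go-starter' }}
        run: docker exec builder make test-scripts
      - name: info
        run: docker exec builder make info
      - name: "binary: deps"
        run: docker exec builder bash -c 'make get-embedded-modules-count && make get-embedded-modules'
      - name: "binary: licenses"
        run: docker exec builder make get-licenses
      - name: docker run (target app)
        # Smoke test of the app image: help, version and env must all exit successfully.
        run: |
          docker run --env-file $DOCKER_ENV_FILE --network "${{ job.services.postgres.network }}" allaboutapps.dev/aw/go-starter:app-${GITHUB_SHA} help
          docker run --env-file $DOCKER_ENV_FILE --network "${{ job.services.postgres.network }}" allaboutapps.dev/aw/go-starter:app-${GITHUB_SHA} -v
          docker run --env-file $DOCKER_ENV_FILE --network "${{ job.services.postgres.network }}" allaboutapps.dev/aw/go-starter:app-${GITHUB_SHA} env
      - name: upload trivy scan results to GitHub security tab
        # Currently limited to master because of the following:
        # Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access.
        # To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches.
        # See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.
        # Consequently scan results for every other branch are never published anywhere.
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'
      - name: stop container
        if: ${{ always() }}
        run: docker stop builder
      - name: remove container
        if: ${{ always() }}
        run: docker rm builder

  swagger-codegen-cli:
    runs-on: ubuntu-latest
    # The job runs inside this image; with no tag it floats on `latest`, so the validator
    # version can drift between runs — pin a tag or digest for reproducible results.
    container: swaggerapi/swagger-codegen-cli
    steps:
      # NOTE(review): action ref garbled by page extraction, see the build-test job above.
      - uses: actions/[email protected]
      - name: run the main swagger.yml validation
        run: java -jar /opt/swagger-codegen-cli/swagger-codegen-cli.jar validate -i ./api/swagger.yml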