Skip to content

Harden GitHub Actions workflows #707

Harden GitHub Actions workflows

Harden GitHub Actions workflows #707

Workflow file for this run

name: Check
on:
pull_request: ~
push:
branches:
- main
permissions: read-all
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Build binary
run: go run tasks.go build
- name: Build all release binaries
run: go run tasks.go build-all
compliance:
name: Compliance
runs-on: ubuntu-24.04
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Check compliance
run: go run tasks.go compliance
container:
name: Container
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
engine:
- docker
- podman
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Build container with ${{ matrix.engine }}
run: go run tasks.go container
env:
CONTAINER_ENGINE: ${{ matrix.engine }}
- name: Test run container with ${{ matrix.engine }}
run: ${CONTAINER_ENGINE} run --rm ericornelissen/ades -help
env:
CONTAINER_ENGINE: ${{ matrix.engine }}
development-image:
name: Development image
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Build
run: go run tasks.go dev-img
format:
name: Format
runs-on: ubuntu-24.04
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Check source code formatting
run: go run tasks.go format-check
reproducible:
name: Reproducible build
runs-on: ubuntu-24.04
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Check reproducibility
run: go run tasks.go reproducible
reproducible-container:
name: Reproducible container
runs-on: ubuntu-24.04
needs:
- container
- reproducible
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Check reproducibility
run: go run tasks.go reproducible-container
reproducible-web:
name: Reproducible web
runs-on: ubuntu-24.04
needs:
- web
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Check reproducibility
run: go run tasks.go web-reproducible
test-unit:
name: Unit test
runs-on: ubuntu-24.04
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Run tests
run: go run tasks.go test-randomized
test-dogfeed:
name: Dogfeed
runs-on: ubuntu-24.04
needs:
- test-unit
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Run on this repository
run: go run tasks.go dogfeed
test-mutation:
name: Mutation test
runs-on: ubuntu-24.04
needs:
- test-unit
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Run mutation tests
run: go run tasks.go test-mutation
vet:
name: Vet
runs-on: ubuntu-24.04
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Vet source code
run: go run tasks.go vet
web:
name: Web
runs-on: ubuntu-24.04
needs:
- build
steps:
- name: Checkout repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Build web app
run: go run tasks.go web-build