Harden GitHub Actions workflows #707
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check | |
on: | |
pull_request: ~ | |
push: | |
branches: | |
- main | |
permissions: read-all | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Build binary | |
run: go run tasks.go build | |
- name: Build all release binaries | |
run: go run tasks.go build-all | |
compliance: | |
name: Compliance | |
runs-on: ubuntu-24.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Check compliance | |
run: go run tasks.go compliance | |
container: | |
name: Container | |
runs-on: ubuntu-24.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
engine: | |
- docker | |
- podman | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Build container with ${{ matrix.engine }} | |
run: go run tasks.go container | |
env: | |
CONTAINER_ENGINE: ${{ matrix.engine }} | |
- name: Test run container with ${{ matrix.engine }} | |
run: ${CONTAINER_ENGINE} run --rm ericornelissen/ades -help | |
env: | |
CONTAINER_ENGINE: ${{ matrix.engine }} | |
development-image: | |
name: Development image | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Build | |
run: go run tasks.go dev-img | |
format: | |
name: Format | |
runs-on: ubuntu-24.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Check source code formatting | |
run: go run tasks.go format-check | |
reproducible: | |
name: Reproducible build | |
runs-on: ubuntu-24.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Check reproducibility | |
run: go run tasks.go reproducible | |
reproducible-container: | |
name: Reproducible container | |
runs-on: ubuntu-24.04 | |
needs: | |
- container | |
- reproducible | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Check reproducibility | |
run: go run tasks.go reproducible-container | |
reproducible-web: | |
name: Reproducible web | |
runs-on: ubuntu-24.04 | |
needs: | |
- web | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Check reproducibility | |
run: go run tasks.go web-reproducible | |
test-unit: | |
name: Unit test | |
runs-on: ubuntu-24.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Run tests | |
run: go run tasks.go test-randomized | |
test-dogfeed: | |
name: Dogfeed | |
runs-on: ubuntu-24.04 | |
needs: | |
- test-unit | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Run on this repository | |
run: go run tasks.go dogfeed | |
test-mutation: | |
name: Mutation test | |
runs-on: ubuntu-24.04 | |
needs: | |
- test-unit | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Run mutation tests | |
run: go run tasks.go test-mutation | |
vet: | |
name: Vet | |
runs-on: ubuntu-24.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Vet source code | |
run: go run tasks.go vet | |
web: | |
name: Web | |
runs-on: ubuntu-24.04 | |
needs: | |
- build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Go | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Build web app | |
run: go run tasks.go web-build |