Skip to content

Bump github.com/alecthomas/kingpin/v2 from 2.3.2 to 2.4.0 #62

Bump github.com/alecthomas/kingpin/v2 from 2.3.2 to 2.4.0

Bump github.com/alecthomas/kingpin/v2 from 2.3.2 to 2.4.0 #62

Workflow file for this run

name: Release
on:
pull_request_target:
types:
- closed
branches:
- master
- main
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
contents: write
packages: write
security-events: write
env:
PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
PULL_REQUEST_BRANCH: ${{ github.head_ref }}
BRANCH: ${{ github.event.pull_request.head.ref }}
REGISTRY: ghcr.io
IMAGE_NAME: "ghcr.io/${{ github.repository }}"
RELEASE: true
jobs:
config:
if: github.triggering_actor != 'dependabot[bot]' && github.event.pull_request.merged == true
runs-on: ubuntu-latest
outputs:
go-version: ${{ fromJson(steps.config.outputs.config).go-version }}
deploy-pull-request: ${{ fromJson(steps.config.outputs.config).deploy.pull-request }}
deploy-sign-docker-image: ${{ fromJson(steps.config.outputs.config).deploy.sign-docker-image }}
deploy-pre-release-matrix: ${{ steps.pre-release-matrix.outputs.matrix }}
deploy-release-matrix: ${{ steps.release-matrix.outputs.matrix }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Read config
id: config
run: echo "config=$(jq -M -c '.' ./.github/workflow-config.json)" >> $GITHUB_OUTPUT
- name: List Pre-release profiles
id: deploy-pr-images-profiles
run: echo "profiles=$(jq -c -M '.deploy."pull-request-images"' .github/workflow-config.json)" >> $GITHUB_OUTPUT
- name: Deploy pre-release matrix
id: pre-release-matrix
run: echo 'matrix={"include":${{ steps.deploy-pr-images-profiles.outputs.profiles }} }' >> $GITHUB_OUTPUT
- name: List release profiles
id: deploy-images-profiles
run: echo "profiles=$(jq -c -M '.deploy."release-images"' .github/workflow-config.json)" >> $GITHUB_OUTPUT
- name: Deploy release matrix
id: release-matrix
run: echo 'matrix={"include":${{ steps.deploy-images-profiles.outputs.profiles }} }' >> $GITHUB_OUTPUT
build:
runs-on: ubuntu-latest
needs:
- config
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: ${{ needs.config.outputs.go-version }}
- name: Get makefile versions
id: version
run: |
version=$(make version)
echo "version=$version" >> $GITHUB_OUTPUT
- name: Setup Golang cache
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Build artifact
run: make go-build
- name: Run test
run: make go-test
- name: Go lint
continue-on-error: true
uses: golangci/golangci-lint-action@v3
with:
args: --issues-exit-code=0
skip-pkg-cache: true
skip-build-cache: true
- name: Package artifact
run: |
mv dist/*.tar.gz application.tar.gz
- name: Upload build output
uses: actions/upload-artifact@v3
with:
name: application
path: "./application.tar.gz"
- name: Upload test coverage
uses: actions/upload-artifact@v3
with:
name: test-coverage
path: "./test-coverage.out"
release:
runs-on: ubuntu-latest
needs:
- config
- build
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set releasw version
id: version
run: echo "version=${{ needs.build.outputs.version }}" >> $GITHUB_OUTPUT
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: application
path: "."
- name: Rename artifact
run: mv application.tar.gz ${{ github.event.repository.name }}.tar.gz
- name: Create release
uses: softprops/action-gh-release@v1
id: create-release
with:
name: Release ${{ steps.version.outputs.version }}
tag_name: ${{ steps.version.outputs.version }}
token: ${{ secrets.GITHUB_TOKEN }}
body: ${{ steps.changelog.outputs.changelog }}
files: |
./${{ github.event.repository.name }}.tar.gz
draft: false
prerelease: false
generate_release_notes: true
deploy:
name: deploy-[${{ matrix.name }}]
runs-on: ubuntu-latest
strategy:
max-parallel: 1
matrix: ${{ fromJson(needs.config.outputs.deploy-release-matrix) }}
if: ${{ !failure() && needs.release.result == 'success' && needs.config.outputs.deploy-pull-request == 'true' }}
needs:
- config
- build
- release
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Build image
id: docker-meta
env:
VERSION: "${{ needs.release.outputs.version }}"
run: |
make ${{ matrix.name }}-image
TAG_SUFFIX=$(echo "-${{ matrix.name }}" | sed s/-ubuntu//)
echo "image-id=$IMAGE_NAME" >> $GITHUB_OUTPUT
echo "image-version=${VERSION}${TAG_SUFFIX}" >> $GITHUB_OUTPUT
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u $ --password-stdin
- name: Push image
env:
VERSION: "${{ needs.release.outputs.version }}"
run: |
make push-${{ matrix.name }}-image
- name: Setup cosign
if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}
uses: sigstore/cosign-installer@main
- name: Write signing key to disk (only needed for `cosign sign --key`)
if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}
continue-on-error: true
run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
- name: Sign the published Docker image
if: ${{ needs.config.outputs.deploy-sign-docker-image == 'true' }}
continue-on-error: true
env:
COSIGN_PASSWORD: ""
VERSION: "${{ needs.release.outputs.version }}"
run: make sign-${{ matrix.name }}-image
- name: Container scan
uses: aquasecurity/trivy-action@0.8.0
env:
image-ref: "${{ steps.docker-meta.outputs.image-id }}:${{ steps.docker-meta.outputs.image-version }}"
with:
image-ref: "${{ env.image-ref }}"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
category: trivy-${{ matrix.name }}