diff --git a/.craft b/.craft
index ac54cb3..3074694 100644
--- a/.craft
+++ b/.craft
@@ -1,3 +1,4 @@
+docker_registry: ghcr.io
 license: mit
 ci: github
 maintainers:
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 2d04b69..376ea1e 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -1,11 +1,18 @@
 # Code generated by craft; DO NOT EDIT.
-name: Go Integration
-run-name: Go Integration
+name: Integration
+run-name: Integration
 on:
- - push
- - workflow_dispatch
+ pull_request:
+ push:
+ branches:
+ - main
+ - staging
+ - develop
+ - v[0-9]+
+ - v[0-9]+.[0-9]+
+ workflow_dispatch:
 jobs:
@@ -20,6 +27,10 @@ jobs:
 - uses: actions/checkout@v4
 - id: sha
 run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT
+ - id: regexp
+ run: |
+ echo "ref=$(echo "${{ github.ref }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
+ echo "ref_name=$(echo "${{ github.ref_name }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
 - id: semantic_release
 uses: cycjimmy/semantic-release-action@v4
 with:
@@ -44,7 +55,8 @@ jobs:
 { "name": "alpha", "prerelease": true },
 { "name": "staging", "prerelease": "beta" },
 { "name": "develop", "prerelease": "alpha" },
- { "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
+ { "name": "${{ steps.regexp.outputs.ref }}", "prerelease": "${{ steps.sha.outputs.sha }}" },
+ { "name": "${{ steps.regexp.outputs.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
 ]
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
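Review bot: The new `regexp` step in the @@ -20,6 +27,10 hunk interpolates `${{ github.ref }}` and `${{ github.ref_name }}` directly into the `run:` shell script, so a ref name containing shell metacharacters is substituted before bash parses the command; the existing `sha` step above it has the same shape. Exposure is limited (on `push` only someone with push access names the branch, and on `pull_request` the ref is GitHub's merge ref), but the documented fix is free: pass the value through the environment, e.g. `env:` with `REF: ${{ github.ref }}` and `run: echo "ref=$(echo "$REF" | sed 's#\/#\\/#g')" >> "$GITHUB_OUTPUT"`. The same pattern is added to release.yml in hunks @@ -19,6 +24,8 and @@ -137,6 +164,8. Since the header marks the file as generated by craft, the change presumably belongs in the template. Separately, whether the `\/` escaping survives the action's parsing of `branches` (in JSON, `\/` decodes back to `/`) is worth confirming and recording in a comment on the step.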
@@ -98,4 +110,43 @@ jobs:
 fail_ci_if_error: true
 file: coverage.out
 slug: ${{ github.repository }}
- token: ${{ secrets.CODECOV_TOKEN }}
\ No newline at end of file
+ token: ${{ secrets.CODECOV_TOKEN }}
+
+ docker-hadolint:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ security-events: write
+ steps:
+ - uses: actions/checkout@v3
+ - uses: hadolint/hadolint-action@v3.1.0
+ continue-on-error: true # enforce scan upload to codeql
+ with:
+ format: sarif
+ output-file: hadolint-results.sarif
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: hadolint-results.sarif
+ category: docker-hadolint
+ - id: hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ continue-on-error: true # enforce scan upload pull request
+ with:
+ format: tty
+ - uses: actions/github-script@v7
+ if: github.event_name == 'pull_request'
+ with:
+ script: |
+ const output = `
+ #### Hadolint: \`${{ steps.hadolint.outcome }}\`
+ \`\`\`
+ ${process.env.HADOLINT_RESULTS}
+ \`\`\`
+ `;
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ });
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 650e81f..364ce5b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,11 @@ run-name: Release
 on:
 workflow_dispatch:
+ inputs:
+ dry_run:
+ description: Dry run
+ type: boolean
+ default: false
 jobs:
@@ -19,6 +24,8 @@ jobs:
 - uses: actions/checkout@v4
 - id: sha
 run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT
+ - id: regexp
+ run: echo "branch=$(echo "${{ github.ref_name }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
 - id: semantic_release
 uses: cycjimmy/semantic-release-action@v4
 with:
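Review bot: The `docker-hadolint` job's explicit `permissions:` block lists only `pull-requests: write` and `security-events: write`, which sets every other scope, including `contents`, to none, so `actions/checkout` may be refused depending on repository visibility; add `contents: read`, and bump `actions/checkout@v3` to `@v4` to match every other job in the file. Both hadolint runs carry `continue-on-error: true`, so lint findings never fail the job; the inline comments explain the uploads, but a job-level note such as `# hadolint findings are surfaced via code scanning and the PR comment only; they do not fail CI` would make that policy explicit. The comment step runs for every `pull_request`, including fork PRs where `GITHUB_TOKEN` is read-only and `createComment` will fail, so it probably wants an extra condition on the head repository or a tolerant failure mode.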
@@ -43,7 +50,7 @@ jobs:
 { "name": "alpha", "prerelease": true },
 { "name": "staging", "prerelease": "beta" },
 { "name": "develop", "prerelease": "alpha" },
- { "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
+ { "name": "${{ steps.regexp.outputs.branch }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
 ]
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -72,30 +79,24 @@ jobs:
 - uses: actions/upload-artifact@v4
 with:
 name: executables
+ # order is important to filter unwanted globs after the filter or desired globs
 path: |
+ dist/*
 !dist/*.json
 !dist/*.yaml
 !dist/*/
- checksums.txt
- dist/*
 retention-days: 1
 docker-build:
 runs-on: ubuntu-latest
- environment: release
- permissions:
- packages: write
 needs:
 - version
- env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
 steps:
 - uses: actions/checkout@v4
 - id: meta
 uses: docker/metadata-action@v5
 with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ images: ghcr.io/${{ github.repository }}
 labels: |
 org.opencontainers.image.created={{date 'YYYY-MM-DDTHH:mm:ssZ'}}
 org.opencontainers.image.ref.name="${{ github.ref_name }}"
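Review bot: Dropping `environment: release` and `permissions: packages: write` from `docker-build` in the @@ -72,30 +79,24 hunk, together with the login switch to `secrets.REGISTRY_TOKEN` / `github.repository_owner` in the next hunk (@@ -109,25 +110,51), replaces the job-scoped, automatically expiring `GITHUB_TOKEN` with a long-lived stored credential and removes whatever protection rules and secret scoping the `release` environment provided. With the registry still `ghcr.io` (see the `.craft` hunk), `packages: write` plus `GITHUB_TOKEN` is sufficient to push, so if a separate token is really required the reason should be recorded next to the secret, e.g. `# REGISTRY_TOKEN is needed because <placeholder: why GITHUB_TOKEN cannot push here>`, and the job should keep an explicit `permissions:` block so its remaining scopes stay minimal. `checksums.txt` is no longer listed under `path:`; unless it is written into `dist/`, it will stop being attached to the artifact. The new comment on `path:` reads awkwardly; `# order matters: the exclusion globs must come after the include glob they filter` states the intent more plainly.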
@@ -109,25 +110,51 @@ jobs:
 - uses: docker/setup-buildx-action@v3
 - uses: docker/login-action@v3
 with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - uses: docker/build-push-action@v5
 with:
 context: .
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ docker-trivy:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ needs:
+ - version
+ - docker-build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: aquasecurity/trivy-action@master
+ continue-on-error: true # enforce scan upload to codeql
+ with:
+ image-ref: "ghcr.io/${{ github.repository }}:${{ needs.version.outputs.version }}"
+ exit-code: "1"
+ format: sarif
+ output: trivy-results.sarif
+ ignore-unfixed: false
+ severity: MEDIUM,HIGH,CRITICAL
+ env:
+ TRIVY_USERNAME: ${{ github.repository_owner }}
+ TRIVY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy-results.sarif
+ category: docker-trivy
 release:
 runs-on: ubuntu-latest
- environment: release
 if: github.ref_protected == true
 permissions:
 contents: write
 issues: write
 needs:
 - go-build
+ - docker-build
 env:
 GIT_AUTHOR_NAME: ${{ github.triggering_actor }}
 GIT_AUTHOR_EMAIL: ${{ github.triggering_actor }}@users.noreply.github.com
@@ -137,6 +164,8 @@ jobs:
 - uses: actions/checkout@v4
 - id: sha
 run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT
+ - id: regexp
+ run: echo "branch=$(echo "${{ github.ref_name }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
 - uses: actions/download-artifact@v4
 with:
 name: executables
@@ -152,6 +181,7 @@ jobs:
 @semantic-release/release-notes-generator
 conventional-changelog-conventionalcommits
 semantic-release-license
+ dry_run: ${{ inputs.dry_run }}
 tag_format: v${version}
 branches: |
 [
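Review bot: `aquasecurity/trivy-action@master` in the new `docker-trivy` job pins the scanner to a moving branch, so each run executes whatever that branch holds at the time; pin it like the other actions in the file, to a release tag or ideally a commit SHA (`aquasecurity/trivy-action@<release-tag-or-commit-sha>`). The scan also runs only after `docker-build` has pushed the image (`push: true`), and `continue-on-error: true` neutralises `exit-code: "1"`, while `release` gains `needs: docker-build` but not `docker-trivy`, so MEDIUM/HIGH/CRITICAL findings block nothing. If findings should gate the release, add `docker-trivy` to the `release` job's `needs:` (or build with `load: true`, scan, and push in a later step); if they are intentionally advisory, say so with `# advisory scan: findings go to code scanning and do not gate the release`. The `release` job also loses `environment: release` here while keeping `if: github.ref_protected == true`, which presumably is the intended replacement guard but is worth confirming.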
@@ -162,7 +192,7 @@ jobs:
 { "name": "alpha", "prerelease": true },
 { "name": "staging", "prerelease": "beta" },
 { "name": "develop", "prerelease": "alpha" },
- { "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
+ { "name": "${{ steps.regexp.outputs.branch }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
 ]
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/codecov.yml b/codecov.yml
index dbff346..ce8889b 100644
--- a/codecov.yml
+++ b/codecov.yml
@@ -1,5 +1,29 @@
 # Code generated by craft; DO NOT EDIT.
+codecov:
+ require_ci_to_pass: true
+ notify:
+ wait_for_ci: true
+
+comment:
+ require_changes: true
+
+coverage:
+ status:
+ project:
+ default:
+ target: 85%
+ threshold: 10%
+ if_not_found: failure
+ informational: false
+ only_pulls: false
+ patch:
+ target: 85%
+ threshold: 10%
+ if_not_found: failure
+ informational: false
+ only_pulls: false
+
 ignore:
 - "cmd"
 - "examples"