fixes (#367) #1231
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| push: | |
| # Publish `main` as Docker `latest` image. | |
| branches: | |
| - main | |
| - dev | |
| - dev-* | |
| - release-* | |
| # Publish `v1.2.3` tags as releases. | |
| tags: | |
| - v* | |
| # Run tests for all PRs | |
| pull_request: | |
| env: | |
| VAULT_ADDR: https://vault.eng.aserto.com/ | |
| PRE_RELEASE: ${{ github.ref == 'refs/heads/main' && 'main' || '' }} | |
| GO_VERSION: "1.22" | |
| GO_RELEASER_VERSION: "v1.24.0" | |
| GO_LANGCI_LINT_VERSION: "v1.56.2" | |
| GO_TESTSUM_VERSION: "1.11.0" | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - | |
| uses: actions/checkout@v4 | |
| - | |
| name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - | |
| name: Build | |
| uses: goreleaser/goreleaser-action@v5 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| distribution: goreleaser | |
| version: ${{ env.GO_RELEASER_VERSION }} | |
| args: build --clean --snapshot --single-target | |
| - | |
| name: Lint | |
| uses: golangci/golangci-lint-action@v4 | |
| with: | |
| version: ${{ env.GO_LANGCI_LINT_VERSION }} | |
| args: --timeout=30m | |
| - | |
| name: Test Setup | |
| uses: gertd/action-gotestsum@v3.0.0 | |
| with: | |
| gotestsum_version: ${{ env.GO_TESTSUM_VERSION }} | |
| - | |
| name: Test | |
| run: | | |
| gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/authz/... | |
| gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/builtin/... | |
| gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/manifest/... | |
| gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/policy/... | |
| gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/query/... | |
| - | |
| name: Upload code coverage | |
| uses: shogo82148/actions-goveralls@v1 | |
| continue-on-error: true | |
| with: | |
| path-to-profile: cover.out | |
| push: | |
| runs-on: ubuntu-latest | |
| # when on a branch only push if the branch is main | |
| # always push when ref is a tag | |
| if: github.event_name == 'push' && ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') || startsWith(github.ref, 'refs/heads/dev-') || startsWith(github.ref, 'refs/tags/v') ) | |
| steps: | |
| - | |
| name: Read Configuration | |
| uses: hashicorp/vault-action@v3 | |
| id: vault | |
| with: | |
| url: https://vault.eng.aserto.com/ | |
| token: ${{ secrets.VAULT_TOKEN }} | |
| secrets: | | |
| kv/data/github "SSH_PRIVATE_KEY" | SSH_PRIVATE_KEY; | |
| kv/data/github "USERNAME" | DOCKER_USERNAME; | |
| kv/data/github "DOCKER_PUSH_TOKEN" | DOCKER_PASSWORD; | |
| kv/data/github "READ_WRITE_TOKEN" | READ_WRITE_TOKEN; | |
| - | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - | |
| name: Setup QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - | |
| name: Login to GitHub Packages Docker Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: https://ghcr.io | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_PASSWORD }} | |
| - | |
| name: Docker SSH Setup | |
| run: | | |
| mkdir -p $HOME/.ssh | |
| umask 0077 && echo -e "${SSH_PRIVATE_KEY}" > $HOME/.ssh/id_rsa | |
| ssh-keyscan github.com >> $HOME/.ssh/known_hosts | |
| git config --global url."git@github.com:".insteadOf https://github.com/ | |
| git config --global user.email "github-bot@aserto.com" | |
| git config --global user.name "Aserto Bot" | |
| eval `ssh-agent` | |
| ssh-add $HOME/.ssh/id_rsa | |
| - | |
| name: Wait for tests to succeed | |
| uses: fountainhead/action-wait-for-check@v1.2.0 | |
| id: wait-for-tests | |
| with: | |
| token: ${{ env.READ_WRITE_TOKEN }} | |
| checkName: test | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - | |
| name: Stop if tests fail | |
| if: steps.wait-for-tests.outputs.conclusion != 'success' | |
| run: exit 1 | |
| - | |
| name: Push image to GitHub Container Registry | |
| uses: goreleaser/goreleaser-action@v5 | |
| with: | |
| distribution: goreleaser | |
| version: ${{ env.GO_RELEASER_VERSION }} | |
| args: release --clean --snapshot | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| release: | |
| needs: [test, push] | |
| runs-on: ubuntu-latest | |
| # Only release when ref is a tag | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') | |
| steps: | |
| - | |
| name: Read Configuration | |
| uses: hashicorp/vault-action@v3 | |
| id: vault | |
| with: | |
| url: https://vault.eng.aserto.com/ | |
| token: ${{ secrets.VAULT_TOKEN }} | |
| secrets: | | |
| kv/data/github "SSH_PRIVATE_KEY" | SSH_PRIVATE_KEY; | |
| kv/data/github "USERNAME" | DOCKER_USERNAME; | |
| kv/data/github "DOCKER_PUSH_TOKEN" | DOCKER_PASSWORD; | |
| kv/data/github "READ_WRITE_TOKEN" | READ_WRITE_TOKEN; | |
| kv/data/github "ASERTO_TAP" | ASERTO_TAP; | |
| kv/data/gcp "SERVICE_ACCOUNT_GITHUB_ACTIONS_RELEASE" | SERVICE_ACCOUNT_GITHUB_ACTIONS_RELEASE; | |
| - | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - | |
| name: Setup QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - | |
| name: Login to GitHub Packages Docker Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: https://ghcr.io | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_PASSWORD }} | |
| - | |
| name: Docker SSH Setup | |
| run: | | |
| mkdir -p $HOME/.ssh | |
| umask 0077 && echo -e "${SSH_PRIVATE_KEY}" > $HOME/.ssh/id_rsa | |
| ssh-keyscan github.com >> $HOME/.ssh/known_hosts | |
| git config --global url."git@github.com:".insteadOf https://github.com/ | |
| git config --global user.email "github-bot@aserto.com" | |
| git config --global user.name "Aserto Bot" | |
| eval `ssh-agent` | |
| ssh-add $HOME/.ssh/id_rsa | |
| - | |
| name: GCS Application Credentials | |
| run: | | |
| echo "${SERVICE_ACCOUNT_GITHUB_ACTIONS_RELEASE}" > /tmp/gs.json | |
| - | |
| name: Write Version Info | |
| run: | | |
| git describe --tags > VERSION.txt | |
| - | |
| name: Release | |
| uses: goreleaser/goreleaser-action@v5 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| HOMEBREW_TAP: ${{ secrets.GITHUB_TOKEN }} | |
| GOOGLE_APPLICATION_CREDENTIALS: /tmp/gs.json | |
| with: | |
| distribution: goreleaser | |
| version: ${{ env.GO_RELEASER_VERSION }} | |
| args: release --clean | |
| - | |
| name: Archive deployment examples | |
| run: | | |
| cd docs/deployments/sidecar-deployment && zip topaz_deployment_examples.zip *.yaml | |
| - | |
| name: Upload deployment examples | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: docs/deployments/sidecar-deployment | |
| asset_name: topaz_deployment_examples.zip | |
| tag: ${{ github.ref }} | |
| overwrite: false | |
| msi: | |
| needs: release | |
| runs-on: windows-latest | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Read Configuration | |
| uses: hashicorp/vault-action@v3 | |
| id: vault | |
| with: | |
| url: ${{ env.VAULT_ADDR }} | |
| token: ${{ secrets.VAULT_TOKEN }} | |
| secrets: | | |
| kv/data/github "ROOT_TOKEN" | ROOT_TOKEN; | |
| - | |
| name: Download exe | |
| id: download_exe | |
| shell: bash | |
| run: | | |
| gh release download "${GITHUB_REF#refs/tags/}" -p "topaz_windows_x86_64.zip" | |
| printf "zip=%s\n" *.zip >> $GITHUB_OUTPUT | |
| unzip -o *.zip && rm -v *.zip | |
| env: | |
| GITHUB_TOKEN: ${{ steps.vault.outputs.ROOT_TOKEN }} | |
| - | |
| name: Install go-msi | |
| run: choco install -y "go-msi" | |
| - | |
| name: Prepare PATH | |
| shell: bash | |
| run: | | |
| echo "$WIX\\bin" >> $GITHUB_PATH | |
| echo "C:\\Program Files\\go-msi" >> $GITHUB_PATH | |
| - | |
| name: Build MSI | |
| id: buildmsi | |
| shell: bash | |
| env: | |
| ZIP_FILE: ${{ steps.download_exe.outputs.zip }} | |
| run: | | |
| mkdir -p build | |
| msi="$(basename "$ZIP_FILE" ".zip").msi" | |
| printf "msi=${msi}" >> $GITHUB_OUTPUT | |
| go-msi make --arch amd64 --msi "$PWD/$msi" --out "$PWD/build" --version "${GITHUB_REF#refs/tags/}" | |
| - | |
| name: Upload MSI | |
| shell: bash | |
| run: | | |
| tag_name="${GITHUB_REF#refs/tags/}" | |
| gh release upload "$tag_name" "$MSI_FILE" --repo aserto-dev/topaz --clobber | |
| env: | |
| MSI_FILE: ${{ steps.buildmsi.outputs.msi }} | |
| GITHUB_TOKEN: ${{ steps.vault.outputs.ROOT_TOKEN }} |