Skip to content

chore: nix flake update #358

chore: nix flake update

chore: nix flake update #358

Workflow file for this run

---
name: CI
# Ensure only one job per branch.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
branches: [master]
tags: ["*"]
pull_request:
branches: [master]
types: [opened, synchronize]
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Set up Nix
uses: ./.github/actions/setup-nix
with:
cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Run tests
run: nix develop . --command make test-cov-xml
- name: Upload test report
if: always()
uses: mikepenz/action-junit-report@v4
with:
check_name: Test report
report_paths: '**/.junit.xml'
- name: Upload coverage
uses: paambaati/[email protected]
env:
CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
with:
coverageLocations: |
${{ github.workspace }}/.coverage.xml:cobertura
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Set up Nix
uses: ./.github/actions/setup-nix
with:
cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Run tests
run: nix develop . --command make lint
scan-ast:
name: Scan AST security
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- uses: ./.github/actions/setup-nix
with:
cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Scan AST security
run: nix develop . --command make scan-sec-ast
scan-deps:
name: Scan dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Set up Nix
uses: ./.github/actions/setup-nix
with:
cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Export dependencies
run: go list -json -deps ./... > go.list
- name: Run nancy
uses: sonatype-nexus-community/nancy-github-action@main
with:
nancyVersion: "v1.0.41"
pub-image:
name: Publish Docker image
runs-on: ubuntu-latest
needs: [lint, test, scan-ast, scan-deps]
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Set up Nix
uses: ./.github/actions/setup-nix
with:
cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Set image tag
run: >
if [ "${{ github.ref_type }}" = "tag" ] && [ -n "${{ github.ref_name }}" ]; then
echo "IMG_TAG=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> ${GITHUB_ENV}
else
echo "IMG_TAG=latest" >> ${GITHUB_ENV}
fi
- name: Capture current tag for injection to binary
if: github.ref_type == 'tag' && github.ref_name != ''
run: echo ${{ github.ref_name }} > .tag && git add .tag
- name: Capture current commit hash for injection to binary
run: echo ${{ github.sha }} > .rev && git add .rev
- name: Build and push image to registry
run: >
nix build .#dockerArchiveStreamer
&& ./result
| gzip --fast
| skopeo copy
--dest-creds ${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }}
docker-archive:/dev/stdin
docker://ghcr.io/${{ github.repository }}:${IMG_TAG}