[FEAT] added reissue account #436
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: GHA Build | |
# The `name:` here is also used in badge.svg rendering as the left-hand-side | |
permissions: | |
# Control the GITHUB_TOKEN permissions. | |
# By having this block, all permissions not listed here are set to none. | |
# Available permissions listed at: | |
# <https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token> | |
# Which API calls need which permissions at what level, listed at: | |
# <https://docs.github.com/en/rest/reference/permissions-required-for-github-apps> | |
# | |
contents: read | |
checks: write | |
statuses: write | |
on: | |
push: | |
branches-ignore: | |
- 'exp' | |
- 'exp/*' | |
- 'exp-*' | |
- 'exp_*' | |
- 'wip' | |
- 'wip/*' | |
- 'wip-*' | |
- 'wip_*' | |
pull_request: | |
jobs: | |
test: | |
runs-on: ${{ matrix.os }} | |
continue-on-error: ${{ matrix.experimental || false }} | |
strategy: | |
# Debugging multi-platform builds, let them all complete (for now) | |
fail-fast: false | |
matrix: | |
# It's called a matrix but in practice I'm just listing out the precise combinations we want, via include. | |
# The canonical entry is the only one where we run vet/lint/style checks. | |
# `experimental: true` entries do not cause the tests to fail. | |
include: | |
- go: '1.21.x' | |
os: ubuntu-latest | |
canonical: true | |
- go: '1.21.x' | |
os: windows-latest | |
canonical: false | |
- go: '1.21.x' | |
os: macos-latest | |
canonical: false | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v2 | |
with: | |
go-version: ${{ matrix.go }} | |
# We're not doing releases, just checks, so we can live without check-latest here | |
- name: Export Go environment to Actions outputs | |
id: go-settings | |
run: | | |
echo "::set-output name=arch::$(go env GOARCH)" | |
echo "::set-output name=hostarch::$(go env GOHOSTARCH)" | |
echo "::set-output name=os::$(go env GOOS)" | |
echo "::set-output name=hostos::$(go env GOHOSTOS)" | |
echo "::set-output name=go-version::$(go env GOVERSION)" | |
# Use with: | |
# ${{ steps.go-settings.outputs.go-version }} | |
# which will look like `go1.17.1` if matrix `1.17.x` matches `1.17.1`. | |
# These are independent of how the matrix is setup, or if a matrix is even used. | |
# | |
# You can see the individual values in the "Set up Go" output, collapsed inside a "go env" group at the end. | |
- name: Install additional check/lint tools | |
id: tools-install | |
run: | | |
go install github.com/mattn/goveralls@latest | |
go install github.com/wadey/gocovmerge@latest | |
go install honnef.co/go/tools/cmd/[email protected] | |
if: matrix.canonical | |
- name: Basic Go integrity checks | |
id: integrity | |
run: | | |
go vet ./... | |
if: matrix.canonical | |
- name: Run Tests (with coverage enabled) | |
id: coverage | |
run: | | |
mkdir cov | |
echo "::group::Coverage of ./cmd" | |
go test -v -failfast -covermode=atomic -coverprofile=./cov/cmd.out ./cmd | |
echo "::endgroup::" | |
echo "::group::Coverage of ./cmd/store" | |
go test -v -failfast -covermode=atomic -coverprofile=./cov/store.out ./cmd/store | |
echo "::endgroup::" | |
if: runner.os != 'Windows' | |
- name: Run Tests (Windows) | |
id: wintest | |
# nb2: if we use the coverage approach on Windows, the -coverprofile flag appears to be looked for as a package, and I've no idea why (am not a Windows dev) | |
# cannot find package "github.com/nats-io/nsc/cov/cmd.out" in any of: | |
# C:\hostedtoolcache\windows\go\1.16.13\x64\src\github.com\nats-io\nsc\cov\cmd.out (from $GOROOT) | |
# D:\a\nsc\nsc\go\src\github.com\nats-io\nsc\cov\cmd.out (from $GOPATH) | |
run: | | |
echo "::group::Testing of ./cmd" | |
go test -v -failfast ./cmd | |
echo "::endgroup::" | |
echo "::group::Testing of ./cmd/store" | |
go test -v -failfast ./cmd/store | |
echo "::endgroup::" | |
if: runner.os == 'Windows' | |
- name: Upload coverage results | |
id: coverage-upload | |
run: | | |
gocovmerge ./cov/*.out > coverage.out | |
goveralls -coverprofile=coverage.out -service=github | |
env: | |
COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
if: matrix.canonical | |
- name: Bad versions creep defense | |
id: go-module-versions | |
# The go.mod includes tests, and some of our tests explicitly pull in jwtv1, which is unmaintained and has security issues. | |
# It's only in the tests, so that's not critical enough to need to rewrite things at this time. | |
# But we don't want the _binary_ to link against v1. So we want to check what the actual binary links against. | |
# Add whatever other checks we care about here. | |
run: | | |
go build | |
go version -m ./nsc > versions | |
if grep -qsE '^[[:space:]]+dep[[:space:]]+github\.com/nats-io/jwt[[:space:]]' versions; then | |
echo "::error title=Bad dependency in binary::JWT library v1 detected" | |
exit 1 | |
fi | |
if: matrix.canonical | |
#EOF |