fix(deps): update aws sdk (#727) #1619
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Test & Build | |
on: | |
# Trigger the workflow on push or pull request, | |
# but only for the main branch | |
push: | |
branches: | |
- "main" | |
tags: | |
- "v*" | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
jobs: | |
test: | |
name: Test | |
runs-on: depot-ubuntu-22.04-8 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # also fetch tags and branches for `git describe` | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 1.x | |
check-latest: true | |
- name: Get dependencies | |
run: | | |
go get -v -t -d ./... | |
- name: Go Generate | |
run: | | |
go generate ./... | |
- name: Validate Docs Data | |
run: | | |
if [ -z "$(git status --porcelain)" ]; then | |
echo "No pending docs changes" | |
else | |
echo "Pending docs changes found, please run 'go generate ./...' and commit the changes" | |
git status | |
exit 1 | |
fi | |
- name: Vet | |
run: go vet ./... | |
# get .golangci.yml from github.com/overmindtech/golangci-lint_config | |
- name: Get .golangci.yml from github.com/overmindtech/golangci-lint_configs | |
run: | | |
curl -sfL https://raw.githubusercontent.com/overmindtech/golangci-lint_config/main/.golangci.yml -o .golangci.yml | |
- name: golangci-lint | |
uses: golangci/golangci-lint-action@v6 | |
with: | |
version: v1.60.1 | |
args: --timeout 3m | |
skip-cache: true # the linters require all code generation and dependecies to be present, but the cache implementation completely falls over when there is already existing content. See https://github.com/golangci/golangci-lint-action/issues/23, https://github.com/golangci/golangci-lint-action/issues/863, https://github.com/golangci/golangci-lint-action/issues/984 | |
- name: Run tests | |
run: go test -race -v ./... | |
env: | |
# Environment variables so that AWS resources can be created | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: eu-west-2 | |
scan-container: | |
name: Scan Container | |
runs-on: | |
depot-ubuntu-24.04 | |
# this is for container scanning with aws inspector | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout@v2 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # also fetch tags and branches for `git describe` | |
- uses: depot/setup-action@v1 | |
- name: Build Docker image | |
uses: depot/build-push-action@v1 | |
with: | |
project: xnsnw3m20t | |
context: . | |
file: "build/package/Dockerfile" | |
push: false | |
tags: app:latest | |
load: true | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: "eu-west-2" | |
role-to-assume: "${{ secrets.AWS_INSPECTOR_ROLE }}" | |
- name: Invoke Amazon Inspector Scan | |
id: inspector | |
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main | |
with: | |
artifact_type: "container" | |
artifact_path: "app:latest" | |
display_vulnerability_findings: "enabled" | |
sbomgen_version: "latest" | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
needs: | |
- test | |
- scan-container | |
permissions: | |
contents: read # required for checkout | |
id-token: write # mint credentials through OIDC | |
packages: write | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- dockerfile: Dockerfile | |
image_name: aws-source | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # also fetch tags and branches for `git describe` | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
ghcr.io/overmindtech/${{ matrix.image_name }} | |
docker.cloudsmith.io/overmind/service/${{ matrix.image_name }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to Cloudsmith Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: docker.cloudsmith.io | |
username: ${{ secrets.CLOUDSMITH_SERVICE_USER }} | |
password: ${{ secrets.CLOUDSMITH_API_KEY }} | |
- uses: depot/setup-action@v1 | |
- name: Build and push | |
id: push | |
uses: depot/build-push-action@v1 | |
with: | |
project: xnsnw3m20t | |
file: build/package/${{ matrix.dockerfile }} | |
context: . | |
sbom: true | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Prepare Deployment | |
run: | | |
echo "ghcr.io/overmindtech/${{ matrix.image_name }}@${{ steps.push.outputs.digest }}" | tee ${{ matrix.image_name }}.imageref | |
- name: Upload Deployment File | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ matrix.image_name }}.imageref | |
path: ${{ matrix.image_name }}.imageref |