Merge pull request #8770 from cri-o/dependabot/github_actions/actions… #2168
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: test | |
| on: | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - v* | |
| branches: | |
| - main | |
| - release-* | |
| - nixpkgs | |
| pull_request: | |
| env: | |
| GO_VERSION: "1.23" | |
| NIX_VERSION: "2.24.3" | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: scripts/github-actions-packages | |
| - run: make | |
| - run: bin/crio version | |
| - run: make bin/crio.cross.linux.amd64 | |
| - run: bin/crio.cross.linux.amd64 version | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: build | |
| path: | | |
| bin/crio | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: docs | |
| path: | | |
| docs/crio.8 | |
| docs/crio.conf.5 | |
| docs/crio.conf.d.5 | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: config | |
| path: crio.conf | |
| build-freebsd: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: scripts/github-actions-packages | |
| - run: make bin/crio.cross.freebsd.amd64 | |
| validate-docs: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build | |
| path: bin | |
| - run: chmod -R +x bin | |
| - run: | | |
| sudo -E make docs-generation | |
| hack/tree_status.sh | |
| validate-completions: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build | |
| path: bin | |
| - run: chmod -R +x bin | |
| - run: | | |
| sudo -E make completions-generation | |
| hack/tree_status.sh | |
| validate-nri-tests: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build | |
| path: bin | |
| - run: | | |
| sudo -E make check-nri-bats-tests GOSUMDB= | |
| build-static: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| run: | |
| - go-arch: amd64 | |
| os-arch: x86-64 | |
| - go-arch: arm64 | |
| os-arch: aarch64 | |
| - go-arch: ppc64le | |
| os-arch: PowerPC | |
| - go-arch: s390x | |
| os-arch: S/390 | |
| name: build static / ${{ matrix.run.go-arch }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27 | |
| with: | |
| install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install | |
| - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 | |
| with: | |
| name: cri-o-static | |
| authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
| pushFilter: cri-o | |
| - run: nix-build nix/default-${{ matrix.run.go-arch }}.nix | |
| - run: file result/bin/crio | grep ${{ matrix.run.os-arch }} | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: build-static-${{ matrix.run.go-arch }} | |
| path: | | |
| result/bin/crio | |
| result/bin/pinns | |
| static-build-upload: | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/heads/release') || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-static | |
| steps: | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-amd64 | |
| path: ${{ github.sha }}/amd64 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-arm64 | |
| path: ${{ github.sha }}/arm64 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-ppc64le | |
| path: ${{ github.sha }}/ppc64le | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-s390x | |
| path: ${{ github.sha }}/s390x | |
| - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
| with: | |
| credentials_json: ${{ secrets.GCS_CRIO_SA }} | |
| - uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 | |
| with: | |
| path: ${{ github.sha }} | |
| destination: cri-o/artifacts | |
| upload-artifacts: | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/heads/release') || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-latest | |
| needs: | |
| - static-build-upload | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: make upload-artifacts | |
| env: | |
| GCS_CRIO_SA: ${{ secrets.GCS_CRIO_SA }} | |
| create-release: | |
| if: contains(github.ref, 'refs/tags') | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: | |
| - release-notes | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: release-notes | |
| path: build/release-notes | |
| - name: Get release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV | |
| - uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
| with: | |
| allowUpdates: true | |
| bodyFile: build/release-notes/${{ env.RELEASE_VERSION }}.md | |
| unit: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| run: | |
| - runner: ubuntu-latest | |
| arch: amd64 | |
| type: root | |
| - runner: ubuntu-latest | |
| arch: amd64 | |
| type: rootless | |
| name: unit / ${{ matrix.run.arch }} / ${{ matrix.run.type }} | |
| runs-on: ${{ matrix.run.runner }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: go-unit-${{ matrix.run.arch }}-${{ matrix.run.type }}-${{ hashFiles('**/go.sum') }} | |
| - run: scripts/github-actions-packages | |
| - name: Update mocks | |
| run: | | |
| make mockgen -j $(nproc) | |
| hack/tree_status.sh | |
| - name: Run unit tests as root | |
| if: ${{ matrix.run.type == 'root' }} | |
| run: | | |
| sudo PATH="$PATH" GOCACHE="$(go env GOCACHE)" GOMODCACHE="$(go env GOMODCACHE)" make testunit | |
| sudo chown -R $(id -u):$(id -g) "$(go env GOCACHE)" "$(go env GOMODCACHE)" || true | |
| - name: Run unit tests rootless | |
| if: ${{ matrix.run.type == 'rootless' }} | |
| run: make testunit | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: unit-${{ matrix.run.arch }}-${{ matrix.run.type }} | |
| path: build/coverage | |
| coverage: | |
| needs: unit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: unit-amd64-root | |
| path: build/coverage | |
| - uses: codecov/codecov-action@985343d70564a82044c1b7fcb84c2fa05405c1a2 # v5.0.4 | |
| with: | |
| files: build/coverage/coverprofile | |
| verbose: true | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| release-notes: | |
| permissions: | |
| contents: write | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/heads/release') || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Set current branch | |
| run: | | |
| raw=$(git branch -r --contains ${{ github.ref }}) | |
| branch=${raw##*/} | |
| echo "CURRENT_BRANCH=$branch" >> $GITHUB_ENV | |
| - run: make release-notes | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: release-notes | |
| path: build/release-notes | |
| if-no-files-found: ignore | |
| dependencies: | |
| permissions: | |
| contents: write | |
| if: github.ref == 'refs/heads/main' | |
| needs: release-notes | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: make dependencies | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: dependencies | |
| path: build/dependencies | |
| codeql-build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: github/codeql-action/init@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 | |
| with: | |
| languages: go | |
| - uses: github/codeql-action/autobuild@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 | |
| - uses: github/codeql-action/analyze@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 | |
| security-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run govulncheck | |
| run: make verify-govulncheck | |
| - name: Run gosec | |
| run: make verify-gosec |