-
Notifications
You must be signed in to change notification settings - Fork 96
183 lines (149 loc) · 6.04 KB
/
ci-sync-deployment.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
# Copyright 2023 Terramate GmbH
# SPDX-License-Identifier: MPL-2.0
name: ci
on:
push:
branches:
- main
- v*.x # backporting branches.
jobs:
build_test:
name: Build and Test
runs-on: ${{ matrix.os.value }}
permissions:
id-token: write
contents: read
pull-requests: write
checks: read
strategy:
fail-fast: false
matrix:
os:
- name: ubuntu-focal
value: "ubuntu-20.04"
- name: macos-ventura
value: "macos-13"
go: [ "1.21" ]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # pin@v5
with:
go-version: ${{ matrix.go }}
- uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # pin@v1
with:
tofu_version: 1.6.2
tofu_wrapper: false
github_token: ${{ secrets.GITHUB_TOKEN }}
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # pin@v3
with:
terraform_version: "1.7.5"
terraform_wrapper: false
- name: Install Terramate
uses: terramate-io/terramate-action@b733b79e37eda5caba8703a75b522e9053d0846e # pin@i4k-fix-macos
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: build Terramate
run: make build && cp -v ./bin/terramate /usr/local/bin/terramate-bin
- name: make generate
run: make generate
### Check for changed stacks
- name: List changed Go packages
id: list_go_packages
run: terramate list --tags golang --changed --git-change-base HEAD^
- name: List changed e2e tests packages
id: list_e2e_packages
run: terramate list --tags e2etests --changed --git-change-base HEAD^
### Linting
- name: linting code
if: ${{ steps.list_go_packages.outputs.stdout || steps.list_e2e_packages }}
run: make lint
- name: checking go mod tidyness
if: ${{ steps.list_go_packages.outputs.stdout || steps.list_e2e_packages }}
run: make mod/check
- name: checking license on source code
if: ${{ steps.list_go_packages.outputs.stdout || steps.list_e2e_packages }}
run: make license/check
- name: Check Terramate formatting
run: terramate fmt --check
- name: Check Terraform formatting
if: ${{ steps.list_go_packages.outputs.stdout || steps.list_e2e_packages }}
run: terraform fmt -recursive -check -diff
### Run the Terramate tests and create a Cloud deployment
- name: Run Terraform deployment on changed packages
if: ${{ steps.list_go_packages.outputs.stdout }}
timeout-minutes: 30
run: terramate script run --changed --git-change-base HEAD^ --tags golang --continue-on-error --target ${{ matrix.os.name }}-go-packages --parallel 12 deploy
env:
GITHUB_TOKEN: ${{ github.token }}
TM_TEST_TERRAFORM_REQUIRED_VERSION: "1.7.5"
- name: Run all e2e tests if any Go packages changed
if: ${{ steps.list_go_packages.outputs.stdout }}
timeout-minutes: 30
run: terramate script run --tags e2etests --target ${{ matrix.os.name }}-e2e --parallel 12 deploy
env:
GITHUB_TOKEN: ${{ github.token }}
TM_TEST_TERRAFORM_REQUIRED_VERSION: "1.7.5"
- name: Else only run the changed e2e packages
if: ${{ !steps.list_e2e_packages.outputs.stdout && steps.list_e2e_packages.outputs.stdout }}
timeout-minutes: 30
run: terramate script run --tags e2etests --changed --git-change-base HEAD^ --target "${{ matrix.os.name }}-e2e" --parallel 12 deploy
env:
GITHUB_TOKEN: ${{ github.token }}
TM_TEST_TERRAFORM_REQUIRED_VERSION: "1.7.5"
release_dry_run:
name: Release Dry Run
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
fetch-depth: 0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # pin@v5
with:
go-version: '1.21'
- name: install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: install goreleaser
run: |
curl -sL https://github.com/goreleaser/goreleaser-pro/releases/download/v1.14.0-pro/goreleaser-pro_Linux_x86_64.tar.gz -o /tmp/goreleaser.tar.gz
cd /tmp && tar -xzf goreleaser.tar.gz && chmod +x goreleaser
sudo mv /tmp/goreleaser /usr/local/bin/
- name: Create cosign.pub file
run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
- name: release dry run
run: make release/dry-run
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_KEY: ${{ secrets.GORELEASER_API_KEY }}
FURY_TOKEN: ${{ secrets.FURY_TOKEN}}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD}}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY }}
- name: Locate checksum file
id: find_checksum
run: |
if [ -z "$(ls dist/*checksums.txt)" ]; then
echo "Error: Checksum file not found."
exit 1
fi
echo "CHECKSUM_FILE=$(ls dist/*checksums.txt)" >> $GITHUB_ENV
- name: Locate signature file
id: find_signature
run: |
if [ -z "$(ls dist/*checksum*.txt.sig)" ]; then
echo "Error: Signature file not found."
exit 1
fi
echo "SIGNATURE_FILE=$(ls dist/*checksum*.txt.sig)" >> $GITHUB_ENV
- name: Verify checksums with cosign
run: |
cosign verify-blob --key cosign.pub --signature ${{ env.SIGNATURE_FILE }} ${{ env.CHECKSUM_FILE }}
ci:
needs:
- build_test
runs-on: ubuntu-20.04
steps:
- run: echo "All jobs ran successfully"