Skip to content

Commit

Permalink
chore: add github workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
mikhailswift committed Jun 12, 2024
1 parent 81465ea commit 6571909
Show file tree
Hide file tree
Showing 5 changed files with 335 additions and 0 deletions.
28 changes: 28 additions & 0 deletions .github/workflows/golangci-lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: golangci-lint
on:
push:
tags:
- v*
branches:
- main
pull_request:
branches:
- main
paths:
- "**.go"
- "go.mod"
- ".github/workflows/golangci-lint.yml"
permissions:
contents: read
pull-requests: read
jobs:
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: golangci-lint
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
with:
version: latest
args: --timeout=3m
124 changes: 124 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
# Copyright 2022 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: release
on:
push:
tags:
- v*
branches:
- main
pull_request:
branches:
- main
paths-ignore:
- "**.md"
- "docs/**"
- "docs-site/**"

permissions:
contents: read # This is required for actions/checkout


jobs:
fmt:
uses: ./.github/workflows/witness.yml
permissions:
id-token: write # This is required for requesting the JWT
contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
command: go fmt ./...

sast:
needs: [fmt]
uses: ./.github/workflows/witness.yml
permissions:
id-token: write # This is required for requesting the JWT
contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
attestations: "git github environment"
command: go vet ./...

unit-test:
needs: [fmt]
uses: ./.github/workflows/witness.yml
permissions:
id-token: write # This is required for requesting the JWT
contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
attestations: "git github environment"
command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
artifact-upload-name: profile.cov
artifact-upload-path: profile.cov

release:
permissions:
id-token: write
contents: write
packages: write
runs-on: ubuntu-latest
needs: [sast, unit-test]
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')

steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0

- name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: 1.21.x
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Login to GitHub Container Registry
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Install syft
uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0

- name: Download GoReleaser
run: go install github.com/goreleaser/goreleaser@v1.23.0

- name: Run GoReleaser
uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
with:
step: "build"
attestations: "github"
command: goreleaser release --clean
24 changes: 24 additions & 0 deletions .github/workflows/verify-licence.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: Verify License
on:
workflow_dispatch:
push:
branches: ["main", "release-*"]
pull_request:
permissions:
contents: read

jobs:
license-check:
name: license boilerplate check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.21.x"
- name: Install addlicense
run: go install github.com/google/addlicense@v1.1.1
- name: Check license headers
run: |
set -e
addlicense --check -l apache -c 'The Witness Contributors' --ignore "chart/**" -v *
86 changes: 86 additions & 0 deletions .github/workflows/witness.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# Copyright 2023 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

on:
workflow_call:
inputs:
pull_request:
required: true
type: boolean
artifact-download:
required: false
type: string
artifact-upload-name:
required: false
type: string
artifact-upload-path:
required: false
type: string
pre-command:
required: false
type: string
command:
required: true
type: string
step:
required: true
type: string
attestations:
required: true
type: string

permissions:
contents: read

jobs:
witness:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: 1.21.x

- if: ${{ inputs.artifact-download != '' }}
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ inputs.artifact-download }}
path: /tmp

- if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
with:
step: pre-${{ inputs.step }}
attestations: ${{ inputs.attestations }}
command: /bin/sh -c "${{ inputs.pre-command }}"
- if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
run: ${{ inputs.pre-command }}

- if: ${{ inputs.pull_request == false }}
uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
with:
step: ${{ inputs.step }}
attestations: ${{ inputs.attestations }}
command: /bin/sh -c "${{ inputs.command }}"
- if: ${{ inputs.pull_request == true }}
run: ${{ inputs.command }}

- if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ inputs.artifact-upload-name }}
path: ${{ inputs.artifact-upload-path }}
73 changes: 73 additions & 0 deletions .goreleaser.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
project_name: witness-webhook
builds:
- ldflags:
- "-s -w"
- "-extldflags=-zrelro"
- "-extldflags=-znow"
- "-extldflags -w -X 'github.com/testifysec/witness-webhook/main.Version={{.Tag}}-{{.ShortCommit}}'"
env:
- "CGO_ENABLED=0"
- "GO111MODULE=on"
- "GOFLAGS=-mod=readonly -trimpath"
goos:
- linux
- darwin
goarch:
- amd64
- arm64
main: ./
source:
enabled: true
signs:
- cmd: cosign
args:
- "sign-blob"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes" # needed on cosign 2.0.0+
artifacts: all
changelog:
use: github
groups:
- title: Features
regexp: "^.*feat[(\\w)]*:+.*$"
order: 0
- title: 'Bug fixes'
regexp: "^.*fix[(\\w)]*:+.*$"
order: 1
- title: 'Documentation'
regexp: "^.*docs[(\\w)]*:+.*$"
order: 2
- title: Others
order: 999
release:
prerelease: auto
github:
owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
kos:
- repository: ghcr.io/testifysec/witness-webhook
tags:
- '{{.Version}}'
bare: true
preserve_import_paths: false
creation_time: '{{.CommitTimestamp}}'
platforms:
- linux/amd64
- linux/arm64
sbom: spdx
docker_signs:
- artifacts: manifests
cmd: cosign
args:
- "sign"
- "${artifact}"
- "--yes" # needed on cosign 2.0.0+
sboms:
- id: archive
cmd: syft
artifacts: archive
args: ["$artifact", "--output", "spdx-json=$document"]
- id: source
cmd: syft
artifacts: source
args: ["$artifact", "--output", "spdx-json=$document"]

0 comments on commit 6571909

Please sign in to comment.