ci: pin actions in nightly workflow #10136
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
name: PR CI Workflow | |
jobs: | |
ci-js: | |
name: CI Test JS | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version-file: package.json | |
cache: yarn | |
- run: make node_modules | |
- name: Check that package.json & package-lock.json were updated in commit | |
run: | | |
echo "Using node.js "$(node --version) | |
echo "Using Yarn "$(yarn --version) | |
git diff --no-ext-diff --exit-code | |
- run: make ui-audit | |
- run: make ui | |
- run: make ui-lint | |
- run: make ui-prettify-check | |
- run: make ui-test | |
- run: make ui-lib | |
ci-go: | |
name: CI Test Go | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Go | |
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
with: | |
go-version-file: go.mod | |
- name: Setup Flux CLI | |
uses: fluxcd/flux2/action@5350425cdcd5fa015337e09fa502153c0275bd4b # v2.4.0 | |
- run: make unit-tests | |
ci-static: | |
name: CI Check Static Checks | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Go | |
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
with: | |
go-version-file: go.mod | |
- run: make check-format | |
- run: make lint | |
- run: go mod tidy | |
- name: Check that go mod tidy has been run | |
run: git diff --no-ext-diff --exit-code | |
- run: make proto | |
- name: Check that make proto has been run | |
run: git diff --no-ext-diff --exit-code | |
- run: make fakes | |
- name: Check that make fakes has been run | |
run: git diff --no-ext-diff --exit-code | |
build-push-image: | |
name: CI Build Image | |
uses: ./.github/workflows/build-push-image.yaml | |
with: | |
file: ${{ matrix.docker-image }}.dockerfile | |
image: ghcr.io/${{ github.repository }}/${{ matrix.docker-image }} | |
push: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
id-token: write # for Cosign to be able to sign images with GHA token | |
packages: write # for docker/build-push-action to push images | |
strategy: | |
matrix: | |
docker-image: | |
- gitops | |
- gitops-server | |
ci-upload-binary: | |
name: Upload Binary - Disabled | |
runs-on: ${{ matrix.os }} | |
needs: [ci-go, ci-static, ci-js] | |
strategy: | |
matrix: | |
os: [ubuntu-latest, macOS-latest] | |
if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Go | |
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
with: | |
go-version-file: go.mod | |
- name: Clean | |
run: make clean | |
- id: gitsha | |
run: | | |
gitsha=$(git rev-parse --short ${{ github.sha }}) | |
echo "sha=$gitsha" >> $GITHUB_OUTPUT | |
- name: build | |
run: | | |
make gitops | |
- name: Upload binary | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 | |
with: | |
name: gitops-${{ matrix.os }}-${{ steps.gitsha.outputs.sha }} | |
path: bin/gitops | |
overwrite: true | |
ci-publish-js-lib: | |
name: Publish js library | |
runs-on: ubuntu-latest | |
if: "${{ github.repository_owner == 'weaveworks' && github.ref_name == 'main'}}" | |
needs: [ci-js] | |
permissions: | |
packages: write | |
outputs: | |
js-version: ${{ steps.package-version.outputs.js-version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# avoid the merge commit that on.pull_request creates | |
# fallback to github.sha if not present (e.g. on.push(main)) | |
# https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit | |
# We want the correct sha so we can tag the npm package correctly | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
fetch-depth: 0 | |
- name: Setup Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version-file: package.json | |
registry-url: "https://npm.pkg.github.com" | |
scope: "@weaveworks" | |
- run: yarn | |
- run: make ui-lib | |
- name: Update package version | |
id: package-version | |
run: | | |
GITOPS_VERSION=$(git describe) | |
echo "js-version=$GITOPS_VERSION" >> $GITHUB_OUTPUT | |
jq '.version = "'$GITOPS_VERSION'" | .name = "@weaveworks/weave-gitops-main"' < dist/package.json > dist/package-new.json | |
mv dist/package-new.json dist/package.json | |
cp .npmrc dist | |
- run: cd dist && npm publish | |
env: | |
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# release step updates 'release' status check for non releases branches. See ../../doc/incidents/issues-3907 for full context. | |
release: | |
if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.head.ref, 'releases/') && !github.event.pull_request.head.repo.fork }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Release | |
run: | | |
curl --fail --request POST \ | |
--url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \ | |
--header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \ | |
--header 'content-type: application/json' \ | |
--data '{ | |
"state":"success", | |
"description":"release not required", | |
"context":"release" | |
}' |