|
35 | 35 | RUN_TMATE: ${{ secrets.RUN_TMATE }}
|
36 | 36 |
|
37 | 37 | jobs:
|
| 38 | + diagnostics: |
| 39 | + name: Run diagnostics |
| 40 | + runs-on: ubuntu-latest |
| 41 | + steps: |
| 42 | + # Note that a duplicate of this step must be added at the top of |
| 43 | + # each job. |
| 44 | + - id: harden-runner |
| 45 | + name: Harden the runner |
| 46 | + uses: step-security/harden-runner@v2 |
| 47 | + with: |
| 48 | + egress-policy: audit |
| 49 | + - id: github-status |
| 50 | + name: Check GitHub status |
| 51 | + uses: crazy-max/ghaction-github-status@v3 |
| 52 | + - id: dump-context |
| 53 | + name: Dump context |
| 54 | + uses: crazy-max/ghaction-dump-context@v2 |
38 | 55 | lint:
|
39 | 56 | # Checks out the source and runs pre-commit hooks. Detects coding errors
|
40 | 57 | # and style deviations.
|
41 |
| - name: "Lint sources" |
| 58 | + name: Lint sources |
| 59 | + needs: |
| 60 | + - diagnostics |
42 | 61 | runs-on: ubuntu-latest
|
43 | 62 | steps:
|
| 63 | + - id: harden-runner |
| 64 | + name: Harden the runner |
| 65 | + uses: step-security/harden-runner@v2 |
| 66 | + with: |
| 67 | + egress-policy: audit |
44 | 68 | - id: setup-env
|
45 | 69 | uses: cisagov/setup-env-github-action@develop
|
46 |
| - - uses: actions/checkout@v3 |
| 70 | + - uses: actions/checkout@v4 |
47 | 71 | - id: setup-python
|
48 | 72 | uses: actions/setup-python@v4
|
49 | 73 | with:
|
@@ -104,11 +128,26 @@ jobs:
|
104 | 128 | - uses: hashicorp/setup-terraform@v2
|
105 | 129 | with:
|
106 | 130 | terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
|
| 131 | + - name: Install go-critic |
| 132 | + env: |
| 133 | + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic |
| 134 | + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} |
| 135 | + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} |
| 136 | + - name: Install gosec |
| 137 | + env: |
| 138 | + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec |
| 139 | + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} |
| 140 | + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} |
107 | 141 | - name: Install shfmt
|
108 | 142 | env:
|
109 | 143 | PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
|
110 | 144 | PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
|
111 | 145 | run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
|
| 146 | + - name: Install staticcheck |
| 147 | + env: |
| 148 | + PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck |
| 149 | + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} |
| 150 | + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} |
112 | 151 | - name: Install Terraform-docs
|
113 | 152 | env:
|
114 | 153 | PACKAGE_URL: github.com/terraform-docs/terraform-docs
|
@@ -166,15 +205,22 @@ jobs:
|
166 | 205 | # with the value specified by the user.
|
167 | 206 | #
|
168 | 207 | # Scheduled builds are tagged with `:nightly`.
|
169 |
| - name: "Prepare build variables" |
170 |
| - runs-on: ubuntu-latest |
| 208 | + name: Prepare build variables |
| 209 | + needs: |
| 210 | + - diagnostics |
171 | 211 | outputs:
|
172 | 212 | created: ${{ steps.prep.outputs.created }}
|
173 | 213 | repometa: ${{ steps.repo.outputs.result }}
|
174 | 214 | source_version: ${{ steps.prep.outputs.source_version }}
|
175 | 215 | tags: ${{ steps.prep.outputs.tags }}
|
| 216 | + runs-on: ubuntu-latest |
176 | 217 | steps:
|
177 |
| - - uses: actions/checkout@v3 |
| 218 | + - id: harden-runner |
| 219 | + name: Harden the runner |
| 220 | + uses: step-security/harden-runner@v2 |
| 221 | + with: |
| 222 | + egress-policy: audit |
| 223 | + - uses: actions/checkout@v4 |
178 | 224 | - name: Gather repository metadata
|
179 | 225 | id: repo
|
180 | 226 | uses: actions/github-script@v6
|
@@ -228,16 +274,23 @@ jobs:
|
228 | 274 | build:
|
229 | 275 | # Builds a single test image for the native platform. This image is saved
|
230 | 276 | # as an artifact and loaded by the test job.
|
231 |
| - name: "Build test image" |
| 277 | + name: Build test image |
| 278 | + needs: |
| 279 | + - diagnostics |
| 280 | + - prepare |
232 | 281 | runs-on: ubuntu-latest
|
233 |
| - needs: [prepare] |
234 | 282 | steps:
|
| 283 | + - id: harden-runner |
| 284 | + name: Harden the runner |
| 285 | + uses: step-security/harden-runner@v2 |
| 286 | + with: |
| 287 | + egress-policy: audit |
235 | 288 | - name: Checkout
|
236 |
| - uses: actions/checkout@v3 |
| 289 | + uses: actions/checkout@v4 |
237 | 290 | - name: Set up QEMU
|
238 |
| - uses: docker/setup-qemu-action@v2 |
| 291 | + uses: docker/setup-qemu-action@v3 |
239 | 292 | - name: Set up Docker Buildx
|
240 |
| - uses: docker/setup-buildx-action@v2 |
| 293 | + uses: docker/setup-buildx-action@v3 |
241 | 294 | - name: Cache Docker layers
|
242 | 295 | uses: actions/cache@v3
|
243 | 296 | env:
|
@@ -298,11 +351,18 @@ jobs:
|
298 | 351 | if: env.RUN_TMATE
|
299 | 352 | test:
|
300 | 353 | # Executes tests on the single-platform image created in the "build" job.
|
301 |
| - name: "Test image" |
| 354 | + name: Test image |
| 355 | + needs: |
| 356 | + - diagnostics |
| 357 | + - build |
302 | 358 | runs-on: ubuntu-latest
|
303 |
| - needs: [build] |
304 | 359 | steps:
|
305 |
| - - uses: actions/checkout@v3 |
| 360 | + - id: harden-runner |
| 361 | + name: Harden the runner |
| 362 | + uses: step-security/harden-runner@v2 |
| 363 | + with: |
| 364 | + egress-policy: audit |
| 365 | + - uses: actions/checkout@v4 |
306 | 366 | - id: setup-python
|
307 | 367 | uses: actions/setup-python@v4
|
308 | 368 | with:
|
@@ -344,32 +404,41 @@ jobs:
|
344 | 404 | # GitHub Container Registry. The contents of README.md are pushed as the
|
345 | 405 | # image's description to Docker Hub. This job is skipped when the
|
346 | 406 | # triggering event is a pull request.
|
347 |
| - name: "Build and push all platforms" |
348 |
| - runs-on: ubuntu-latest |
349 |
| - needs: [lint, prepare, test] |
350 | 407 | if: github.event_name != 'pull_request'
|
| 408 | + name: Build and push all platforms |
| 409 | + needs: |
| 410 | + - diagnostics |
| 411 | + - lint |
| 412 | + - prepare |
| 413 | + - test |
351 | 414 | # When Dependabot creates a PR it requires this permission in
|
352 | 415 | # order to push Docker images to ghcr.io.
|
353 | 416 | permissions:
|
354 | 417 | packages: write
|
| 418 | + runs-on: ubuntu-latest |
355 | 419 | steps:
|
| 420 | + - id: harden-runner |
| 421 | + name: Harden the runner |
| 422 | + uses: step-security/harden-runner@v2 |
| 423 | + with: |
| 424 | + egress-policy: audit |
356 | 425 | - name: Login to Docker Hub
|
357 |
| - uses: docker/login-action@v2 |
| 426 | + uses: docker/login-action@v3 |
358 | 427 | with:
|
359 | 428 | username: ${{ secrets.DOCKER_USERNAME }}
|
360 | 429 | password: ${{ secrets.DOCKER_PASSWORD }}
|
361 | 430 | - name: Login to GitHub Container Registry
|
362 |
| - uses: docker/login-action@v2 |
| 431 | + uses: docker/login-action@v3 |
363 | 432 | with:
|
364 | 433 | registry: ghcr.io
|
365 | 434 | username: ${{ github.actor }}
|
366 | 435 | password: ${{ secrets.GITHUB_TOKEN }}
|
367 | 436 | - name: Checkout
|
368 |
| - uses: actions/checkout@v3 |
| 437 | + uses: actions/checkout@v4 |
369 | 438 | - name: Set up QEMU
|
370 |
| - uses: docker/setup-qemu-action@v2 |
| 439 | + uses: docker/setup-qemu-action@v3 |
371 | 440 | - name: Set up Docker Buildx
|
372 |
| - uses: docker/setup-buildx-action@v2 |
| 441 | + uses: docker/setup-buildx-action@v3 |
373 | 442 | - name: Cache Docker layers
|
374 | 443 | uses: actions/cache@v3
|
375 | 444 | env:
|