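---
# CI workflow: no-op detection, lint, license-header check, generated-file
# drift check, unit tests with coverage upload, and a matrix of image builds
# delegated to the reusable publish workflow.
#
# Every job starts with step-security/harden-runner; all third-party actions
# are pinned to a full commit SHA with the human-readable tag in a comment.
name: CI

on: # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request: {}

env:
  # Common versions (GOLANGCI_VERSION is not read by any step in this file;
  # presumably consumed by the Makefile targets invoked below — verify)
  GOLANGCI_VERSION: 'v2.4.0'
  KUBERNETES_VERSION: '1.33.x'
  # Sonar
  # NOTE(review): no step in this workflow references SONAR_TOKEN. A
  # workflow-level env makes the secret available to every step of every job,
  # including third-party actions. If only a Makefile target outside this file
  # needs it, scope it to that job's step `env:` instead — confirm before moving.
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

# Default token permissions for every job that does not declare its own block
# (check-diff and unit-tests inherit this read-only token).
permissions:
  contents: read

jobs:
  detect-noop:
    permissions:
      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
      contents: read # for fkirc/skip-duplicate-actions to read and compare commits
    runs-on: ubuntu-latest
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          # `audit` only records outbound connections; it does not block them.
          # Same setting is used by every harden-runner step below — consider
          # `block` with an `allowed-endpoints` list once the required hosts
          # are known from the audit output.
          egress-policy: audit
      - name: Detect No-op Changes
        id: noop
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
          concurrent_skipping: false

  # lint, license-check and check-diff are gated on `github.ref != 'refs/heads/main'`;
  # since `push` only fires for main, they effectively run on pull requests only.
  lint:
    permissions:
      contents: read # for actions/checkout to fetch code
      # NOTE(review): no golangci/golangci-lint-action step exists in this job
      # (`make lint` runs locally), so this grant appears unused — confirm and
      # drop to keep the job at least privilege.
      pull-requests: read
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
    steps:
      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        id: setup-go
        with:
          go-version-file: "go.mod"
      - name: Download Go modules
        # Skipped when setup-go restored the module cache.
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download
      - name: Run lint
        run: make lint

  license-check:
    permissions:
      contents: read # for actions/checkout to fetch code
      # NOTE(review): the only step here is the skywalking-eyes header check;
      # whether it needs pull-requests access is not visible from this file —
      # confirm against the action's docs and drop the grant if unused.
      pull-requests: read
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
    steps:
      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Check License Headers
        uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0

  check-diff:
    # Inherits the workflow-level `contents: read` token.
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
    steps:
      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: hashicorp/setup-terraform@712b43959e9be7e82c34d18450fa5ec3237af3f1 # v3
      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        id: setup-go
        with:
          go-version-file: "go.mod"
      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download
      - name: Configure Git
        # Identity is needed only so `make check-diff` can commit/diff locally;
        # nothing is pushed (token is read-only).
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Check Diff
        run: |
          make check-diff

  unit-tests:
    # Inherits the workflow-level `contents: read` token; runs on main pushes too.
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Fetch History
        run: git fetch --prune --unshallow
      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        id: setup-go
        with:
          go-version-file: "go.mod"
      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download
      - name: Cache envtest binaries
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: bin/k8s
          # Keyed on the envtest Kubernetes version so a bump invalidates the cache.
          key: ${{ runner.os }}-envtest-${{ env.KUBERNETES_VERSION }}
      - name: Run Unit Tests
        run: |
          make test
      - name: Publish Unit Test Coverage
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        env:
          # Scoped to this step only, so no other action in the job sees it.
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          flags: unittests
          file: ./cover.out

  publish-artifacts:
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    uses: ./.github/workflows/publish.yml
    # These grants are the ceiling for the called workflow's own `permissions`.
    permissions:
      contents: read # actions/checkout
      packages: write # for publishing artifacts
      id-token: write # for keyless sign
    strategy:
      matrix:
        include:
          - dockerfile: "Dockerfile"
            build-args: "CGO_ENABLED=0"
            build-arch: "amd64 arm64 s390x ppc64le"
            build-platform: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
            tag-suffix: "" # distroless
          - dockerfile: "Dockerfile.ubi"
            build-args: "CGO_ENABLED=0"
            build-arch: "amd64 arm64 ppc64le"
            build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
            tag-suffix: "-ubi"
          - dockerfile: "Dockerfile.ubi"
            build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
            build-arch: "amd64 ppc64le"
            build-platform: "linux/amd64,linux/ppc64le"
            tag-suffix: "-ubi-boringssl"
    with:
      dockerfile: ${{ matrix.dockerfile }}
      tag-suffix: ${{ matrix.tag-suffix }}
      image-name: ghcr.io/${{ github.repository }}
      build-platform: ${{ matrix.build-platform }}
      build-args: ${{ matrix.build-args }}
      build-arch: ${{ matrix.build-arch }}
      ref: ${{ github.ref }}
    secrets:
      # Secrets are empty for pull requests from forks, so an empty value here
      # lets publish.yml tell fork PRs from in-repo runs.
      IS_FORK: ${{ secrets.GHCR_USERNAME }} # this is just a secret to verify it is a fork or not, no other utility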