logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200
							name: CI

on:
  push:
    branches:
      - main
  pull_request: {}

env:
  # Common versions
  GOLANGCI_VERSION: 'v2.4.0'
  KUBERNETES_VERSION: '1.33.x'

  # Sonar
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

permissions:
  contents: read

jobs:
  detect-noop:
    permissions:
      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
      contents: read  # for fkirc/skip-duplicate-actions to read and compare commits
    runs-on: ubuntu-latest
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Detect No-op Changes
        id: noop
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
          concurrent_skipping: false

  lint:
    permissions:
      contents: read  # for actions/checkout to fetch code
      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: ${{ env.GOLANGCI_VERSION }}
          skip-pkg-cache: true
          skip-build-cache: true

  license-check:
    permissions:
      contents: read  # for actions/checkout to fetch code
      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Check License Headers
        uses: apache/skywalking-eyes/header@5c5b974209f0de5d905f37deb69369068ebfc15c # v0.7.0

  check-diff:
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: hashicorp/setup-terraform@c529327889820530c60b4ce5bbc8d6099e166666 # v3
      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Check Diff
        run: |
          make check-diff

  unit-tests:
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Fetch History
        run: git fetch --prune --unshallow

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Cache envtest binaries
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: bin/k8s
          key: ${{ runner.os }}-envtest-${{env.KUBERNETES_VERSION}}

      - name: Run Unit Tests
        run: |
          make test

      - name: Publish Unit Test Coverage
        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          flags: unittests
          file: ./cover.out

  publish-artifacts:
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    uses: ./.github/workflows/publish.yml
    permissions:
      contents: read  #actions/checkout
      packages: write #for publishing artifacts
      id-token: write #for keyless sign
    strategy:
      matrix:
        include:
        - dockerfile: "Dockerfile"
          build-args: "CGO_ENABLED=0"
          build-arch: "amd64 arm64 s390x ppc64le"
          build-platform: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
          tag-suffix: "" # distroless
        - dockerfile: "Dockerfile.ubi"
          build-args: "CGO_ENABLED=0"
          build-arch: "amd64 arm64 ppc64le"
          build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
          tag-suffix: "-ubi"
        - dockerfile: "Dockerfile.ubi"
          build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
          build-arch: "amd64 ppc64le"
          build-platform: "linux/amd64,linux/ppc64le"
          tag-suffix: "-ubi-boringssl"
    with:
      dockerfile: ${{ matrix.dockerfile }}
      tag-suffix: ${{ matrix.tag-suffix }}
      image-name: ghcr.io/${{ github.repository }}
      build-platform: ${{ matrix.build-platform }}
      build-args: ${{ matrix.build-args }}
      build-arch: ${{ matrix.build-arch }}
      ref: ${{ github.ref }}
    secrets:
      IS_FORK: ${{ secrets.GHCR_USERNAME }} # this is just a secret to verify it is a fork or not, no other utility