-
Notifications
You must be signed in to change notification settings - Fork 4
135 lines (116 loc) · 4.17 KB
/
pull-request.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: Build and test Go
on:
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: checkly/checkly-operator
USE_EXISTING_CLUSTER: true
GO_MODULES: on
jobs:
golang:
name: Golang build
runs-on: ubuntu-latest
steps:
- name: Check out source code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
# We need kind to test the code
- name: Start kind cluster
uses: helm/kind-action@v1
with:
version: "v0.22.0" # This starts k8s v1.29
- name: Test code
env:
USE_EXISTING_CLUSTER: true
run: |
make test-ci
# Sonarcloud
# - name: SonarCloud Scan
# uses: SonarSource/sonarcloud-github-action@master
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# GO_MODULES: "on"
# Docker buildx does not allow for multi architecture builds and loading the docker container locally,
# this way we can not run trivy against the containers, one solution is to run multiple jobs for each arch
# ARM builds are really slow, we're only doing it in the `main-merge` workflow.
docker:
name: Docker build
runs-on: ubuntu-latest
strategy:
matrix:
# arch: ["amd64", "arm64", "arm"]
arch: ["amd64"]
steps:
- name: Check out source code
uses: actions/checkout@v4
# For multi-arch docker builds
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
# Docker build specifics
- name: Docker meta
id: docker_meta # you'll use this in the next step
uses: docker/metadata-action@v5
with:
# list of Docker images to use as base name for tags
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# Docker tags based on the following events/attributes
tags: |
type=sha
# Check Dockerfile with hadolint
- uses: hadolint/[email protected]
with:
dockerfile: Dockerfile
- name: Build multi-platform images
uses: docker/build-push-action@v6
with:
context: .
platforms: ${{ matrix.arch }}
load: true
tags: ${{ steps.docker_meta.outputs.tags }}
- name: Trivy vulnerability scanner
uses: aquasecurity/[email protected]
env:
IMAGE: ${{ steps.docker_meta.outputs.tags }}
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.IMAGE }}
format: "table"
exit-code: "1"
semantic-validate:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
id: lint_pr_title
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: marocchino/sticky-pull-request-comment@v2
# When the previous steps fails, the workflow would stop. By adding this
# condition you can continue the execution with the populated error message.
if: always() && (steps.lint_pr_title.outputs.error_message != null)
with:
header: pr-title-lint-error
message: |
Hey there and thank you for opening this pull request! 👋🏼
We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
Details:
```
${{ steps.lint_pr_title.outputs.error_message }}
```
# Delete a previous comment when the issue has been resolved
- if: ${{ steps.lint_pr_title.outputs.error_message == null }}
uses: marocchino/sticky-pull-request-comment@v2
with:
header: pr-title-lint-error
delete: true