Showing 90 changed files with 4,132 additions and 1,000 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 1,13 @@ | ||
bin/ | ||
dist/ | ||
bin | ||
dist | ||
site | ||
docs | ||
node_modules | ||
.git | ||
.idea | ||
.github | ||
testdata/ | ||
node_modules/ | ||
.vscode | ||
.gitignore | ||
*.md | ||
LICENSE | ||
vendor |
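Review bot: `testdata/` disappears from the ignore list in this hunk, so test fixtures are now sent to the Docker build context on every build; unless the Dockerfile actually reads them, keep the entry, since a larger context slows builds and anything credential-shaped in fixtures ends up in the buildx cache. The new `*.md` and `LICENSE` entries mean any `COPY README.md` or `COPY LICENSE` in the Dockerfile will now fail, so please confirm the Dockerfile does not copy either.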
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,45 1,35 @@ | ||
name: CI Build | ||
on: [push, pull_request] | ||
jobs: | ||
|
||
build: | ||
name: Build | ||
make: | ||
name: Test | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
make: [build, test, race, docker-build, goreleaser] | ||
steps: | ||
- name: Check out code into the Go module directory | ||
uses: actions/checkout@v3 | ||
|
||
- name: Set up Go 1.18 | ||
uses: actions/setup-go@v1 | ||
- name: Set up Go | ||
uses: actions/setup-go@v3 | ||
with: | ||
go-version: 1.18 | ||
go-version-file: go.mod | ||
id: go | ||
|
||
- name: Check out code into the Go module directory | ||
uses: actions/checkout@v1 | ||
|
||
- name: Get dependencies | ||
run: | | ||
go get -v -t -d ./... | ||
if [ -f Gopkg.toml ]; then | ||
curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh | ||
dep ensure | ||
fi | ||
run: go mod download | ||
|
||
- name: Build | ||
run: make build | ||
|
||
- name: Test | ||
run: make test | ||
|
||
- name: Race detection | ||
run: make race | ||
- name: make ${{ matrix.make }} | ||
run: make ${{ matrix.make }} | ||
if: matrix.make != 'goreleaser' | ||
|
||
- name: Upload results to codecov | ||
run: bash <(curl -s https://codecov.io/bash) -t 48d6a1a8-a66e-4f27-9cc1-a7b91c4209b2 | ||
|
||
- name: Docker images | ||
run: make docker-build | ||
uses: codecov/codecov-action@v3 | ||
if: matrix.make == 'test' | ||
|
||
- name: Check GoReleaser configuration | ||
uses: goreleaser/goreleaser-action@v2 | ||
uses: goreleaser/goreleaser-action@v3 | ||
if: matrix.make == 'goreleaser' | ||
with: | ||
args: check |
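Review bot: the Codecov upload token passed to `bash <(curl -s https://codecov.io/bash) -t 48d6a1a8-...` on the removed line is still recoverable from git history, so removing it here is not enough; rotate it on the Codecov side and, if a token is still needed, feed it to `codecov/codecov-action@v3` through `with: token: ${{ secrets.CODECOV_TOKEN }}` rather than putting it back in the file. The `id: go` on the setup-go step is no longer referenced anywhere and can be dropped. Since this workflow runs on `pull_request`, consider pinning `actions/checkout`, `actions/setup-go`, `codecov/codecov-action` and `goreleaser/goreleaser-action` to commit SHAs instead of the movable `@v3` tags.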
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 1,25 @@ | ||
name: 'Close stale issues and PRs' | ||
on: | ||
schedule: | ||
- cron: '0 4 * * *' | ||
|
||
jobs: | ||
stale: | ||
runs-on: ubuntu-latest | ||
if: github.repository_owner == '0xERR0R' | ||
permissions: | ||
issues: write | ||
pull-requests: write | ||
steps: | ||
- uses: actions/stale@v6 | ||
with: | ||
stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.' | ||
stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.' | ||
close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.' | ||
close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.' | ||
days-before-issue-stale: 90 | ||
days-before-pr-stale: 45 | ||
days-before-issue-close: 5 | ||
days-before-pr-close: 10 | ||
exempt-all-milestones: true | ||
operations-per-run: 60 |
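Review bot: pin `actions/stale@v6` to a commit SHA rather than the movable `v6` tag; this job holds `issues: write` and `pull-requests: write` and runs unattended on a daily cron, so a retagged action would get those permissions with no human in the loop. Otherwise the hunk looks right: the `github.repository_owner == '0xERR0R'` gate keeps it from firing on forks, and the day counts quoted in the stale/close messages match the `days-before-*` settings.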
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,55 1,207 @@ | ||
name: Development docker build | ||
|
||
on: | ||
push: | ||
branches: | ||
- development | ||
- fb-* | ||
|
||
permissions: | ||
security-events: write | ||
actions: read | ||
contents: read | ||
packages: write | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
check: | ||
name: Check if workflow should run | ||
runs-on: ubuntu-latest | ||
outputs: | ||
enabled: ${{ steps.check.outputs.enabled }} | ||
steps: | ||
- name: Enabled Check | ||
id: check | ||
shell: bash | ||
run: | | ||
ENABLED=${{ secrets.DEVELOPMENT_DOCKER }} | ||
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then | ||
ENABLED="true" | ||
fi | ||
if [[ "${ENABLED,,}" != "true" ]]; then | ||
echo "enabled=0" >> $GITHUB_OUTPUT | ||
echo "Workflow is disabled" | ||
echo "### Workflow is disabled" >> $GITHUB_STEP_SUMMARY | ||
echo "To enable this workflow by creating a secret 'DEVELOPMENT_DOCKER' with the value 'true'" >> $GITHUB_STEP_SUMMARY | ||
else | ||
echo "enabled=1" >> $GITHUB_OUTPUT | ||
echo "Workflow is enabled" | ||
fi | ||
docker: | ||
if: github.repository_owner == '0xERR0R' | ||
name: Build Docker image | ||
runs-on: ubuntu-latest | ||
needs: check | ||
if: ${{ needs.check.outputs.enabled == 1 }} | ||
outputs: | ||
repository: ${{ steps.get_vars.outputs.repository }} | ||
branch: ${{ steps.get_vars.outputs.branch }} | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v1 | ||
uses: docker/setup-qemu-action@v2 | ||
with: | ||
platforms: arm,arm64 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
uses: docker/setup-buildx-action@v2 | ||
|
||
- name: Get registry token | ||
id: get_token | ||
shell: bash | ||
run: | | ||
if [ "${{ secrets.CR_PAT }}" ]; then | ||
echo "token=${{ secrets.CR_PAT }}" >> $GITHUB_OUTPUT | ||
else | ||
echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT | ||
fi | ||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v1 | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.CR_PAT }} | ||
password: ${{ steps.get_token.outputs.token }} | ||
|
||
- name: Login to DockerHub | ||
uses: docker/login-action@v1 | ||
if: github.repository_owner == '0xERR0R' | ||
uses: docker/login-action@v2 | ||
with: | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
- name: Extract branch name | ||
|
||
- name: Populate build variables | ||
id: get_vars | ||
shell: bash | ||
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" | ||
id: extract_branch | ||
run: | | ||
REPOSITORY=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]') | ||
echo "repository=${REPOSITORY}" >> $GITHUB_OUTPUT | ||
echo "REPOSITORY: ${REPOSITORY}" | ||
BRANCH=${GITHUB_REF#refs/heads/} | ||
echo "branch=${BRANCH}" >> $GITHUB_OUTPUT | ||
echo "Branch: ${BRANCH}" | ||
VERSION=$(git describe --always --tags) | ||
echo "version=${VERSION}" >> $GITHUB_OUTPUT | ||
echo "VERSION: ${VERSION}" | ||
BUILD_TIME=$(date ' %Y%m%d-%H%M%S') | ||
echo "build_time=${BUILD_TIME}" >> $GITHUB_OUTPUT | ||
echo "BUILD_TIME: ${BUILD_TIME}" | ||
TAGS="ghcr.io/${REPOSITORY}:${BRANCH}" | ||
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then | ||
TAGS="${TAGS} , spx01/blocky:${BRANCH}" | ||
fi | ||
echo "tags=${TAGS}" >> $GITHUB_OUTPUT | ||
echo "TAGS: ${TAGS}" | ||
- name: Build and push | ||
uses: docker/build-push-action@v2 | ||
uses: docker/build-push-action@v3 | ||
with: | ||
context: . | ||
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64 | ||
push: true | ||
tags: | | ||
ghcr.io/0xerr0r/blocky:${{ steps.extract_branch.outputs.branch }} | ||
spx01/blocky:${{ steps.extract_branch.outputs.branch }} | ||
- name: Scan image | ||
uses: anchore/scan-action@v3 | ||
id: scan | ||
with: | ||
image: "spx01/blocky:${{ steps.extract_branch.outputs.branch }}" | ||
fail-build: false | ||
acs-report-enable: true | ||
- name: upload Anchore scan SARIF report | ||
uses: github/codeql-action/upload-sarif@v1 | ||
with: | ||
sarif_file: ${{ steps.scan.outputs.sarif }} | ||
tags: ${{ steps.get_vars.outputs.tags }} | ||
build-args: | | ||
VERSION=${{ steps.get_vars.outputs.version }} | ||
BUILD_TIME=${{ steps.get_vars.outputs.build_time }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
|
||
repo-scan: | ||
name: Repo vulnerability scan | ||
runs-on: ubuntu-latest | ||
needs: check | ||
if: needs.check.outputs.enabled == 1 | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Run Trivy vulnerability scanner in repo mode | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
scan-type: 'fs' | ||
ignore-unfixed: true | ||
format: 'sarif' | ||
output: 'trivy-repo-results.sarif' | ||
severity: 'CRITICAL' | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: 'trivy-repo-results.sarif' | ||
|
||
image-scan: | ||
name: Image vulnerability scan | ||
runs-on: ubuntu-latest | ||
needs: docker | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Run Trivy vulnerability scanner on Docker image | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: 'ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }}' | ||
format: 'sarif' | ||
output: 'trivy-image-results.sarif' | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: 'trivy-image-results.sarif' | ||
|
||
image-test: | ||
name: Test docker images | ||
runs-on: ubuntu-latest | ||
needs: docker | ||
steps: | ||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v2 | ||
with: | ||
platforms: arm,arm64 | ||
|
||
- name: Test images | ||
shell: bash | ||
run: | | ||
echo '::group::Version for linux/amd64' | ||
docker run --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | ||
echo '::endgroup::' | ||
echo '::group::Version for linux/arm/v6' | ||
docker run --platform linux/arm/v6 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | ||
echo '::endgroup::' | ||
echo '::group::Version for linux/arm/v7' | ||
docker run --platform linux/arm/v7 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | ||
echo '::endgroup::' | ||
echo '::group::Version for linux/arm64' | ||
docker run --platform linux/arm64 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version | ||
echo '::endgroup::' |
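Review bot: `aquasecurity/trivy-action@master`, used in both `repo-scan` and `image-scan`, tracks a branch head rather than a release, so whatever lands on that branch runs inside a workflow that holds `packages: write` and `security-events: write`; pin it to a tagged release or, better, a commit SHA. Three smaller points. First, the `get_token` step copies `secrets.CR_PAT` or `secrets.GITHUB_TOKEN` into a step output with `echo "token=..." >> $GITHUB_OUTPUT`; the same fallback can be expressed directly in the login step as `password: ${{ secrets.CR_PAT || secrets.GITHUB_TOKEN }}`, which keeps the credential out of the shell and out of step outputs. Second, the workflow-level `permissions:` block grants `packages: write` to every job, including `check`, `repo-scan`, `image-scan` and `image-test`, which only ever read; move `packages: write` under the `docker` job and leave the others with `contents: read`. Third, `image-scan` runs after `push: true`, so a Trivy finding is reported against an image that is already published under the branch tag; if the scan is meant to gate publication, scan the locally built image before pushing. Also note that `repo-scan` filters to `severity: 'CRITICAL'` with `ignore-unfixed: true` while `image-scan` has no severity filter at all, which is probably intentional but should be stated in the commit message.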