Nightly #175
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Nightly | |
| on: | |
| workflow_dispatch: {} # Allow for manual triggers | |
| schedule: | |
| - cron: '0 8 * * 0-4' # Sun-Thu, at 8:00 UTC | |
| permissions: | |
| contents: read | |
| jobs: | |
| race-detector: | |
| name: Go Race Detector | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Test with Race Detector | |
| run: CGO_ENABLED=1 make ci-go-race-detector | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow | |
| native-fuzzer: | |
| name: Go Fuzzer (native) | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - id: go_version | |
| name: Read go version | |
| run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT | |
| - name: Install Go (${{ steps.go_version.outputs.go_version }}) | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ steps.go_version.outputs.go_version }} | |
| - name: go test -fuzz | |
| run: go test ./ast -fuzz FuzzParseStatementsAndCompileModules -fuzztime 1h -v -run '^$' | |
| - name: Dump crashers | |
| if: ${{ failure() }} | |
| run: find ast/testdata/fuzz ! -name '*.stmt' ! -type d -print -exec cat {} \; | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow | |
| go-perf: | |
| name: Go Perf | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Benchmark Test Golang | |
| run: make ci-go-perf | |
| timeout-minutes: 45 | |
| env: | |
| DOCKER_RUNNING: 0 | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow | |
| go-proxy-check: | |
| name: Go mod check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Vendor without proxy | |
| run: make check-go-module | |
| timeout-minutes: 30 | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow | |
| trivy-scan-image: | |
| name: Trivy security scan image | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout code # needed for .trivyignore file | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - run: "docker pull openpolicyagent/opa:edge-static" | |
| # Equivalent to: | |
| # $ trivy image openpolicyagent/opa:edge-static | |
| - name: Run Trivy scan on image | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| with: | |
| image-ref: 'openpolicyagent/opa:edge-static' | |
| format: table | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: os,library | |
| severity: CRITICAL,HIGH | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow | |
| trivy-scan-repo: | |
| name: Trivy security scan repo | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| # Equivalent to: | |
| # $ trivy fs . | |
| - name: Run Trivy scan on repo | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| with: | |
| scan-type: fs | |
| format: table | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| skip-dirs: vendor/,internal/gqlparser/validator/imported/ | |
| severity: CRITICAL,HIGH | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow | |
| govulncheck: | |
| name: Go vulnerability check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - id: go_version | |
| name: Read go version | |
| run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT | |
| - name: Install Go (${{ steps.go_version.outputs.go_version }}) | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ steps.go_version.outputs.go_version }} | |
| - run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - run: govulncheck ./... | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} | |
| if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,workflow |