agents/.github/workflows/ci.yaml at master · BH4AWS/agents · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: CI

on:
  push:
    branches:
      - master
      - release-*
  pull_request: { }
  workflow_dispatch: { }

# Declare default permissions as read only.
permissions: read-all

env:
  # Common versions
  GO_VERSION: '1.24'
  GOLANGCI_VERSION: 'v2.1'
  DOCKER_BUILDX_VERSION: 'v0.4.2'

  # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
  # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  DOCKER_USR: ${{ secrets.DOCKER_USR }}
  AWS_USR: ${{ secrets.AWS_USR }}

jobs:
  typos-check:
    name: Spell Check with Typos
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Actions Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check spelling with custom config file
        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0
        with:
          config: ./typos.toml

  golangci-lint:
    runs-on: ubuntu-24.04
    permissions:
      security-events: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true
      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Cache Go Dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-go-
      - name: Code generate
        run: |
          make generate
      - name: Lint golang code
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: ${{ env.GOLANGCI_VERSION }}
          args: --verbose
          skip-pkg-cache: true
          mod: readonly
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: 'trivy-results.sarif'

  unit-tests:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true
      - name: Fetch History
        run: git fetch --prune --unshallow
      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Cache Go Dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-go-
      - name: Run Unit Tests
        run: |
          make test
          git status
      - name: Publish Unit Test Coverage
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          flags: unittests
          file: cover.out