ci: pin GitHub Actions (with pinact) #26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Actions CI | |
| # This `name:` is used in the badge.svg rendering in the README.md. | |
| on: | |
| push: | |
| branches-ignore: | |
| - 'exp' | |
| - 'exp/*' | |
| - 'exp-*' | |
| - 'exp_*' | |
| - 'wip' | |
| - 'wip/*' | |
| - 'wip-*' | |
| - 'wip_*' | |
| pull_request: | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - go: 'stable' | |
| canonical: true | |
| - go: 'oldstable' | |
| canonical: false | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| id: checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| # We're not using release process or version stamping which needs Git History in this workflow. | |
| # Thus we do not need to set with.fetch-depth to 0. We can live with a shallow clone. | |
| with: | |
| # security posture improvement: | |
| persist-credentials: false | |
| - name: Set up Go | |
| id: go-setup | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: ${{ matrix.go }} | |
| - id: go-settings | |
| name: Export Go environment to Actions outputs | |
| run: | | |
| echo >> "$GITHUB_OUTPUT" "arch=$(go env GOARCH)" | |
| echo >> "$GITHUB_OUTPUT" "hostarch=$(go env GOHOSTARCH)" | |
| echo >> "$GITHUB_OUTPUT" "os=$(go env GOOS)" | |
| echo >> "$GITHUB_OUTPUT" "hostos=$(go env GOHOSTOS)" | |
| echo >> "$GITHUB_OUTPUT" "go-version=$(go env GOVERSION)" | |
| # Use with: | |
| # ${{ steps.go-settings.outputs.go-version }} | |
| # which will look like `go1.17.1` if matrix `1.17.x` matches `1.17.1`. | |
| # These are independent of how the matrix is setup, or if a matrix is even used. | |
| # We now rely upon actions/setup-go setting up the module download cache for us, | |
| # and do not bother with a build cache. | |
| - name: Download all Go dependencies | |
| id: go-dependencies | |
| # nb: `go mod download` is heavyweight and extends beyond the actual dependencies | |
| run: | | |
| go list all | |
| - name: Basic Go integrity checks | |
| id: go-integrity | |
| run: | | |
| t="$(gofmt -s -l .)" | |
| if [ ".$t" != "." ]; then printf 'gofmt would modify files:\n%s\n' "$t"; exit 1; fi | |
| go vet ./... | |
| t="$(go list -m -retracted -f '{{if .Retracted}}::error file=go.mod::{{.Path}} is retracted{{end}}' all)" | |
| if [ ".$t" != "." ]; then printf '%s\n' "$t"; exit 1; fi | |
| if: matrix.canonical | |
| # This doesn't actually invoke static checks unless in a pull-request | |
| # Leaving present-but-commented-out as an easy reference. | |
| # - name: Go static checks | |
| # uses: reviewdog/action-staticcheck@v1 | |
| # with: | |
| # filter_mode: nofilter | |
| # fail_on_error: true | |
| # if: matrix.canonical | |
| - name: Go build & test | |
| id: build | |
| run: | | |
| go build ./... | |
| go test -v -coverprofile=${{ runner.temp }}/profile.cov -coverpkg ./... ./... | |
| - name: Send coverage | |
| id: coverage | |
| uses: shogo82148/actions-goveralls@e6875f831db61e6abffbd8df91a2eb6cd24b46c9 # v1.9.1 | |
| with: | |
| path-to-profile: ${{ runner.temp }}/profile.cov | |
| flag-name: ${{ steps.go-settings.outputs.go-version }} | |
| parallel: true | |
| finish: | |
| needs: test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: coveralls.io completion notification | |
| id: coverage | |
| uses: shogo82148/actions-goveralls@e6875f831db61e6abffbd8df91a2eb6cd24b46c9 # v1.9.1 | |
| with: | |
| parallel-finished: true | |
| - name: Notify PT Slack | |
| id: slack | |
| uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3 | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_PT_AUTOBUILDS }} | |