fix: remove tag triggers from CI workflow and fix snapshot version te… #68
name: CI

# Only branch pushes and pull requests start this workflow; there is no
# `tags:` trigger, so `github.ref` is never `refs/tags/*` in any job below.
on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop

env:
  GO_VERSION: "1.24"
  GOLANGCI_LINT_VERSION: "v2.2.1"

# Default GITHUB_TOKEN scope for jobs that do not declare their own
# `permissions` block (a job-level block replaces this one, it does not
# extend it). `security-events: write` and `actions: read` are consumed only
# by the SARIF uploads in the security-scan job; granting them here hands the
# same scope to lint/test/docs as well, so they are better declared on that
# job and the workflow default reduced to `contents: read`.
permissions:
  contents: read
  security-events: write
  actions: read
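jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      # `go mod tidy` rewrites go.mod/go.sum in the runner's checkout. Without
      # the diff check a drifted module graph is silently tidied and linted
      # against a copy that never gets committed; with it, drift fails the job.
      - name: Check go.mod/go.sum are tidy
        run: |
          go mod tidy
          git diff --exit-code -- go.mod go.sum
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v8
        with:
          version: ${{ env.GOLANGCI_LINT_VERSION }}
      # gofmt is run once and the list reused so the failure output matches
      # exactly what was checked.
      - name: Check code formatting
        run: |
          unformatted="$(gofmt -l .)"
          if [ -n "$unformatted" ]; then
            echo "The following files need formatting:"
            echo "$unformatted"
            exit 1
          fi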
  test:
    name: Test
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Literal value; keep it in step with GO_VERSION above.
        go-version: ["1.24"]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
          cache: true
      - name: Download dependencies
        run: go mod download
      # `@latest` resolves to whichever gotestsum version is current at run
      # time, so the test runner is neither reproducible nor reviewable.
      # Pin it to a released version (e.g. as a tool dependency in go.mod)
      # for the same reason the actions in this job are version-pinned.
      - name: Install gotestsum
        run: go install gotest.tools/gotestsum@latest
      - name: Run tests
        run: |
          gotestsum --junitfile junit.xml --format testname -- -v -cover -coverprofile=coverage.out ./internal/...
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: test-results
          path: junit.xml
      # Uploaded only from the matrix entry matching GO_VERSION so coverage is
      # reported once. NOTE(review): repository secrets are not exposed to
      # pull requests from forks, so CODECOV_TOKEN would be empty there and
      # `fail_ci_if_error: true` may turn that into a red check on external
      # PRs — confirm whether a token-less upload is expected to succeed.
      - name: Upload coverage reports
        uses: codecov/codecov-action@v5
        if: matrix.go-version == env.GO_VERSION
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: Trozz/terraform-provider-pocketid
          files: ./coverage.out,./junit.xml
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: true
          verbose: true
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| attestations: write | |
| strategy: | |
| matrix: | |
| include: | |
| - os: linux | |
| arch: amd64 | |
| - os: linux | |
| arch: arm64 | |
| - os: darwin | |
| arch: amd64 | |
| - os: darwin | |
| arch: arm64 | |
| - os: windows | |
| arch: amd64 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Build binary | |
| env: | |
| GOOS: ${{ matrix.os }} | |
| GOARCH: ${{ matrix.arch }} | |
| run: | | |
| output="terraform-provider-pocketid_${{ matrix.os }}_${{ matrix.arch }}" | |
| if [ "${{ matrix.os }}" = "windows" ]; then | |
| output="${output}.exe" | |
| fi | |
| go build -o "$output" -ldflags "-X main.version=${{ github.ref_name }}" . | |
| - name: Generate build provenance attestations | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: | | |
| terraform-provider-pocketid* | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: terraform-provider-pocketid_${{ matrix.os }}_${{ matrix.arch }} | |
| path: terraform-provider-pocketid* | |
| # Acceptance tests are not run in CI because Pocket-ID requires: | |
| # 1. Manual passkey registration through the UI | |
| # 2. Manual API key generation through the UI | |
| # 3. No programmatic way to bootstrap an instance | |
| # | |
| # To run acceptance tests locally: | |
| # 1. Start a Pocket-ID instance | |
| # 2. Register a user with a passkey | |
| # 3. Generate an API key | |
| # 4. Set POCKETID_BASE_URL and POCKETID_API_TOKEN | |
| # 5. Run: make test-acc | |
| docs: | |
| name: Documentation | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Install tfplugindocs | |
| run: go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest | |
| - name: Generate documentation | |
| run: tfplugindocs generate --provider-name=pocketid | |
| - name: Check for uncommitted changes | |
| run: | | |
| if [[ -n $(git status -s) ]]; then | |
| echo "Documentation is out of date. Please run 'make docs' and commit the changes." | |
| git diff | |
| exit 1 | |
| fi | |
| pre-release: | |
| name: Pre-release | |
| runs-on: ubuntu-latest | |
| needs: [lint, test, build] | |
| if: github.ref == 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Import GPG key | |
| id: import_gpg | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Generate snapshot version | |
| id: version | |
| run: | | |
| # Get the latest tag | |
| LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") | |
| echo "Latest tag: ${LATEST_TAG}" | |
| # Remove 'v' prefix | |
| VERSION=${LATEST_TAG#v} | |
| echo "Version without prefix: ${VERSION}" | |
| # Parse version components | |
| IFS='.' read -r major minor patch <<< "$VERSION" | |
| echo "Version components: major=${major}, minor=${minor}, patch=${patch}" | |
| # Generate new version | |
| NEW_VERSION="${major}.${minor}.$((patch + 1))-dev.$(date +%Y%m%d%H%M%S)+$(git rev-parse --short HEAD)" | |
| echo "Pre-release version: ${NEW_VERSION}" | |
| echo "version=${NEW_VERSION}" >> $GITHUB_OUTPUT | |
| - name: Run GoReleaser (snapshot) | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| version: latest | |
| args: release --snapshot --skip=sign --clean --skip=validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GORELEASER_CURRENT_TAG: "v${{ steps.version.outputs.version }}" | |
| - name: Generate pre-release attestations | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: | | |
| dist/*.zip | |
| dist/*_checksums.txt | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: pre-release-artifacts | |
| path: dist/* | |
| - name: Create GitHub pre-release | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| name: "Development Build v${{ steps.version.outputs.version }}" | |
| tag_name: "v${{ steps.version.outputs.version }}" | |
| prerelease: true | |
| draft: false | |
| files: | | |
| dist/*.zip | |
| dist/*_checksums.txt | |
| body: | | |
| ## Development Build | |
| This is an automated development build from commit ${{ github.sha }}. | |
| **⚠️ This is a pre-release version and should not be used in production.** | |
| ### Commit Information | |
| - SHA: ${{ github.sha }} | |
| - Author: ${{ github.actor }} | |
| - Message: ${{ github.event.head_commit.message }} | |
| ### Installation | |
| Download the appropriate archive for your platform and extract the provider binary. | |
| cleanup-prereleases: | |
| name: Cleanup Old Pre-releases | |
| runs-on: ubuntu-latest | |
| needs: [pre-release] | |
| if: github.ref == 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Cleanup old pre-releases | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const { owner, repo } = context.repo; | |
| // Get all releases | |
| const releases = await github.rest.repos.listReleases({ | |
| owner, | |
| repo, | |
| per_page: 100 | |
| }); | |
| // Filter pre-releases with dev versions | |
| const preReleases = releases.data | |
| .filter(release => release.prerelease && release.tag_name.includes('-dev.')) | |
| .sort((a, b) => new Date(b.created_at) - new Date(a.created_at)); | |
| // Keep the latest 5 pre-releases | |
| const toDelete = preReleases.slice(5); | |
| console.log(`Found ${preReleases.length} pre-releases, will delete ${toDelete.length}`); | |
| // Delete old pre-releases | |
| for (const release of toDelete) { | |
| console.log(`Deleting pre-release: ${release.tag_name}`); | |
| // Delete the release | |
| await github.rest.repos.deleteRelease({ | |
| owner, | |
| repo, | |
| release_id: release.id | |
| }); | |
| // Delete the tag | |
| try { | |
| await github.rest.git.deleteRef({ | |
| owner, | |
| repo, | |
| ref: `tags/${release.tag_name}` | |
| }); | |
| } catch (error) { | |
| console.log(`Failed to delete tag ${release.tag_name}: ${error.message}`); | |
| } | |
| } | |
  # NOTE(review): this workflow has no `tags:` trigger, so `github.ref` never
  # starts with `refs/tags/` here and this job can never run from this file.
  # If tagged releases are built by a separate workflow, delete this copy
  # rather than keeping an unreachable job that still references the GPG
  # signing secrets; if they are not, the tag trigger has to be restored.
  release:
    name: Release
    runs-on: ubuntu-latest
    needs: [lint, test, build]
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: write
      id-token: write
      attestations: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      # The imported key's fingerprint is handed to GoReleaser below so the
      # release artifacts are signed with it.
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      # NOTE(review): `version: latest` resolves GoReleaser at run time; pin it
      # so a signed release is built with a known tool version.
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
      - name: Generate release attestations
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: |
            dist/*.zip
            dist/*_checksums.txt
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: "fs" | |
| scan-ref: "." | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Run gosec security scanner | |
| uses: securego/gosec@master | |
| with: | |
| args: "-fmt sarif -out gosec-results.sarif ./..." | |
| - name: Upload gosec results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "gosec-results.sarif" |