ci: integrate pr-title-lint into ci #9
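# CI: proto and commitlint; fan-out Go (fmt, lint, unit-tests) || UI (ui-lint, ui-test);
# then build (gitops, gitops-server). On tag: image, chart, goreleaser.
#
# Flow: pr-title-lint (if PR; else skipped) -> conventional-commits (if !tag;
# runs when pr-title-lint success or skipped) -> proto (make proto, git diff)
# in parallel with ui-lint, ui-test. Then go-fmt, go-lint, go-unit-tests
# (need proto). Then build (make gitops, make gitops-server). Tag jobs
# (image, chart, goreleaser) need build.
# No make clean (each run is a fresh checkout).
#
# On tag (v*): build-push-gitops-server (provenance, SBOM, cosign), build-and-push-chart
# (cosign), goreleaser (binaries, cosign, brew for non-rc). Fork-friendly.
#
# NOTE(review): third-party actions are pinned inconsistently — the two PR-title
# actions are pinned to a commit SHA with a version comment, the rest are pinned
# to a mutable tag (v3/v4/v5/v6). Pinning every action to a full commit SHA
# removes the tag-retargeting risk; the SHAs are not recorded here, so this is
# left for the maintainers to resolve.
name: CI
on:
  push:
    branches: [main, feature/re-implement-workflows]
    tags: ["v*"]
  pull_request:
    branches: [main, feature/re-implement-workflows]
  workflow_dispatch:

# One run per workflow+ref; only PR runs are cancelled by a newer push, tag
# runs are allowed to complete.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Workflow-wide default is read-only; jobs that need more raise it individually.
permissions:
  contents: read
  pull-requests: read

env:
  # Not referenced by any job in this file.
  PYTHON_VERSION: "3.12"

jobs:
  # Runs only on pull_request events; on push/tag/dispatch it is skipped and
  # downstream jobs treat "skipped" as a pass.
  pr-title-lint:
    name: Validate PR title
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      pull-requests: write  # needed to post / delete the sticky comment
    steps:
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        id: lint_pr_title
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Post (or refresh) an explanatory comment when the title check failed.
      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        if: always() && (steps.lint_pr_title.outputs.error_message != null)
        with:
          header: pr-title-lint-error
          message: |
            Hey there and thank you for opening this pull request! :wave:
            We require pull request titles to follow the
            [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/)
            and it looks like your proposed title needs to be adjusted.
            We use the pull request title in automated release changelog updates, and would like our
            changelogs to look nice.
            Details:
            ```
            ${{ steps.lint_pr_title.outputs.error_message }}
            ```
      # Remove a stale comment once the title has been fixed.
      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        with:
          header: pr-title-lint-error
          delete: true

  # Skipped on tag pushes; otherwise runs whenever pr-title-lint passed or was skipped.
  conventional-commits:
    name: Conventional Commits
    needs: [pr-title-lint]
    runs-on: ubuntu-latest
    if: always() && (needs.pr-title-lint.result == 'success' || needs.pr-title-lint.result == 'skipped') && !startsWith(github.ref, 'refs/tags/')
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # commitlint needs the full history of the range
      - uses: wagoid/commitlint-github-action@v5

  # Regenerates protobuf code and fails if the checked-in output is stale.
  proto:
    name: Proto (generate + git diff)
    needs: [conventional-commits]
    if: always() && (needs.conventional-commits.result == 'success' || needs.conventional-commits.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install buf and add to PATH
        run: |
          go install github.com/bufbuild/buf/cmd/buf@v1.48.0
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      - run: make proto
      - run: git diff --no-ext-diff --exit-code

  go-fmt:
    name: Go fmt
    needs: [proto]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: make fmt

  go-lint:
    name: Go lint
    needs: [proto]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: make lint

  go-unit-tests:
    name: Go unit-tests
    needs: [proto]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: make unit-tests

  ui-lint:
    name: UI lint
    needs: [conventional-commits]
    if: always() && (needs.conventional-commits.result == 'success' || needs.conventional-commits.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: package.json
          cache: yarn
      - run: make node_modules
      - run: make ui-lint
      # Re-enable after workflow re-org when ui-audit errors are fixed
      - name: UI audit (skipped)
        if: false
        run: make ui-audit

  ui-test:
    name: UI test
    needs: [conventional-commits]
    if: always() && (needs.conventional-commits.result == 'success' || needs.conventional-commits.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: package.json
          cache: yarn
      - run: make node_modules
      - run: make ui-test

  # Gate for every release job: runs only when all lint/test jobs succeeded.
  build:
    name: Build (gitops, gitops-server)
    needs: [go-fmt, go-lint, go-unit-tests, ui-lint, ui-test]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: make gitops
      - run: make gitops-server

  # --- Tag-only: image, chart, goreleaser ---
  build-push-gitops-server:
    name: Build and push gitops-server image
    needs: [build]
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && needs.build.result == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push to ghcr.io
      id-token: write  # keyless cosign signing via OIDC
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Set build env
        # FLUX_VERSION is exported here but no later step in this job reads it;
        # presumably consumed via the Makefile/LDFLAGS — confirm before removing.
        run: |
          TAG_VER="${GITHUB_REF#refs/tags/v}"
          echo "LDFLAGS=$(make echo-ldflags CHART_VERSION=$TAG_VER)" >> "$GITHUB_ENV"
          echo "FLUX_VERSION=$(make echo-flux-version)" >> "$GITHUB_ENV"
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push gitops-server
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: gitops-server.dockerfile
          build-args: |
            LDFLAGS=${{ env.LDFLAGS }}
            GIT_COMMIT=${{ github.sha }}
          push: true
          provenance: "mode=max"
          sbom: true
          # NOTE(review): `latest` is moved by every v* tag, including pre-release
          # tags containing '-', while brew publishing below is guarded on
          # !contains(github.ref_name, '-'). Confirm that is intended.
          tags: |
            ghcr.io/${{ github.repository }}/gitops-server:${{ github.ref_name }}
            ghcr.io/${{ github.repository }}/gitops-server:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
      - name: Install cosign
        uses: sigstore/cosign-installer@v4
      - name: Keyless signing of image
        run: |
          cosign sign --yes ghcr.io/${{ github.repository }}/gitops-server@${{ steps.build.outputs.digest }}
      - name: Verify the image signing
        run: |
          # The default step shell is `bash -e` without pipefail, so a failing
          # `cosign verify` piped into jq would otherwise exit 0 and pass the step.
          set -o pipefail
          cosign verify ghcr.io/${{ github.repository }}/gitops-server@${{ steps.build.outputs.digest }} \
            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .

  build-and-push-chart:
    name: Build and push Helm chart
    needs: [build]
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && needs.build.result == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push chart to ghcr.io
      id-token: write  # keyless cosign signing via OIDC
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - uses: azure/setup-helm@v4
        with:
          version: "v3.17.0"
      - name: Helm registry login
        # Credentials reach the shell through env, not by expanding the secret
        # into the script text, so the token is never part of the script source.
        env:
          HELM_REGISTRY_USER: ${{ github.actor }}
          HELM_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$HELM_REGISTRY_PASSWORD" | helm registry login ghcr.io -u "$HELM_REGISTRY_USER" --password-stdin
      - name: Package and push chart
        id: push-chart
        # The digest is parsed from helm's output; the explicit check below fails
        # the step if helm push failed or its output format changed.
        run: |
          helm package charts/gitops-server -d /tmp
          CHART=$(ls /tmp/weave-gitops-*.tgz)
          helm push "$CHART" oci://ghcr.io/${{ github.repository_owner }} 2>&1 | tee /tmp/push.log
          CHART_DIGEST=$(awk '/Digest: /{print $2}' /tmp/push.log)
          [ -n "$CHART_DIGEST" ] || { echo "Could not parse digest from helm push"; cat /tmp/push.log; exit 1; }
          echo "digest=$CHART_DIGEST" >> "$GITHUB_OUTPUT"
      - name: Install cosign
        uses: sigstore/cosign-installer@v4
      - name: Keyless signing of chart
        run: |
          cosign sign --yes ghcr.io/${{ github.repository_owner }}/weave-gitops@${{ steps.push-chart.outputs.digest }}
      - name: Verify the chart signing
        run: |
          # See the image verification step: pipefail so a failed verify is not
          # masked by jq's exit status.
          set -o pipefail
          cosign verify ghcr.io/${{ github.repository_owner }}/weave-gitops@${{ steps.push-chart.outputs.digest }} \
            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .

  goreleaser:
    name: Goreleaser (gitops CLI)
    needs: [build]
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && needs.build.result == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: write  # goreleaser creates the GitHub release
      id-token: write  # keyless cosign signing via OIDC
    env:
      # Hard-coded here, whereas build-push-gitops-server derives it from
      # `make echo-flux-version`; keep the two in step.
      FLUX_VERSION: "2.7.2"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
          fetch-depth: 0  # goreleaser needs tags/history for the changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: fluxcd/flux2/action@4a15fa6a023259353ef750acf1c98fe88407d4d0
      - name: Set CHART_VERSION from tag
        run: echo "CHART_VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_ENV"
      # Brew publishing only for final releases (tag without a '-' pre-release suffix).
      - name: Include brew publishing
        if: "!contains(github.ref_name, '-')"
        run: cat .goreleaser.brew.yml >> .goreleaser.yml
      - name: Install cosign
        uses: sigstore/cosign-installer@v4
      - uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: "v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FLUX_VERSION: ${{ env.FLUX_VERSION }}
          CHART_VERSION: ${{ env.CHART_VERSION }}
          BRANCH: ${{ github.ref_name }}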