Skip to content
build

Lineage pull request for: skeleton #768

Sign in to view logs

Lineage pull request for: skeleton

Lineage pull request for: skeleton #768

Workflow file for this run

.github/workflows/build.yml at ca84384
---
name: build
on: # yamllint disable-line rule:truthy
merge_group:
types:
- checks_requested
pull_request:
push:
repository_dispatch:
types:
- apb
# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
run:
shell: bash -Eueo pipefail -x {0}
env:
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
RUN_TMATE: ${{ secrets.RUN_TMATE }}
TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
TERRAFORM_DOCS_REPO_DEPTH: 1
TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- name: Apply standard cisagov job preamble
uses: cisagov/action-job-preamble@v1
with:
check_github_status: "true"
# This functionality is poorly implemented and has been
# causing problems due to the MITM implementation hogging or
# leaking memory. As a result we disable it by default. If
# you want to temporarily enable it, simply set
# monitor_permissions equal to "true".
#
# TODO: Re-enable this functionality when practical. See
# cisagov/skeleton-generic#207 for more details.
monitor_permissions: "false"
output_workflow_context: "true"
# Use a variable to specify the permissions monitoring
# configuration. By default this will yield the
# configuration stored in the cisagov organization-level
# variable, but if you want to use a different configuration
# then simply:
# 1. Create a repository-level variable with the name
# ACTIONS_PERMISSIONS_CONFIG.
# 2. Set this new variable's value to the configuration you
# want to use for this repository.
#
# Note in particular that changing the permissions
# monitoring configuration *does not* require you to modify
# this workflow.
permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
lint:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
steps:
- name: Apply standard cisagov job preamble
uses: cisagov/action-job-preamble@v1
with:
# This functionality is poorly implemented and has been
# causing problems due to the MITM implementation hogging or
# leaking memory. As a result we disable it by default. If
# you want to temporarily enable it, simply set
# monitor_permissions equal to "true".
#
# TODO: Re-enable this functionality when practical. See
# cisagov/skeleton-generic#207 for more details.
monitor_permissions: "false"
# Use a variable to specify the permissions monitoring
# configuration. By default this will yield the
# configuration stored in the cisagov organization-level
# variable, but if you want to use a different configuration
# then simply:
# 1. Create a repository-level variable with the name
# ACTIONS_PERMISSIONS_CONFIG.
# 2. Set this new variable's value to the configuration you
# want to use for this repository.
#
# Note in particular that changing the permissions
# monitoring configuration *does not* require you to modify
# this workflow.
permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ steps.setup-env.outputs.python-version }}
# We need the Go version and Go cache location for the actions/cache step,
# so the Go installation must happen before that.
- id: setup-go
uses: actions/setup-go@v5
with:
# There is no expectation for actual Go code so we disable caching as
# it relies on the existence of a go.sum file.
cache: false
go-version: ${{ steps.setup-env.outputs.go-version }}
- id: go-cache
name: Lookup Go cache directory
run: |
echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
- uses: actions/cache@v4
env:
BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
go${{ steps.setup-go.outputs.go-version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf${{ steps.setup-env.outputs.terraform-version }}-
with:
key: ${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('**/.pre-commit-config.yaml') }}
# Note that the .terraform directory IS NOT included in the
# cache because if we were caching, then we would need to use
# the `-upgrade=true` option. This option blindly pulls down the
# latest modules and providers instead of checking to see if an
# update is required. That behavior defeats the benefits of caching.
# so there is no point in doing it for the .terraform directory.
path: |
${{ env.PIP_CACHE_DIR }}
${{ env.PRE_COMMIT_CACHE_DIR }}
${{ steps.go-cache.outputs.dir }}
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- uses: hashicorp/setup-packer@v3
with:
version: ${{ steps.setup-env.outputs.packer-version }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install go-critic
env:
PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install goimports
env:
PACKAGE_URL: golang.org/x/tools/cmd/goimports
PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install gosec
env:
PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install staticcheck
env:
PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
# TODO: https://github.com/cisagov/skeleton-generic/issues/165
# We are temporarily using @mcdonnnj's forked branch of terraform-docs
# until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
# is approved. This temporary fix will allow for ATX header support when
# terraform-docs is run during linting.
- name: Clone ATX headers branch from terraform-docs fork
run: |
git clone \
--branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
--depth $TERRAFORM_DOCS_REPO_DEPTH \
--single-branch \
$TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs
- name: Build and install terraform-docs binary
run: |
go build \
-C /tmp/terraform-docs \
-o $(go env GOPATH)/bin/terraform-docs
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade --requirement requirements-test.txt
- name: Set up pre-commit hook environments
run: pre-commit install-hooks
- name: Run pre-commit on all files
run: pre-commit run --all-files
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE