TryBot #19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Code generated internal/ci/base/write.cue; DO NOT EDIT. | |
| name: TryBot | |
| "on": | |
| push: | |
| branches: | |
| - ci/test | |
| - main | |
| tags-ignore: | |
| - v* | |
| pull_request: {} | |
| schedule: | |
| - cron: 0 2 * * * | |
| workflow_dispatch: {} | |
| jobs: | |
| verify: | |
| defaults: | |
| run: | |
| shell: bash --noprofile --norc -euo pipefail {0} | |
| runs-on: namespace-profile-linux-amd64 | |
| needs: test | |
| permissions: | |
| actions: read | |
| steps: | |
| - name: Check logs for leak | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TARGET_JOB_NAME: test | |
| EXPECTED_MASKED_STRING: 'The secret is: <***>' | |
| run: |- | |
| # 1. Get the specific Job ID of the 'test' job | |
| JOB_ID=$(gh api "/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/jobs" \ | |
| --jq ".jobs[] | select(.name == \"$TARGET_JOB_NAME\") | .id" | head -n 1) | |
| if [ -z "$JOB_ID" ]; then | |
| echo "❌ Error: Could not find a job named '$TARGET_JOB_NAME'" | |
| echo "Available jobs:" | |
| gh api "/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/jobs" --jq '.jobs[].name' | |
| exit 1 | |
| fi | |
| echo "✅ Found Job ID: $JOB_ID" | |
| # 2. Download the log for that job | |
| gh api "/repos/${{ github.repository }}/actions/jobs/$JOB_ID/logs" > full_logs.txt | |
| # 3. Grep the logs for the expected masked string. | |
| if grep -Fq "$EXPECTED_MASKED_STRING" full_logs.txt; then | |
| echo "✅ PASS: Found expected masked log line: '$EXPECTED_MASKED_STRING'" | |
| else | |
| echo "❌ FAIL: Could not find the masked log line. Did the job run?" | |
| exit 1 | |
| fi | |
| test: | |
| defaults: | |
| run: | |
| shell: bash --noprofile --norc -euo pipefail {0} | |
| runs-on: namespace-profile-linux-amd64 | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| - name: Reset git directory modification times | |
| run: touch -t 202211302355 $(find * -type d) | |
| - name: Restore git file modification times | |
| uses: chetan/git-restore-mtime-action@cbf8161ddb4e9b162409104954fb540e8a38c1da | |
| - id: DispatchTrailer | |
| name: Try to extract Dispatch-Trailer | |
| run: |- | |
| x="$(git log -1 --pretty='%(trailers:key=Dispatch-Trailer,valueonly)')" | |
| if [[ "$x" == "" ]] | |
| then | |
| # Some steps rely on the presence or otherwise of the Dispatch-Trailer. | |
| # We know that we don't have a Dispatch-Trailer in this situation, | |
| # hence we use the JSON value null in order to represent that state. | |
| # This means that GitHub expressions can determine whether a Dispatch-Trailer | |
| # is present or not by checking whether the fromJSON() result of the | |
| # output from this step is the JSON value null or not. | |
| x=null | |
| fi | |
| echo "value<<EOD" >> $GITHUB_OUTPUT | |
| echo "$x" >> $GITHUB_OUTPUT | |
| echo "EOD" >> $GITHUB_OUTPUT | |
| - if: |- | |
| ((github.ref == 'refs/heads/main') && (! (contains(github.event.head_commit.message, ' | |
| Dispatch-Trailer: {"type":"')))) && (contains(github.event.head_commit.message, ' | |
| Dispatch-Trailer: {"type":"')) | |
| name: Check we don't have Dispatch-Trailer on a protected branch | |
| run: |- | |
| echo "github.event.head_commit.message contains Dispatch-Trailer but we are on a protected branch" | |
| false | |
| - name: Install CUE | |
| uses: cue-lang/setup-cue@v1.0.1 | |
| with: | |
| version: latest | |
| - name: Install Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| cache: false | |
| go-version: 1.25.x | |
| - name: Set common go env vars | |
| run: |- | |
| case $(go env GOARCH) in | |
| amd64) go env -w GOAMD64=v3 ;; # 2013 and later; makes `go test -race` 15% faster | |
| arm64) go env -w GOARM64=v8.6 ;; # Apple M2 and later | |
| esac | |
| # Dump env for good measure | |
| go env | |
| - if: github.event_name != 'schedule' && matrix.runner != 'ns-windows-amd64' | |
| uses: namespacelabs/nscloud-cache-action@v1 | |
| with: | |
| cache: go | |
| - if: |- | |
| github.repository == 'cue-labs/registry-login-action' && (((github.ref == 'refs/heads/main') && (! (contains(github.event.head_commit.message, ' | |
| Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) | |
| run: go env -w GOFLAGS=-count=1 | |
| - name: Verify | |
| run: go mod verify | |
| - name: Generate | |
| run: go generate ./... | |
| - name: Test | |
| run: go test ./... | |
| - name: Race test | |
| run: go test -race ./... | |
| - run: |- | |
| go mod tidy -diff | |
| go vet ./... | |
| - if: always() | |
| name: Check that git is clean at the end of the job | |
| run: test -z "$(git status --porcelain)" || (git status; git diff; false) | |
| - name: Login to CUE Central Registry | |
| id: login | |
| uses: ./ | |
| - name: Use Central Registry | |
| run: cue eval cue.dev/x/githubactions@latest | |
| - name: Ensure the access token is masked | |
| run: 'echo "The secret is: <${{ steps.login.outputs.access_token }}>"' |