Skip to content
CI

CI #369

Sign in to view logs

CI

CI #369

Workflow file for this run

.github/workflows/ci.yml at 6db005a
name: CI
on:
push:
branches: [ main, 'release-please--branches--main' ]
pull_request:
workflow_run:
workflows: ["Auto Format"]
types:
- completed
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
test:
name: Test
runs-on: ubuntu-latest
if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
sha: ${{ github.event.workflow_run.head_sha || github.sha }}
- name: Set up Go 1.25
uses: actions/setup-go@v6
with:
go-version: '1.25'
- name: Install dependencies
run: go mod download
- name: Run tests
run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
with:
files: ./coverage.txt
flags: unittests
name: codecov-umbrella
lint:
name: Lint
runs-on: ubuntu-latest
if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
sha: ${{ github.event.workflow_run.head_sha || github.sha }}
- name: Run linting using Makefile
run: make lint-only
build:
name: Build
runs-on: ubuntu-latest
needs: [test]
if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
sha: ${{ github.event.workflow_run.head_sha || github.sha }}
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: '1.25'
- name: Build
run: |
go build -v -ldflags="-s -w" -o ghcr-exporter ./cmd
- name: Upload build artifacts
uses: actions/upload-artifact@v5
with:
name: ghcr-exporter
path: ghcr-exporter
retention-days: 30
security:
name: Security Scan
runs-on: ubuntu-latest
if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
sha: ${{ github.event.workflow_run.head_sha || github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH'
check-build-needed:
name: Check if build is needed
runs-on: ubuntu-latest
needs: [test]
if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
outputs:
should-build: ${{ steps.check.outputs.should-build }}
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
sha: ${{ github.event.workflow_run.head_sha || github.sha }}
- name: Check if build should be skipped
id: check
run: |
# Only check for push and workflow_run events (dev-build only runs on these)
if [ "${{ github.event_name }}" != "push" ] && [ "${{ github.event_name }}" != "workflow_run" ]; then
echo "should-build=false" >> $GITHUB_OUTPUT
exit 0
fi
# Get the current commit SHA
CURRENT_SHA="${{ github.event.workflow_run.head_sha || github.sha }}"
# Get commit message from git log (works for both push and workflow_run)
COMMIT_MSG=$(git log -1 --format="%s" "$CURRENT_SHA" 2>/dev/null || echo "")
echo "Checking commit: $CURRENT_SHA"
echo "Commit message: $COMMIT_MSG"
# Check if it's a release commit (pattern: "chore(main): release" or similar)
if echo "$COMMIT_MSG" | grep -qiE "^(chore|release|version).*(release|version|changelog)"; then
echo "Skip reason: Release commit detected"
echo "should-build=false" >> $GITHUB_OUTPUT
exit 0
fi
# For push events, check changed files against base branch
if [ "${{ github.event_name }}" = "push" ]; then
# Get the base commit (previous commit for single commits, or base of range)
BASE_SHA="${{ github.event.before }}"
HEAD_SHA="${{ github.event.after }}"
if [ -z "$BASE_SHA" ] || [ "$BASE_SHA" = "0000000000000000000000000000000000000000" ]; then
# Initial commit or no base, check all files
CHANGED_FILES=$(git ls-tree -r --name-only HEAD)
else
# Get list of changed files
CHANGED_FILES=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
fi
else
# For workflow_run events, we need to compare against main branch
BASE_SHA="origin/main"
HEAD_SHA="$CURRENT_SHA"
git fetch origin main || true
CHANGED_FILES=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA" 2>/dev/null || git diff --name-only HEAD~1 HEAD)
fi
if [ -z "$CHANGED_FILES" ]; then
echo "No changed files detected, skipping build"
echo "should-build=false" >> $GITHUB_OUTPUT
exit 0
fi
# Documentation file patterns to ignore
DOC_PATTERNS="^README\.md$|^CHANGELOG\.md$|^docs/|\.md$|^LICENSE"
# Check if all changed files are documentation
NON_DOC_FILES=$(echo "$CHANGED_FILES" | grep -vE "$DOC_PATTERNS" || true)
if [ -z "$NON_DOC_FILES" ]; then
echo "Skip reason: Only documentation files changed"
echo "Changed files:"
echo "$CHANGED_FILES" | sed 's/^/ - /'
echo "should-build=false" >> $GITHUB_OUTPUT
else
echo "Build needed: Non-documentation files changed"
echo "Non-doc files:"
echo "$NON_DOC_FILES" | sed 's/^/ - /'
echo "should-build=true" >> $GITHUB_OUTPUT
fi
dev-build:
name: Development Build
runs-on: ubuntu-latest
needs: [test, check-build-needed]
if: needs.check-build-needed.outputs.should-build == 'true'
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.workflow_run.head_branch || github.ref }}
sha: ${{ github.event.workflow_run.head_sha || github.sha }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate dev tag
id: meta
run: |
# Create a semver-compatible dev tag with commits since last release and commit SHA
SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
# Get the last release tag (excluding pre-release tags)
LAST_TAG=$(git describe --tags --abbrev=0 --match="v[0-9]*.[0-9]*.[0-9]*" 2>/dev/null || echo "")
if [ -z "$LAST_TAG" ]; then
# No release tags found, use 0.0.0 and count all commits
VERSION="0.0.0"
COMMIT_COUNT=$(git rev-list --count HEAD)
else
# Extract version from tag (remove 'v' prefix)
VERSION=${LAST_TAG#v}
# Count commits since last release
COMMIT_COUNT=$(git rev-list --count ${LAST_TAG}..HEAD)
fi
DEV_TAG="v${VERSION}-dev.${COMMIT_COUNT}.${SHORT_SHA}"
echo "dev_tag=${DEV_TAG}" >> $GITHUB_OUTPUT
echo "Last release tag: ${LAST_TAG:-'none'}"
echo "Base version: ${VERSION}"
echo "Commits since last release: ${COMMIT_COUNT}"
echo "Generated dev tag: ${DEV_TAG}"
- name: Extract metadata
id: docker_meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
${{ steps.meta.outputs.dev_tag }}
dev
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=min
build-args: |
VERSION=${{ steps.meta.outputs.dev_tag }}
COMMIT=${{ github.sha }}
BUILD_DATE=${{ github.event.head_commit.timestamp }}