Merge pull request #33 from esnet/develop/docs #69
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ['v*'] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| GO_VERSION: '1.26' | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libpcsclite-dev | |
| - name: Setup dev environment | |
| run: make dev | |
| - name: Check formatting | |
| run: | | |
| UNFORMATTED=$(gofmt -l .) | |
| if [ -n "$UNFORMATTED" ]; then | |
| echo "The following files are not properly formatted:" | |
| echo "$UNFORMATTED" | |
| exit 1 | |
| fi | |
| - name: Run staticcheck | |
| run: | | |
| go install honnef.co/go/tools/cmd/staticcheck@latest | |
| staticcheck ./... | |
| - name: Run go vet | |
| run: go vet ./... | |
| test: | |
| name: Run unit tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libpcsclite-dev | |
| - name: Run tests | |
| run: | | |
| make dev | |
| go test -v -race ./... | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libpcsclite-dev | |
| - name: Setup dev environment | |
| run: make dev | |
| - name: Run gosec | |
| run: | | |
| go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| gosec -exclude-dir .build -severity high ./... | |
| - name: Run govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| govulncheck -C ./externalcas ./... | |
| build: | |
| name: Build (${{ matrix.os }}_${{ matrix.arch }}) | |
| runs-on: ubuntu-latest | |
| needs: [lint, security-scan, test] | |
| strategy: | |
| matrix: | |
| include: | |
| - os: linux | |
| arch: amd64 | |
| goarch: amd64 | |
| - os: linux | |
| arch: arm64 | |
| goarch: arm64 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libpcsclite-dev pkg-config | |
| - name: Build binary | |
| env: | |
| GOOS: ${{ matrix.os }} | |
| GOARCH: ${{ matrix.goarch }} | |
| CGO_ENABLED: ${{ matrix.arch == 'arm64' && '0' || '1' }} | |
| MATRIX_OS: ${{ matrix.os }} | |
| MATRIX_ARCH: ${{ matrix.arch }} | |
| run: | | |
| make build | |
| mv step-ca "step-ca_${MATRIX_OS}_${MATRIX_ARCH}" | |
| echo "Built step-ca_${MATRIX_OS}_${MATRIX_ARCH}" | |
| - name: Upload binary artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: step-ca_${{ matrix.os }}_${{ matrix.arch }} | |
| path: step-ca_${{ matrix.os }}_${{ matrix.arch }} | |
| container-build-and-push: | |
| name: Build and Push Container | |
| runs-on: ubuntu-latest | |
| needs: [lint, security-scan, test] | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| permissions: | |
| contents: write | |
| id-token: write # required for keyless cosign signing via OIDC | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download all build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: dist | |
| pattern: step-ca_* | |
| merge-multiple: true | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Sign binaries | |
| run: | | |
| for bin in dist/step-ca_*; do | |
| cosign sign-blob --yes --bundle="${bin}.bundle" "$bin" | |
| done | |
| - name: Get version | |
| id: version | |
| run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| name: Release ${{ steps.version.outputs.VERSION }} | |
| generate_release_notes: true | |
| files: | | |
| dist/step-ca_* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |