Update #13
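---
# GitHub Actions workflow: build/test, lint, self-scan with DragonSec,
# publish release binaries, and build/push the Docker image.
#
# Token scoping: the workflow-level `permissions` block grants the GITHUB_TOKEN
# only `contents: read`; every scope not listed there is `none` for any job
# that does not declare its own `permissions`. Jobs that need more (SARIF
# upload, release-asset upload, ghcr.io push) request exactly the scopes they
# use, so a compromised step in one job cannot use a scope meant for another.
#
# NOTE(review): third-party actions are referenced by floating major tags
# (`@v4`, `@v5`, ...). Pinning each `uses:` to a full commit SHA (with the
# tag kept in a trailing comment) would remove the risk of a re-tagged
# release changing what runs here; the SHAs are not on this page, so they
# are deliberately not filled in.
name: CI/CD Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  release:
    types: [created]

# Least-privilege default for every job; elevated scopes are granted per job.
permissions:
  contents: read

jobs:
  # ============ BUILD & TEST ============
  build-test:
    name: Build & Test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'
          cache: true
      - name: Download dependencies
        run: go mod download
      - name: Run go vet
        run: go vet ./...
      - name: Run tests
        run: go test ./... -v -race -coverprofile=coverage.out -covermode=atomic
      - name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          file: ./coverage.out
      - name: Build binary
        run: make build

  # ============ LINT ============
  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
          cache: true
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v4
        with:
          # `latest` means lint results can change between runs without a
          # code change; pin a specific version if reproducible lint output
          # is wanted.
          version: latest

  # ============ SECURITY SCAN (Dogfooding - DragonSec scanning itself) ============
  security-scan:
    name: Security Scan (DragonSec)
    runs-on: ubuntu-latest
    needs: build-test
    permissions:
      contents: read
      security-events: write  # Required for SARIF upload
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
          cache: true
      - name: Build DragonSec
        run: make build
      - name: Scan with DragonSec (SARIF output)
        run: |
          ./bin/drogonsec scan . \
            --format sarif \
            --output drogonsec.sarif \
            --severity MEDIUM \
            --no-ai
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: drogonsec.sarif
        # Best-effort: on pull requests from forks the GITHUB_TOKEN is
        # read-only, so the upload cannot succeed there; keep the job green
        # rather than blocking the PR. Findings from pushes to main/develop
        # are still uploaded. A failed upload on a push is only visible in
        # the step log, not as a job failure.
        continue-on-error: true

  # ============ RELEASE ============
  release:
    name: Release Binaries
    runs-on: ubuntu-latest
    needs: [build-test, lint]
    if: github.event_name == 'release'
    # Attaching assets to the release needs write access to repository
    # contents; the workflow default (`contents: read`) is not enough.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Build all platforms
        run: make release
      - name: Create checksums
        # SHA256SUMS.txt is published alongside the binaries so consumers can
        # verify what they download against what this job produced.
        run: |
          cd bin
          sha256sum drogonsec-* > SHA256SUMS.txt
      - name: Upload release assets
        uses: softprops/action-gh-release@v2
        with:
          files: |
            bin/drogonsec-linux-amd64
            bin/drogonsec-darwin-amd64
            bin/drogonsec-darwin-arm64
            bin/drogonsec-windows-amd64.exe
            bin/SHA256SUMS.txt

  # ============ DOCKER ============
  docker:
    name: Build & Push Docker
    runs-on: ubuntu-latest
    needs: [build-test]
    if: github.ref == 'refs/heads/main' || github.event_name == 'release'
    # Pushing to ghcr.io with the GITHUB_TOKEN requires `packages: write`,
    # which the workflow-level default does not grant.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          # `latest` tracks main; the SHA tag gives an immutable reference
          # for anyone who needs to pin the image they run.
          tags: |
            ghcr.io/${{ github.repository }}:latest
            ghcr.io/${{ github.repository }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max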