Updates dependencies and enhances security compliance #1
| name: Continuous Integration | |
| on: | |
| push: | |
| branches: ["main", "develop"] | |
| pull_request: | |
| branches: ["main", "develop"] | |
| env: | |
| GO_VERSION: "1.25.3" | |
| GOLANGCI_LINT_VERSION: "v2.5.0" | |
| jobs: | |
| lint: | |
| name: Lint and Vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Run go vet | |
| run: go vet ./... | |
| - name: Run golangci-lint | |
| uses: golangci/golangci-lint-action@v8 | |
| with: | |
| version: ${{ env.GOLANGCI_LINT_VERSION }} | |
| args: --timeout=5m | |
| - name: Check code formatting | |
| run: | | |
| if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then | |
| echo "The following files are not formatted:" | |
| gofmt -s -l . | |
| exit 1 | |
| fi | |
| - name: Run security scan with govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| govulncheck ./... | |
| - name: Run gosec security scanner | |
| run: | | |
| go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| gosec -fmt sarif -out gosec.sarif ./... | |
| continue-on-error: true | |
| - name: Upload gosec results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: gosec.sarif | |
| test: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Run unit tests | |
| run: make test | |
| - name: Generate test coverage | |
| run: | | |
| go test -coverprofile=coverage.out ./... | |
| go tool cover -html=coverage.out -o coverage.html | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| files: ./coverage.out | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: false | |
| build: | |
| name: Build and Verify | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Generate code | |
| run: make generate | |
| - name: Generate manifests | |
| run: make manifests | |
| - name: Verify generated code | |
| run: | | |
| if ! git diff --quiet; then | |
| echo "Generated code is out of date. Please run 'make generate' and 'make manifests'" | |
| git diff | |
| exit 1 | |
| fi | |
| - name: Build operator binary | |
| run: | | |
| CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o manager cmd/main.go | |
| - name: Verify binary | |
| run: | | |
| ./manager --help || true | |
| ls -la manager | |
| docker-build: | |
| name: Docker Build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| run: | | |
| make docker-build IMG=ghcr.io/helios-operator/helios-operator:ci-${{ github.sha }} | |
| - name: Verify Docker image | |
| run: | | |
| docker images | grep helios-operator | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@master | |
| with: | |
| args: "-fmt sarif -out gosec.sarif ./..." | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: gosec.sarif | |
| helm-lint: | |
| name: Helm Chart Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: "v4.3.1" | |
| - name: Lint Helm chart | |
| run: | | |
| helm lint helm/helios-operator/ | |
| - name: Template Helm chart | |
| run: | | |
| helm template helios-operator helm/helios-operator/ --dry-run | |
| - name: Package Helm chart | |
| run: | | |
| helm package helm/helios-operator/ | |
| e2e-tests: | |
| name: End-to-End Tests | |
| runs-on: ubuntu-latest | |
| needs: [lint, test, build, docker-build] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Set up kubectl | |
| uses: azure/setup-kubectl@v4 | |
| with: | |
| version: "v4.0.1" | |
| - name: Set up Minikube | |
| uses: medyagh/setup-minikube@latest | |
| with: | |
| driver: docker | |
| memory: 4096 | |
| cpus: 2 | |
| - name: Install dependencies | |
| run: | | |
| # Install Tekton | |
| kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml | |
| kubectl apply -f https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml | |
| # Install ArgoCD | |
| helm repo add argo https://argoproj.github.io/argo-helm | |
| helm repo update | |
| helm upgrade --install argocd argo/argo-cd --namespace argocd --create-namespace --wait | |
| - name: Run E2E tests | |
| run: | | |
| make test-e2e | |
| - name: Collect logs on failure | |
| if: failure() | |
| run: | | |
| kubectl get pods --all-namespaces | |
| kubectl describe pods --all-namespaces | head -1000 | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Build operator | |
| run: make build | |
| - name: Build Docker image | |
| run: | | |
| docker build -t helios-operator:latest . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "helios-operator:latest" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| release: | |
| name: Create Release | |
| runs-on: ubuntu-latest | |
| needs: | |
| [lint, test, build, docker-build, helm-lint, e2e-tests, security-scan] | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Generate changelog | |
| id: changelog | |
| run: | | |
| if [ -f CHANGELOG.md ]; then | |
| echo "changelog<<EOF" >> $GITHUB_OUTPUT | |
| head -50 CHANGELOG.md >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| else | |
| echo "changelog=No changelog available" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: v${{ github.run_number }} | |
| name: Release v${{ github.run_number }} | |
| body: ${{ steps.changelog.outputs.changelog }} | |
| draft: false | |
| prerelease: false |
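Review bot: Several third-party actions are referenced by mutable refs — `securego/gosec@master`, `aquasecurity/trivy-action@master`, `medyagh/setup-minikube@latest` — and the `go install ...@latest` lines for govulncheck and gosec in the lint job resolve to a different build on every run, so the workflow's supply chain is neither reproducible nor reviewable; pin each `uses:` to a full commit SHA (`uses: securego/gosec@<commit-sha>  # vX.Y.Z`, placeholder) and the `go install` targets to a release version. The workflow also declares no `permissions:` block, so every job inherits the repository's default GITHUB_TOKEN scope even though only the SARIF-upload jobs need `security-events: write` and only `release` needs `contents: write`; add a top-level `permissions:` / `  contents: read` and grant the write scopes per job. gosec runs three times (lint, security, security-scan — the last two are both named "Security Scan"); the lint copy has `continue-on-error: true` and the `security` job's upload step lacks `if: always()`, so when gosec exits non-zero on a finding that copy's SARIF is never uploaded — one gated scan job would be clearer and harder to bypass. The `azure/setup-kubectl` input `version: "v4.0.1"` looks wrong, since kubectl versions track Kubernetes 1.x; verify it against the action's documented input before merging.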