Skip to content
Build & Test

fix: Bump Go 1.26.1 to 1.26.2 for 6 stdlib CVEs (#2170) #7960

Sign in to view logs

fix: Bump Go 1.26.1 to 1.26.2 for 6 stdlib CVEs (#2170)

fix: Bump Go 1.26.1 to 1.26.2 for 6 stdlib CVEs (#2170) #7960

Workflow file for this run

.github/workflows/build.yml at 5b3fed2
name: Build & Test
on:
push:
branches: [develop, main]
tags:
- 'v*'
pull_request:
branches: [develop, main]
paths:
- '**.go'
- 'go.mod'
- 'go.sum'
- 'Dockerfile'
- 'api/proto/**'
- 'buf.yaml'
- 'buf.gen.yaml'
- 'buf.lock'
- 'Makefile'
- '.github/workflows/build.yml'
- 'scripts/check-service-coverage.sh'
permissions:
contents: read
packages: write
security-events: write # Required for SARIF upload to Security tab
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
name: Build Docker Image
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: read
packages: write
security-events: write # Required for SARIF upload to Security tab
id-token: write # Required for cosign keyless signing via OIDC
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: '1.26.2'
cache: true
- name: Set up buf
uses: bufbuild/buf-action@v1
with:
setup_only: true
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate protobuf files
run: buf generate
- name: Verify compilation
if: github.event_name == 'pull_request'
run: go build ./...
- name: Check per-service coverage
if: github.event_name == 'pull_request'
run: |
chmod +x scripts/check-service-coverage.sh scripts/codecov-exclude-pattern.sh
./scripts/check-service-coverage.sh
- name: Run tests
if: github.event_name != 'pull_request'
run: make test
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v6
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v7
with:
context: .
file: ./Dockerfile
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
VERSION=${{ github.ref_name }}
COMMIT=${{ github.sha }}
BUILD_DATE=${{ github.event.head_commit.timestamp }}
- name: Install Cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign --yes \
ghcr.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
- name: Run Trivy vulnerability scanner (filesystem)
if: github.event_name == 'pull_request'
uses: aquasecurity/trivy-action@0.35.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-fs-results.sarif'
- name: Upload Trivy filesystem results to GitHub Security tab
if: github.event_name == 'pull_request'
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-fs-results.sarif
- name: Run Trivy vulnerability scanner (image)
if: github.event_name != 'pull_request'
uses: aquasecurity/trivy-action@0.35.0
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
format: 'sarif'
output: 'trivy-image-results.sarif'
- name: Upload Trivy image results to GitHub Security tab
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-image-results.sarif