Dockerfile: Bump golang from fcdb3e4 to 5f3787b in /nexus/openapi-generator #3887

# SPDX-FileCopyrightText: 2026 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
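---
name: Lint, Test, Build, and Publish
on:
  # Allow manually triggering the workflow
  workflow_dispatch: {}
  # Run on all commits that are pushed to the main branch
  push:
    branches:
      - main
  # Trigger workflow on PRs to all branches
  pull_request:
    branches:
      - "*"
    types:
      - opened
      - synchronize
      - reopened
  # Trigger workflow when enqueued to a merge group
  merge_group: {}
# Only run at most 1 workflow concurrently per PR or per branch to keep costs down.
# Superseded runs are cancelled for pull requests only: a push to main runs the
# publish steps (ECR pushes, git tags) and cancelling one of those part-way through
# can leave a partially published set of artifacts.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
# Default token permissions for every job; jobs that need more request it explicitly.
permissions:
  contents: read
jobs:
  pre-merge:
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
    with:
      run_version_check: false
      run_build: false
      run_lint: false
      run_test: false
      bootstrap_tools: ""
      trivy_config_path: trivy.yaml
  lint-go:
    permissions:
      contents: read
    name: Lint Go
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # egress-policy: audit records outbound calls but does not block them.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Cache Go build and module directories
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Download Go modules recursively
        run: find . -name "go.mod" -execdir go mod download -x \;
      - name: Run lint
        run: mage lint:golang
  lint-helm:
    permissions:
      contents: read
    name: Lint Helm Charts
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Run lint
        run: mage lint:helm
  lint-yaml:
    permissions:
      contents: read
    name: Lint YAML
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Run lint
        run: mage lint:yaml
  lint-dockerfile:
    permissions:
      contents: read
    name: Lint Dockerfiles
    runs-on: ubuntu-latest
    # Bounded like the other lint jobs so a hung runner cannot run indefinitely.
    timeout-minutes: 10
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Lint Dockerfiles using hadolint
        run: mage lint:dockerfiles
  check-license:
    permissions:
      contents: read
    name: Check License
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: REUSE Compliance Check
        uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
  version-check:
    permissions:
      contents: read
    name: Version Check
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      BASEDIR: .
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # The scripts checked out here are executed in this job, so they are pinned
      # to the same orch-ci commit as the reusable workflow/actions above rather
      # than to the mutable `main` branch (which would run whatever lands there
      # next). Bump this ref together with the other orch-ci pins.
      - name: Checkout action repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: open-edge-platform/orch-ci
          path: ci
          ref: d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
          persist-credentials: false
      - name: Run Version Check
        shell: bash
        run: |
          ./ci/scripts/version-check.sh
  version-tag:
    permissions:
      contents: read
    name: Version Tag
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs:
      - build-containers
      - build-helm-charts
    env:
      BASEDIR: .
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-tags: true
          fetch-depth: 0
          persist-credentials: false
      # Executed below with SYS_EMF_GH_TOKEN in the environment, so pinned to the
      # same orch-ci commit as every other orch-ci reference in this file instead
      # of the mutable `main` branch. Bump this ref together with the other pins.
      - name: Checkout action repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: open-edge-platform/orch-ci
          path: ci
          ref: d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      # TODO: This is a temporary solution for buildall script
      # We need to find a long term solution that leverages orch-ci workflow
      #
      # NOTE(review): the code checkout above uses persist-credentials: false, so
      # the `git push origin` below can only succeed if version-tag-param.sh (or
      # something else in this job) wires SYS_EMF_GH_TOKEN into git's credential
      # configuration — confirm that is the case.
      - name: Run Version Tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
        run: |
          # Tag the helm charts: one tag per chart directory, named chart/<name>/v<version>
          pushd charts
          for chart in *; do
            echo "$chart"
            if [ -d "$chart" ]; then
              pushd "$chart"
              name=$(yq .name Chart.yaml)
              "$GITHUB_WORKSPACE"/ci/scripts/version-tag-param.sh "chart/${name}/v"
              popd
            fi
          done
          popd
          # Tag the containers: <container>/v<appVersion>, taken from the matching chart.
          # Read the list line by line so names are never glob-expanded or re-split.
          mapfile -t containers < <(mage listTaggedContainers | yq -r '.images | keys | .[]')
          for container in "${containers[@]}"; do
            version=$(yq .appVersion "charts/${container}/Chart.yaml")
            tag="${container}/v${version}"
            # All expansions are quoted so an unexpected name cannot be split or globbed
            # into extra git arguments.
            if git ls-remote --exit-code --tags origin "$tag" > /dev/null; then
              echo "Tag $tag already exists in remote, skipping."
            else
              git tag "$tag"
              git push origin "$tag"
            fi
          done
  test-go:
    permissions:
      contents: read
    name: Test Go
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs:
      - lint-go
      - check-license
      - version-check
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Cache Go build and module directories
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Download Go modules recursively
        run: find . -name "go.mod" -execdir go mod download -x \;
      - name: Run tests
        run: make ginkgo
  build-containers:
    permissions:
      contents: read
    name: Build and publish containers
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      matrix:
        version:
          - authService
          - awsSmProxy
          - certSynchronizer
          - componentStatus
          - secretsConfig
          - squidProxy
          - tokenFS
          - tenancyAPIMapping
          - tenancyInit
          - tenancyManager
          - tenancyDatamodel
          - nexusAPIGateway
          - keycloakTenantController
          - nexusCompiler
          - openAPIGenerator
    # NOTE(review): on a push to main this job pushes images to ECR after waiting
    # only for lint-yaml; it does not wait for test-go, lint-go or check-license
    # (build-helm-charts does wait for most of them). Confirm that is intended.
    needs:
      - lint-yaml
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Cache Go build and module directories
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Download Go modules recursively
        run: find . -name "go.mod" -execdir go mod download -x \;
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build container artifacts
        run: |
          mage build:${{ matrix.version }}
      # NOTE(review): these are long-lived static IAM keys held as repository
      # secrets. The post-merge job already requests id-token: write; consider
      # moving this push to OIDC role assumption so no static key needs to exist.
      - name: Configure AWS credentials
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        with:
          aws-access-key-id: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
          aws-secret-access-key: ${{ secrets.NO_AUTH_ECR_PUSH_PASSWD }}
          aws-region: us-west-2
      - name: Login to ECR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: 080137407410.dkr.ecr.us-west-2.amazonaws.com
      - name: Push container artifacts to ECR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          # Images that already exist in the registry will be skipped
          mage push:${{ matrix.version }}
  build-helm-charts:
    permissions:
      contents: read
    name: Build and publish Helm charts
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs:
      - lint-helm
      - lint-yaml
      - check-license
      - version-check
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup asdf and install dependencies
        uses: open-edge-platform/orch-ci/.github/actions/setup-asdf@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
      - name: Build Helm charts
        run: mage ChartsBuild
      # NOTE(review): same long-lived static IAM keys as build-containers; see the
      # OIDC remark there.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        with:
          aws-access-key-id: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
          aws-secret-access-key: ${{ secrets.NO_AUTH_ECR_PUSH_PASSWD }}
          aws-region: us-west-2
      - name: Login to Amazon ECR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2.0.2
        with:
          registries: "080137407410"
      - name: Push Helm chart artifacts to ECR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          # Charts that already exist in the registry will be skipped
          mage push:charts
  post-merge:
    # Elevated permissions are scoped to this job only (the workflow default is contents: read).
    permissions:
      contents: read
      security-events: write
      actions: read
      id-token: write
    if: github.event_name == 'push' && ( github.ref == 'refs/heads/main' || github.ref == 'refs/heads/main-pass-validation' )
    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@d40dfda9598df896aa20cb1dc2c950d6444e8fa7 # 2026.0.19
    with:
      run_build: false
      run_version_tag: true
    secrets:
      SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
      NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
      NO_AUTH_ECR_PUSH_PASSWD: ${{ secrets.NO_AUTH_ECR_PUSH_PASSWD }}
      MSTEAMS_WEBHOOK: ${{ secrets.TEAMS_WEBHOOK }}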