Update GitHub Actions to pinned versions #744
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: MIT | |
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - feature/** | |
| paths-ignore: | |
| - '**.md' | |
| - '.gitignore' | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| GORELEASER_VERSION: '~> v2' | |
| TASK_VERSION: 3.x | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| local-build: | |
| name: Local build | |
| runs-on: ubuntu-24.04 | |
| permissions: {} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: './go.mod' | |
| - name: Setup Task | |
| uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 | |
| with: | |
| version: ${{ env.TASK_VERSION }} | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup GoReleaser | |
| uses: goreleaser/goreleaser-action@026299872805cb2db698e02dd7fb506a4da5122d # v6.2.0 | |
| with: | |
| install-only: true | |
| - name: Setup container-structure-test | |
| run: | | |
| set -euo pipefail | |
| curl -fsSLo /usr/local/bin/container-structure-test https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 | |
| chmod +x /usr/local/bin/container-structure-test | |
| container-structure-test version | |
| - name: Check release config | |
| run: | | |
| task goreleaser:check | |
| - name: Build with GoReleaser | |
| run: | | |
| task goreleaser:build | |
| - name: Create snapshot release | |
| run: | | |
| task goreleaser:snapshot | |
| - name: Build | |
| run: | | |
| task build | |
| - name: Test | |
| run: | | |
| task test | |
| release-dry-run: | |
| name: GoReleaser release (dry run) | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| actions: read | |
| checks: write | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: './go.mod' | |
| - name: Set environment variables | |
| run: | | |
| set -euo pipefail | |
| echo "SNAPSHOT_VERSION=$(./scripts/version)" >>"${GITHUB_ENV}" | |
| IMAGE_BASE_NAME_DISTROLESS="$(sed -n "s/^FROM \(.*\)/\1/p" build/package/Dockerfile | tail -n 1)" | |
| echo "IMAGE_BASE_NAME_DISTROLESS=${IMAGE_BASE_NAME_DISTROLESS}" >>"${GITHUB_ENV}" | |
| echo "IMAGE_BASE_DIGEST_DISTROLESS=$(docker pull "${IMAGE_BASE_NAME_DISTROLESS}" | sed -n "s/^Digest: \(.*\)$/\1/p")" >>"${GITHUB_ENV}" | |
| - name: Check release config | |
| uses: goreleaser/goreleaser-action@026299872805cb2db698e02dd7fb506a4da5122d # v6.2.0 | |
| with: | |
| version: ${{ env.GORELEASER_VERSION }} | |
| args: check --config build/package/.goreleaser.yaml | |
| - name: Create snapshot release | |
| uses: goreleaser/goreleaser-action@026299872805cb2db698e02dd7fb506a4da5122d # v6.2.0 | |
| with: | |
| version: ${{ env.GORELEASER_VERSION }} | |
| args: release --config build/package/.goreleaser.yaml --snapshot --skip=publish --clean | |
| - name: Container structure test (distroless) | |
| uses: docker://gcr.io/gcp-runtimes/container-structure-test:latest | |
| with: | |
| args: 'test --image ghcr.io/ffurrer2/semver:latest --config test/semver_container_test.yml' | |
| - name: Run Trivy vulnerability scanner (distroless) | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 | |
| with: | |
| image-ref: 'ghcr.io/ffurrer2/semver:latest' | |
| exit-code: '1' | |
| vuln-type: 'os,library' | |
| severity: 'HIGH,CRITICAL' | |
| format: 'sarif' | |
| output: 'trivy-results-distroless.sarif' | |
| github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
| - name: Inspect Trivy SARIF report (distroless) | |
| run: | | |
| cat trivy-results-distroless.sarif | |
| if: ${{ !cancelled() }} | |
| - name: Upload Trivy scan results to GitHub Security tab (distroless) | |
| uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 | |
| with: | |
| sarif_file: 'trivy-results-distroless.sarif' | |
| category: trivy-results-distroless | |
| if: ${{ !cancelled() }} | |
| - name: Run Anchore image scanner (distroless) | |
| uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0 | |
| id: anchore-distroless | |
| with: | |
| image: 'ghcr.io/ffurrer2/semver:latest' | |
| fail-build: true | |
| severity-cutoff: high | |
| if: ${{ !cancelled() }} | |
| - name: Inspect Anchore SARIF report (distroless) | |
| run: | | |
| cat ${{ steps.anchore-distroless.outputs.sarif }} | |
| if: ${{ !cancelled() }} | |
| - name: Upload Anchore scan results to GitHub Security tab (distroless) | |
| uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 | |
| with: | |
| sarif_file: ${{ steps.anchore-distroless.outputs.sarif }} | |
| if: ${{ !cancelled() }} |