ci: full clone

jippi · jippi · commit 532eb2cb653d · 2024-05-09T15:03:49.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,8 +2,11 @@ name: "CodeQL"
 
 on:
   push:
+    tags:
+      - v*
     branches:
       - main
+  pull_request:
 
 jobs:
   # ------------------------------
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -2,10 +2,10 @@ name: Gitleaks
 
 on:
   push:
-    branches:
-      - "main"
     tags:
-      - "v*"
+      - v*
+    branches:
+      - main
   pull_request:
 
 permissions:
@@ -20,6 +20,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: gitleaks/gitleaks-action@v2
         env:
diff --git a/.github/workflows/grype.yml b/.github/workflows/grype.yml
@@ -2,10 +2,10 @@ name: Grype
 
 on:
   push:
-    branches:
-      - "main"
     tags:
-      - "v*"
+      - v*
+    branches:
+      - main
   pull_request:
 
 jobs:
@@ -22,6 +22,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: anchore/scan-action@v3
         with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -26,6 +26,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: actions/setup-go@v5
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,8 +19,6 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - uses: arduino/setup-task@v2
         with:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,63 @@
+name: Security
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  # ------------------------------
+
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup
+        run: task setup
+
+      - name: install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: run govulncheck
+        run: govulncheck ./...
+
+  # ------------------------------
+
+  semgrep:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/checkout@v4
+        with:
+          repository: dgryski/semgrep-go
+          path: rules
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: semgrep
+        run: semgrep scan --error --enable-nosem -f ./rules .
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,59 @@
+name: Test
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: setup-tparse
+        run: go install github.com/mfridman/tparse@latest
+
+      - uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup
+        run: |
+          task setup
+          task build
+
+      - name: test
+        run: ./scripts/test.sh
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Ensure scm-engine binary work
+        run: ./scm-engine -h
+
+      - name: Test scm-engine against test GitLab project
+        run: ./scm-engine evaluate 1
+        env:
+          SCM_ENGINE_TOKEN: "${{ secrets.GITLAB_INTEGRATION_TEST_API_TOKEN }}"
+          SCM_ENGINE_CONFIG_FILE: ".scm-engine.example.yml"
+          GITLAB_PROJECT: "jippi/scm-engine-schema-test"
+          GITLAB_BASEURL: https://gitlab.com/
+
+      - name: Show any diff that may be in the project
+        run: git diff
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -20,12 +20,12 @@ tasks:
 
   build:
     desc: Build the binary
+    cmds:
+      - go build -o scm-engine .
     sources:
       - ./**/*.go
     generates:
       - ./scm-engine
-    cmds:
-      - go build -o scm-engine .
 
   test:
     desc: Run tests
