chore: harden GitHub Actions workflows (#2394)
Signed-off-by: Hidde Beydals <[email protected]>
hiddeco authored Aug 12, 2024
1 parent df0ab08 commit c43ae31
Showing 7 changed files with 127 additions and 115 deletions.
58 changes: 29 additions & 29 deletions .github/workflows/backport.yaml
Expand Up @@ -15,32 +15,32 @@ jobs:
pull-requests: write
if: github.repository_owner == 'akuity' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport/', github.event.label.name))
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Create backport PRs
uses: korthout/backport-action@v3
# xref: https://github.com/korthout/backport-action#inputs
with:
# Use token to allow workflows to be triggered for the created PR
github_token: ${{ secrets.AKUITYBOT_PAT }}
# Match labels with pattern `backport/<target-branch>`
label_pattern: '^backport\/([^ ]+)$'
# A title which matches the linter constraints for semantic PR titles,
# while still being descriptive about the target branch
pull_title: 'chore(backport ${target_branch}): ${pull_title}'
# Simpler PR description than default
pull_description: |-
Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
# Copy any labels (excluding those starting with "backport/") to the backport PR
copy_labels_pattern: '^(?!backport\/).*'
# Copy associated people to the backport PR
copy_assignees: true
copy_requested_reviewers: true
# Skip any merge commits in the source PR
merge_commits: 'skip'
# Automatically detect "squash and merge" instead of copying all
# commits from the source PR to the backport PR
experimental: >
{
"detect_merge_method": true
}
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Create backport PRs
uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
# xref: https://github.com/korthout/backport-action#inputs
with:
# Use token to allow workflows to be triggered for the created PR
github_token: ${{ secrets.AKUITYBOT_PAT }}
# Match labels with pattern `backport/<target-branch>`
label_pattern: '^backport\/([^ ]+)$'
# A title which matches the linter constraints for semantic PR titles,
# while still being descriptive about the target branch
pull_title: 'chore(backport ${target_branch}): ${pull_title}'
# Simpler PR description than default
pull_description: |-
Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
# Copy any labels (excluding those starting with "backport/") to the backport PR
copy_labels_pattern: '^(?!backport\/).*'
# Copy associated people to the backport PR
copy_assignees: true
copy_requested_reviewers: true
# Skip any merge commits in the source PR
merge_commits: 'skip'
# Automatically detect "squash and merge" instead of copying all
# commits from the source PR to the backport PR
experimental: >
{
"detect_merge_method": true
}
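Review bot: The job-level `if:` guard kept as context at the top of this hunk does not filter on the label the way it appears to intend. `github.event_name` holds the name of the triggering event, never the activity type `labeled`, so `github.event_name != 'labeled'` is always true. `startsWith` also takes the string first and the prefix second, so its arguments are reversed. As written, the job (which holds `pull-requests: write` and `secrets.AKUITYBOT_PAT`) runs for every merged-PR event the workflow subscribes to; the `on:` block is outside the hunk, so the exact trigger set is unconfirmed. Suggested: `if: github.repository_owner == 'akuity' && github.event.pull_request.merged && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport/'))`.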
82 changes: 44 additions & 38 deletions .github/workflows/ci.yaml
Expand Up @@ -8,16 +8,18 @@ on:
- main
- release-*

jobs:
permissions:
contents: read

jobs:
test-unit:
runs-on: ubuntu-latest
container:
image: golang:1.22.5-bookworm
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/cache@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
Expand All @@ -30,7 +32,7 @@ jobs:
grep -v .pb.go coverage.txt | grep -v zz_generated | grep -v service.connect.go > coverage.tmp
mv coverage.tmp coverage.txt
- name: Upload coverage reports
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
with:
token: ${{ secrets.CODECOV_TOKEN }}

Expand All @@ -40,19 +42,19 @@ jobs:
image: node:20.12.2
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/cache@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.pnpm-store
key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-
- name: Install pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
package_json_file: ui/package.json
- name: Install nodejs
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: "22.5.1"
cache: "pnpm"
Expand All @@ -61,12 +63,14 @@ jobs:
run: make lint-ui

lint-go:
permissions:
checks: write # Used to create checks (linting comments) on PRs
runs-on: ubuntu-latest
container:
image: golang:1.22.5-bookworm
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install linter
env:
GOLANGCI_LINT_VERSION: 1.57.2
Expand All @@ -86,43 +90,45 @@ jobs:
container:
image: golang:1.22.5-bookworm
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install linter
run: |
cd /usr/local/bin
curl -sSfL https://get.helm.sh/helm-v3.10.0-linux-amd64.tar.gz \
| tar xvz linux-amd64/helm --strip-components=1
- name: Run linter
run: make lint-charts
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install linter
run: |
cd /usr/local/bin
curl -sSfL https://get.helm.sh/helm-v3.10.0-linux-amd64.tar.gz \
| tar xvz linux-amd64/helm --strip-components=1
- name: Run linter
run: make lint-charts

lint-proto:
permissions:
checks: write # Used to create checks (linting comments) on PRs
runs-on: ubuntu-latest
container:
image: golang:1.22.5-bookworm
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install linter
uses: bufbuild/buf-setup-action@v1
with:
version: "1.20.0"
- name: Run linter
env:
BUF_LINT_ERROR_FORMAT: github-actions
run: make lint-proto
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install linter
uses: bufbuild/buf-setup-action@aceb106d2419c4cff48863df90161d92decb8591 # v1.35.1
with:
version: "1.20.0"
- name: Run linter
env:
BUF_LINT_ERROR_FORMAT: github-actions
run: make lint-proto

check-codegen:
runs-on: ubuntu-latest
container:
image: golang:1.22.5-bookworm
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install tools
run: apt update && apt install unzip
- name: Install pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
package_json_file: ui/package.json
- name: Install nodejs
Expand All @@ -134,18 +140,18 @@ jobs:
- name: Install nodejs dependencies
run: pnpm install --dev
working-directory: ./ui
- uses: actions/cache@v4
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Install buf
uses: bufbuild/[email protected]
uses: bufbuild/buf-setup-action@46a2967ea50b8a012e948cb23d2468b84227e1e5 # v1.29.0-1
with:
version: 1.26.1
- name: Install Protoc
uses: arduino/setup-protoc@v3
uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
with:
version: "25.3"
- name: Install codegen tools
Expand All @@ -168,11 +174,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Build
uses: docker/build-push-action@v6
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
with:
platforms: linux/amd64,linux/arm64
push: false
Expand All @@ -186,8 +192,8 @@ jobs:
image: golang:1.22.5-bookworm
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/cache@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
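Review bot: The `Install linter` step in the `lint-charts` hunk still pipes `https://get.helm.sh/helm-v3.10.0-linux-amd64.tar.gz` from `curl` straight into `tar` under `/usr/local/bin` with no integrity check, so this download is not pinned to known content the way the actions in the same job now are. Record the expected SHA-256 of that tarball in the workflow and verify it before extracting, as sketched below. The digest in the sketch is a placeholder to be filled in from the checksum published with the Helm release. The job header for `lint-charts` lies above the hunk, so only the step itself is shown.

```yaml
- name: Install linter
  env:
    # placeholder: replace with the published digest for this exact tarball
    HELM_SHA256: "<PLACEHOLDER_SHA256_OF_helm-v3.10.0-linux-amd64.tar.gz>"
  run: |
    cd /usr/local/bin
    curl -sSfLo /tmp/helm.tar.gz https://get.helm.sh/helm-v3.10.0-linux-amd64.tar.gz
    echo "${HELM_SHA256}  /tmp/helm.tar.gz" | sha256sum -c -
    tar xvzf /tmp/helm.tar.gz linux-amd64/helm --strip-components=1
# … unchanged: Run linter step …
```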
@@ -1,4 +1,6 @@
# Documentation: https://github.com/BirthdayResearch/oss-governance-bot
name: Governance

on:
pull_request_target:
types: [ synchronize, opened, labeled, unlabeled ]
Expand All @@ -9,9 +11,13 @@ on:

jobs:
governance:
permissions:
contents: read
issues: write
pull-requests: write
name: Governance
runs-on: ubuntu-latest
steps:
- uses: BirthdayResearch/oss-governance-bot@v4
with:
config-path: .github/governance.yml
- uses: BirthdayResearch/oss-governance-bot@3abd2d1fd2376ba9990fbc795e7a4c54254e9c61 # v4.0.0
with:
config-path: .github/governance.yml
6 changes: 3 additions & 3 deletions .github/workflows/lint-pr.yaml
Expand Up @@ -15,6 +15,6 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}