chore(deps): bump tailscale.com from 1.68.0 to 1.90.6 #192
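---
# CI pipeline: lint/format, unit + OPA tests against a Postgres service
# container, static security scanning (gosec, Trivy) with SARIF upload to
# code scanning, container image builds with a compose smoke test, and a
# standalone OPA policy-test job.
#
# Supply-chain note: `uses:` references are pinned to major/release tags,
# which are mutable. For hardening, pin each one to a full commit SHA and
# keep the tag in a trailing comment.
name: CI/CD Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: jobs that do not declare their own
# `permissions:` inherit this read-only grant instead of the repository
# default. Only security-scan needs more (security-events: write).
permissions:
  contents: read

env:
  # Quoted so the YAML loader keeps them as strings rather than floats.
  GO_VERSION: '1.24'
  PYTHON_VERSION: '3.12'

jobs:
  lint-and-format:
    name: Lint and Format Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install toolchains
        run: |
          python -m pip install --upgrade pip
          make install-tools
      - name: Format check
        run: make ci-format-check
      - name: Lint
        run: make lint

  test:
    name: Run Tests
    runs-on: ubuntu-latest
    services:
      postgres:
        # CI-only database. The credentials below are throwaway values that
        # never leave the runner. Consider pinning the image by digest so the
        # test database cannot change underneath the suite.
        image: postgres:16
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: app_test
        options: >-
          --health-cmd="pg_isready -U postgres -d app_test"
          --health-interval=2s
          --health-timeout=2s
          --health-retries=20
        ports:
          - "5432:5432"
    env:
      # Must agree with the service-container credentials above.
      DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:5432/app_test
      PGUSER: postgres
      PGPASSWORD: postgres
      PGHOST: 127.0.0.1
      PGPORT: "5432"
      PGDATABASE: app_test
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -r app/requirements.txt
          make install-tools
      - name: Wait for database
        # The service health check gates container start, but the host port
        # forward can lag behind it; poll until pg_isready succeeds or give up
        # with a clear error instead of letting the suite fail on a connection.
        run: |
          for i in {1..30}; do
            pg_isready -h 127.0.0.1 -p 5432 -U postgres -d app_test && exit 0
            sleep 1
          done
          echo "Postgres did not become ready" >&2
          exit 1
      - name: Run test suite
        run: make test
      - name: Test OPA policies
        run: make opa-test

  security-scan:
    name: Security Scanning
    runs-on: ubuntu-latest
    # The only job that needs write access: uploading SARIF to code scanning.
    # On pull_request runs from forks GITHUB_TOKEN is read-only, so the upload
    # steps are allowed to fail without failing the job.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Set up Python
        # Same pinned interpreter as the other jobs, rather than whatever
        # python the runner image ships.
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Prepare tooling
        run: |
          python -m pip install --upgrade pip
          make install-tools
      - name: Run security checks
        run: make security
      - name: Run gosec with SARIF output
        # gosec exits non-zero when it reports issues, which fails this step
        # (and the job) as intended. The steps below are guarded with
        # `!cancelled()` so the report still reaches the Security tab and the
        # Trivy scan still runs when gosec has findings.
        run: gosec -fmt sarif -out gosec.sarif ./...
      - name: Upload gosec results
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        continue-on-error: true
        with:
          sarif_file: gosec.sarif
      - name: Run Trivy vulnerability scanner
        if: ${{ !cancelled() }}
        # Pinned to a release tag instead of the mutable `master` branch so a
        # changed or compromised upstream ref cannot silently alter what runs
        # with this job's token; a full commit SHA is the stronger pin.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy results
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        continue-on-error: true
        with:
          sarif_file: 'trivy-results.sarif'

  build:
    name: Build and Test Docker Images
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build authz service
        run: docker build -t keep/authz -f services/authz/Dockerfile .
      - name: Build inventory service
        run: docker build -t keep/inventory -f services/inventory/Dockerfile .
      - name: Build Flask app
        run: docker build -t keep/app -f app/Dockerfile .
      - name: Test Docker Compose build
        run: docker compose -f docker-compose.secure.yml build
      - name: Run basic smoke test
        # Brings the stack up with throwaway credentials and a freshly
        # generated test CA; nothing written to .env or ./test-certs is a real
        # secret. `timeout` exits 124 when the services are still running
        # after 30s, which is the success case. Any other non-zero exit is
        # treated as a container dying during startup and fails the job
        # (previously `|| true` swallowed every failure, so this step could
        # never fail). If a compose service is expected to exit non-zero,
        # exempt its code here.
        run: |
          # Generate test certificates
          ./scripts/generate-root-ca.sh ./test-certs
          # Set minimal environment
          cat > .env << EOF
          POSTGRES_PASSWORD=test-password
          GOOGLE_CLIENT_ID=test-client-id.apps.googleusercontent.com
          AUTHZ_ROOT_CA_CERT=./test-certs/keep-root.pem
          AUTHZ_ROOT_CA_KEY=./test-certs/keep-root-key.pem
          EOF
          # Start services briefly to test startup
          rc=0
          timeout 30s docker compose -f docker-compose.secure.yml up --abort-on-container-exit || rc=$?
          if [ "$rc" -ne 0 ] && [ "$rc" -ne 124 ]; then
            echo "Smoke test failed: docker compose exited with $rc" >&2
            docker compose -f docker-compose.secure.yml logs --no-color >&2
            exit "$rc"
          fi
      - name: Tear down smoke-test stack
        # Always clean up containers and volumes, even when the smoke test
        # failed or the run was cancelled.
        if: ${{ always() }}
        run: docker compose -f docker-compose.secure.yml down --volumes --remove-orphans || true

  opa-policy-test:
    name: Test OPA Policies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2
      - name: Run policy tests
        # `make opa-test` also runs inside the test job; this job needs only
        # the OPA binary and no database, so it reports independently.
        run: make opa-test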