ledger/.github/workflows/main.yml at main · formancehq/ledger · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
name: Default
on:
  merge_group:
  push:
    branches:
      - main
      - release/*
  pull_request:
    types: [ assigned, opened, synchronize, reopened, labeled ]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  PR:
    if: github.event_name == 'pull_request'
    name: Check PR Title
    runs-on: ubuntu-latest
    permissions:
      statuses: write
    steps:
      - uses: amannn/action-semantic-pull-request@v6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  Dirty:
    runs-on: "shipfox-4vcpu-ubuntu-2404"
    env:
      GOPATH: /tmp/go
      GOLANGCI_LINT_CACHE: /tmp/golangci-lint
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          filter: tree:0 # treeless clone, faster to clone as history and blobs are only fetched when needed.
      - name: Setup Env
        uses: ./.github/actions/default
        with:
          token: ${{ secrets.NUMARY_GITHUB_TOKEN }}
      - run: >
          nix develop --impure --command just pre-commit
        env:
          SPEAKEASY_API_KEY: ${{ secrets.SPEAKEASY_API_KEY }}
      - name: Get changed files
        id: changed-files
        shell: bash
        run: |
          hasChanged=$(git status --porcelain)
          if (( $(echo ${#hasChanged}) != 0 )); then
            git status
            echo "There are changes in the repository"
            git diff
            exit 1
          fi

  Tests:
    runs-on: "shipfox-8vcpu-ubuntu-2404"
    env:
      GOPATH: /tmp/go
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          filter: tree:0 # treeless clone, faster to clone as history and blobs are only fetched when needed.
      - name: Setup Env
        uses: ./.github/actions/default
        with:
          token: ${{ secrets.NUMARY_GITHUB_TOKEN }}
      - run: >
          nix develop --impure --command just tests
        env:
          SPEAKEASY_API_KEY: ${{ secrets.SPEAKEASY_API_KEY }}
      - name: Upload coverage reports to Codecov with GitHub Action
        uses: codecov/codecov-action@v6.0.0
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  GoReleaser:
    runs-on: "shipfox-4vcpu-ubuntu-2404"
    permissions:
      id-token: write
      attestations: write
    if: contains(github.event.pull_request.labels.*.name, 'build-images') || github.ref == 'refs/heads/main' || github.event_name == 'merge_group'
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: "latest"
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          filter: tree:0 # treeless clone, faster to clone as history and blobs are only fetched when needed.
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Setup Env
        uses: ./.github/actions/default
        with:
          token: ${{ secrets.NUMARY_GITHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: "NumaryBot"
          password: ${{ secrets.NUMARY_GITHUB_TOKEN }}
      - run: >
          nix develop --impure --command just release-ci
        env:
          GITHUB_TOKEN: ${{ secrets.NUMARY_GITHUB_TOKEN }}
          SPEAKEASY_API_KEY: ${{ secrets.SPEAKEASY_API_KEY }}
          FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

      - uses: actions/upload-artifact@v7
        with:
          name: goreleaser-metadata
          path: |
            dist/*.json
            dist/ledger_checksums.txt
          retention-days: 7
          compression-level: 0

      # TODO(@sylr): Move this to the Release workflow when proven working.
      # Generate attestations for the goreleaser output archives
      - uses: actions/attest-build-provenance@v4
        with:
          subject-checksums: ./dist/ledger_checksums.txt
      # Generate attestations for the goreleaser output binaries
      - uses: actions/attest-build-provenance@v4
        with:
          subject-path: ./dist/*/**
      # Extract image metadata from the artifacts.json file
      - run: |
          jq -r '[ .[]|select(.type=="Docker Manifest") | .extra.Digest         ] | to_entries | .[] | ( "digest"+ (.key | tostring) + "=" + .value )' < dist/artifacts.json >> "$GITHUB_OUTPUT"
          jq -r '[ .[]|select(.type=="Docker Manifest") | .name | split(":")[0] ] | to_entries | .[] | ( "name"+ (.key | tostring) + "=" + .value )'   < dist/artifacts.json >> "$GITHUB_OUTPUT"
        id: image_metadata
      # Generate attestations for docker images
      - uses: actions/attest-build-provenance@v4
        with:
          subject-digest: ${{ steps.image_metadata.outputs.digest0 }}
          subject-name: ${{ steps.image_metadata.outputs.name0 }}
          push-to-registry: true
      - uses: actions/attest-build-provenance@v4
        with:
          subject-digest: ${{ steps.image_metadata.outputs.digest1 }}
          subject-name: ${{ steps.image_metadata.outputs.name1 }}
          push-to-registry: true

  Deploy:
    runs-on: ubuntu-24.04
    if: github.ref == 'refs/heads/main'
    environment: staging
    permissions:
      id-token: write
    needs:
      - GoReleaser
      - Tests
    steps:
      - name: Tailscale
        uses: tailscale/github-action@v4
        with:
          oauth-client-id: ${{ secrets.TS_OIDC_OAUTH_CLIENT_ID }}
          audience: ${{ secrets.TS_OIDC_AUDIENCE }}
          tags: ${{ vars.TS_TAGS }}
          version: ${{ vars.TS_VERSION }}
          args: ${{ vars.TS_ARGS }}
          retry: ${{ vars.TS_RETRY }}
          timeout: ${{ vars.TS_TIMEOUT }}
          ping: ${{ vars.TS_PING }}
      - uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: "latest"
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          filter: tree:0 # treeless clone, faster to clone as history and blobs are only fetched when needed.
      - name: "Deploy in staging"
        env:
          TAG: ${{ github.sha }}
          COMPONENT: ledger
          ARGOCD_REGION_AUTH_TOKEN: ${{ secrets.ARGOCD_REGION_AUTH_TOKEN }}
        run: >
          earthly
          --no-output
          --secret AUTH_TOKEN=$ARGOCD_REGION_AUTH_TOKEN
          +deploy-staging
          --TAG=$TAG
          --COMPONENT=$COMPONENT