rolesetter/.github/workflows/test.yaml at main · mchmarny/rolesetter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
name: test

on:
  workflow_call: {}

permissions:
  contents: read

jobs:

  test:
    timeout-minutes: 15
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      id-token: write
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

    - name: Load versions
      id: versions
      uses: ./.github/actions/load-versions

    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6.3.0
      with:
        go-version: ${{ steps.versions.outputs.go }}
        cache: true
        cache-dependency-path: go.sum

    - name: Tidy
      run: go mod tidy

    - name: Test
      run: |
        go test -count=1 -covermode=atomic -coverprofile=coverage.out ./...
        go tool cover -func=coverage.out

    - name: Coverage
      uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
      with:
        fail_ci_if_error: true
        use_oidc: true

    - name: Lint Go
      uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20  # v9.2.0
      with:
        version: ${{ steps.versions.outputs.golangci_lint }}

    - name: Lint YAML
      uses: karancode/yamllint-github-action@4052d365f09b8d34eb552c363d1141fd60e2aeb2  # v3.0.0
      with:
        yamllint_config_filepath: .yamllint

    - name: Install Trivy
      run: |
        sudo apt-get install -y wget apt-transport-https gnupg
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
        sudo apt-get update
        sudo apt-get install -y trivy
        trivy --version

    - name: Scan
      run: |
        trivy fs . \
          --ignore-unfixed \
          --format sarif \
          --output trivy-results.sarif \
          --severity ${{ steps.versions.outputs.scan_severity }} \
          --exit-code 1

    - name: Upload Scan Results
      if: always()
      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6
      with:
        sarif_file: trivy-results.sarif