STAC-0: get cli to build with nix #283
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
tags: | |
- v* | |
# Allows to run this via the Actions tab | |
workflow_dispatch: | |
jobs: | |
setup: | |
name: Prepare CI image | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Compute Image Checksum | |
run: echo "NIX_CHECKSUM=$(cat flake.* | md5sum | awk '{print $1}')" >> $GITHUB_ENV | |
- name: Cache Image | |
id: cache-image | |
uses: actions/cache@v3 | |
with: | |
path: result | |
key: cli-ci-image-${{ env.NIX_CHECKSUM }} | |
- name: Install Nix | |
if: steps.cache-image.outputs.cache-hit != 'true' | |
uses: nixbuild/nix-quick-install-action@v17 | |
with: | |
nix_conf: | |
experimental-features = nix-command flakes | |
- name: Run Nix | |
if: steps.cache-image.outputs.cache-hit != 'true' | |
run: | | |
nix profile install nixpkgs#docker | |
nix build .#ci-image | |
- name: Publish base image | |
if: steps.cache-image.outputs.cache-hit != 'true' | |
env: | |
DOCKER_TLS_CERTDIR: "" | |
CI_BASE_IMAGE_PUSH: quay.io/stackstate/stackstate-cli:stackstate-cli2-${{ env.NIX_CHECKSUM }} | |
run: | | |
echo "${{ secrets.QUAY_PASSWORD }}" | docker login --username=${{ secrets.QUAY_USER }} --password-stdin quay.io | |
docker load < result | |
docker tag stackstate-cli2-ci:latest $CI_BASE_IMAGE_PUSH | |
docker push $CI_BASE_IMAGE_PUSH | |
outputs: | |
nixChecksum: ${{ env.NIX_CHECKSUM }} | |
ciImageName: quay.io/stackstate/stackstate-cli:stackstate-cli2-${{ env.NIX_CHECKSUM }} | |
lint: | |
name: Linter | |
needs: setup | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
env: | |
QUAY_USER: ${{ secrets.QUAY_USER }} | |
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Lint | |
uses: ./.github/actions/gobase | |
with: | |
image: ${{ needs.setup.outputs.ciImageName }} | |
run: ./scripts/lint.sh | |
check-open-api: | |
name: OpenAPI check | |
needs: setup | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
env: | |
QUAY_USER: ${{ secrets.QUAY_USER }} | |
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} | |
steps: | |
- uses: actions/checkout@v3 | |
# TODO Needs the open-api repo to be available. | |
- name: Check StackState API up to date | |
if: false | |
uses: ./.github/actions/gobase | |
with: | |
image: ${{ needs.setup.outputs.ciImageName }} | |
run: ./scripts/check_stackstate_api_up-to-date.sh | |
check-license: | |
name: License scan | |
needs: setup | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
env: | |
REPORT_FILE: gl-license-scanning-report.json | |
steps: | |
- uses: actions/checkout@v3 | |
- name: License scanning | |
continue-on-error: true | |
id: run-scan | |
uses: addnab/docker-run-action@v3 | |
with: | |
registry: registry.gitlab.com | |
image: registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 | |
options: -v ${{ github.workspace }}:/workspace -e LM_REPORT_VERSION=2.1 -e CI_PROJECT_DIR=/workspace -e LM_REPORT_FILE=${{ env.REPORT_FILE }} | |
run: | | |
git config --global --add safe.directory ${CI_PROJECT_DIR} | |
/run.sh analyze | |
- name: Save license scan report | |
if: steps.run-scan.outcome == 'success' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: license_scanning | |
path: ${{ env.REPORT_FILE }} | |
check-dependencies: | |
name: Dependency scan | |
needs: setup | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
env: | |
REPORT_FILE: gl-dependency-scanning-report.json | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Dependency scanning | |
continue-on-error: true | |
id: run-scan | |
uses: addnab/docker-run-action@v3 | |
with: | |
registry: registry.gitlab.com | |
image: registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2 | |
options: -v ${{ github.workspace }}:/workspace -e CI_PROJECT_DIR=/workspace | |
run: | | |
git config --global --add safe.directory ${CI_PROJECT_DIR} | |
/analyzer run | |
- name: Save dependency scan report | |
if: steps.run-scan.outcome == 'success' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: dependency_scanning | |
path: ${{ env.REPORT_FILE }} | |
check-go-releaser: | |
name: Go releaser check | |
needs: setup | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
env: | |
QUAY_USER: ${{ secrets.QUAY_USER }} | |
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Go releaser check | |
uses: ./.github/actions/gobase | |
with: | |
image: ${{ needs.setup.outputs.ciImageName }} | |
run: goreleaser check | |
test: | |
name: Tests | |
needs: | |
- setup | |
- lint | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
env: | |
QUAY_USER: ${{ secrets.QUAY_USER }} | |
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Compile test | |
uses: ./.github/actions/gobase | |
with: | |
image: ${{ needs.setup.outputs.ciImageName }} | |
run: ./scripts/test.sh | |
publish: | |
name: Publish the release | |
if: ${{ github.ref_type == 'tag' }} | |
needs: | |
- setup | |
- test | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
env: | |
QUAY_USER: ${{ secrets.QUAY_USER }} | |
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} | |
TAG: ${{ github.ref_name }} | |
S3_BUCKET: "s3://cli-dl.stackstate.com/stackstate-cli/" | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Generate release notes | |
uses: ./.github/actions/quay | |
with: | |
image: quay.io/stackstate/go-rk:v0.2.4 | |
options: > | |
-e RK_JIRA_PROJECT=STAC | |
-e RK_JIRA_URL=https://stackstate.atlassian.net | |
-e RK_JIRA_USER=${{ secrets.JIRA_USER }} | |
-e RK_JIRA_TOKEN=${{ secrets.JIRA_TOKEN }} | |
entrypoint: go-rk | |
run: > | |
release-notes | |
--fix-version cli2-${{ env.TAG }} | |
--output-file /workspace/release-notes.md | |
--title "CLI ${{ env.TAG }}" | |
- name: Save release notes | |
uses: actions/upload-artifact@v3 | |
with: | |
name: release-notes | |
path: release-notes.md | |
- name: Generate JSON release notes | |
uses: ./.github/actions/quay | |
with: | |
image: quay.io/stackstate/go-rk:v0.2.4 | |
options: > | |
-e RK_JIRA_PROJECT=STAC | |
-e RK_JIRA_URL=https://stackstate.atlassian.net | |
-e RK_JIRA_USER=${{ secrets.JIRA_USER }} | |
-e RK_JIRA_TOKEN=${{ secrets.JIRA_TOKEN }} | |
entrypoint: go-rk | |
run: > | |
release-notes | |
--fix-version cli2-${{ env.TAG }} | |
-o json | |
--output-file /workspace/release-notes.json | |
--title "CLI ${{ env.TAG }}" | |
- name: Save JSON release notes | |
uses: actions/upload-artifact@v3 | |
with: | |
name: release-notes-json | |
path: release-notes.json | |
- name: Go releaser publish | |
uses: ./.github/actions/gobase | |
with: | |
image: ${{ needs.setup.outputs.ciImageName }} | |
options: > | |
-e GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
-e AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} | |
-e AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
-e AWS_DEFAULT_REGION=${{ secrets.AWS_DEFAULT_REGION }} | |
run: | | |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login --username=${{ secrets.DOCKER_USER }} --password-stdin docker.io | |
goreleaser release --release-notes release-notes.md | |
mkdir -p dist | |
echo "${{ env.TAG }}" > dist/LATEST_VERSION | |
- name: Publish latest version to S3 | |
uses: keithweaver/[email protected] | |
with: | |
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws_region: ${{ secrets.AWS_DEFAULT_REGION }} | |
command: cp | |
source: dist/LATEST_VERSION | |
destination: ${{ env.S3_BUCKET }} | |
- name: Publish installers to S3 | |
uses: keithweaver/[email protected] | |
with: | |
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID}} | |
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws_region: ${{ secrets.AWS_DEFAULT_REGION }} | |
command: cp | |
source: scripts/publish/installers/ | |
destination: ${{ env.S3_BUCKET }} | |
flags: --recursive |