- Updated to Go 1.21.9 to address CVE-2023-45288 #78
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release Build | |
on: | |
push: | |
tags: | |
- 'v[0-9].[0-9]+.[0-9]+' | |
env: | |
GO_VERSION: 1.21.9 | |
jobs: | |
cache-deps: | |
name: cache-deps (linux) | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Setup dep cache | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Pull go deps | |
run: go mod download | |
lint: | |
name: lint (linux) | |
runs-on: ubuntu-20.04 | |
needs: cache-deps | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Setup build tool cache | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Lint | |
run: make lint | |
- name: Tidy check | |
run: make tidy-check | |
- name: Generate check | |
run: make generate-check | |
- name: Shell check | |
run: shellcheck .github/workflows/scripts/*.sh | |
unit-test: | |
strategy: | |
matrix: | |
OS: [ubuntu-20.04, macos-latest] | |
runs-on: ${{ matrix.OS }} | |
needs: cache-deps | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Run unit tests | |
run: ./.github/workflows/scripts/run_unit_tests.sh | |
unit-test-race-detector: | |
name: unit-test (linux with race detection) | |
runs-on: ubuntu-20.04 | |
needs: cache-deps | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Run unit tests | |
run: ./.github/workflows/scripts/run_unit_tests_under_race_detector.sh | |
artifacts: | |
name: artifacts (linux) | |
runs-on: ubuntu-20.04 | |
needs: [cache-deps, images] | |
timeout-minutes: 30 | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main | |
- name: Download archived images | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: images | |
path: . | |
- name: Expand archived images | |
run: | | |
tar xvf images.tar.gz | |
- name: Build artifacts | |
run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }} | |
- name: Archive artifacts | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4 | |
with: | |
name: binaries-linux | |
path: ./artifacts/ | |
images: | |
name: images (linux) | |
runs-on: ubuntu-20.04 | |
needs: [cache-deps] | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Load cached build tools | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Build images | |
run: TAG=${GITHUB_REF##refs/tags/v} make images-no-load | |
- name: Export images | |
run: tar -czvf images.tar.gz *-image.tar | |
- name: Archive images | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4 | |
with: | |
name: images | |
path: images.tar.gz | |
images-windows: | |
name: images (windows) | |
runs-on: windows-2022 | |
needs: artifacts-windows | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Load cached executables | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ./bin/ | |
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }} | |
- name: Build images | |
run: make images-windows | |
- name: Export images | |
run: | | |
docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar | |
gzip images-windows.tar | |
- name: Archive images | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4 | |
with: | |
name: images-windows | |
path: images-windows.tar.gz | |
build-matrix: | |
name: Build matrix | |
runs-on: ubuntu-20.04 | |
needs: [cache-deps] | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- id: set-matrix | |
name: Collect versions | |
run: | | |
json_array=$(bash ./.github/workflows/scripts/find_k8s.sh) | |
echo "test=$json_array" >> $GITHUB_OUTPUT | |
echo "Collected tests: $json_array" | |
outputs: | |
test: ${{ steps.set-matrix.outputs.test }} | |
integration: | |
name: integration (linux) | |
runs-on: ubuntu-20.04 | |
needs: [cache-deps, images] | |
permissions: | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
num_runners: [5] | |
runner_id: [1, 2, 3, 4, 5] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
# The "upgrade" integration test needs the history to ensure | |
# that the version number in the source code has been bumped as | |
# expected. This action does not fetch tags unless we supply a | |
# fetch depth of zero. | |
fetch-depth: 0 | |
# Even though we've just checked out the code, checkout@v2 has a bug | |
# where it overwrites the local annotated tag, dropping the annotation. | |
# The "upgrade" integration test is designed to only consider annotated | |
# tags as version tags. We don't really want to soften this stance, so | |
# instead we'll re-fetch the tags. | |
# | |
# See https://github.com/actions/checkout/issues/290 | |
- name: Fix tag annotations | |
run: git fetch --tags --force | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Load cached build tools | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Download archived images | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: images | |
path: . | |
- name: Load archived images | |
run: | | |
tar xvf images.tar.gz | |
make load-images | |
- name: Run integration tests | |
env: | |
NUM_RUNNERS: ${{ matrix.num_runners }} | |
THIS_RUNNER: ${{ matrix.runner_id }} | |
TERM: dumb | |
# We don't need to specify CICD_TARGET_BRANCH since the upgrade | |
# integration test will detect the annotated tag for version checking. | |
# CICD_TARGET_BRANCH: | |
run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh | |
integration-k8s: | |
name: integration-k8s | |
runs-on: ubuntu-20.04 | |
needs: [cache-deps, images, build-matrix] | |
timeout-minutes: 45 | |
permissions: | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
num_runners: [1] | |
runner_id: [1] | |
#Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion] | |
test: ${{ fromJson(needs.build-matrix.outputs.test) }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
# The "upgrade" integration test needs the history to ensure | |
# that the version number in the source code has been bumped as | |
# expected. This action does not fetch tags unless we supply a | |
# fetch depth of zero. | |
fetch-depth: 0 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Load cached build tools | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Download archived images | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: images | |
path: . | |
- name: Load archived images | |
run: | | |
tar xvf images.tar.gz | |
make load-images | |
- name: Run k8s integration | |
env: | |
NUM_RUNNERS: ${{ matrix.num_runners }} | |
THIS_RUNNER: ${{ matrix.runner_id }} | |
KUBECTLVERSION: ${{ matrix.test[0] }} | |
K8SIMAGE: ${{ matrix.test[1] }} | |
KINDVERSION: ${{ matrix.test[2] }} | |
TERM: dumb | |
CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }} | |
run: ./.github/workflows/scripts/split_k8s.sh | xargs ./test/integration/test-k8s.sh | |
integration-windows: | |
name: integration (windows) | |
runs-on: windows-2022 | |
needs: images-windows | |
permissions: | |
contents: read | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Load cached build tools | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Install msys2 | |
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 | |
with: | |
msystem: MINGW64 | |
update: true | |
path-type: inherit | |
install: >- | |
git base-devel mingw-w64-x86_64-toolchain unzip | |
- name: Download archived images | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: images-windows | |
path: . | |
- name: Load archived images | |
run: docker load -i images-windows.tar.gz | |
- name: Run integration tests | |
# Run all tests for now | |
run: make integration-windows | |
cache-deps-windows: | |
name: cache-deps (windows) | |
runs-on: windows-2022 | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Setup dep cache | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Pull go deps | |
run: go mod download | |
lint-windows: | |
name: lint (windows) | |
runs-on: windows-2022 | |
needs: cache-deps-windows | |
permissions: | |
contents: read | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Setup build tool cache | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Install msys2 | |
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 | |
with: | |
msystem: MINGW64 | |
update: true | |
install: >- | |
git base-devel mingw-w64-x86_64-toolchain unzip | |
- name: Lint | |
run: make lint-code | |
- name: Tidy check | |
run: make tidy-check | |
- name: Generate check | |
run: make generate-check | |
unit-test-windows: | |
name: unit-test (windows) | |
runs-on: windows-2022 | |
needs: cache-deps-windows | |
permissions: | |
contents: read | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Install msys2 | |
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 | |
with: | |
msystem: MINGW64 | |
update: true | |
install: >- | |
git base-devel mingw-w64-x86_64-toolchain unzip | |
- name: Run unit tests | |
run: ./.github/workflows/scripts/run_unit_tests.sh | |
artifacts-windows: | |
name: artifacts (windows) | |
runs-on: windows-2022 | |
needs: cache-deps-windows | |
permissions: | |
contents: read | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Setup go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Load cached deps | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Load cached build tools | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .build | |
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }} | |
- name: Install msys2 | |
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 | |
with: | |
msystem: MINGW64 | |
update: true | |
install: >- | |
git base-devel mingw-w64-x86_64-toolchain zip unzip | |
- name: Build binaries | |
run: make build | |
- name: Build artifacts | |
run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }} | |
- name: Setup executables cache | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: ./bin/ | |
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }} | |
- name: Archive artifacts | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4 | |
with: | |
name: binaries-windows | |
path: ./artifacts/ | |
publish-artifacts: | |
runs-on: ubuntu-20.04 | |
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows] | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Download archived Linux artifacts | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: binaries-linux | |
path: ./artifacts/ | |
- name: Download archived Windows artifacts | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: binaries-windows | |
path: ./artifacts/ | |
- name: Create Release | |
env: | |
# GH_REPO is required for older releases of `gh`. Until we're | |
# reasonably confident that that the gh release is new enough, | |
# set GH_REPO to the repository to create the release in. | |
# | |
# See https://github.com/cli/cli/issues/3556 | |
GH_REPO: ${{ github.repository }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Create the release using the version number as the title | |
run: gh release create "${GITHUB_REF#refs/tags/}" ./artifacts/*.zip ./artifacts/*.tar.gz ./artifacts/*.txt --title "${GITHUB_REF#refs/tags/}" | |
publish-images: | |
runs-on: ubuntu-20.04 | |
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows] | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Install cosign | |
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 | |
with: | |
cosign-release: v2.2.3 | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main | |
- name: Download archived images | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: images | |
path: . | |
- name: Log in to GHCR | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push images | |
run: | | |
tar xzvf images.tar.gz | |
./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" |