Merge pull request #918 from google/dependabot/go_modules/github.com/… #1375
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
tags: | |
- v* | |
branches: | |
- main | |
pull_request: | |
merge_group: | |
env: | |
GOPROXY: "https://proxy.golang.org" | |
permissions: | |
# none-all, which doesn't exist, but | |
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow | |
# implies that the token still gets created. Elsewhere we learn that any | |
# permission not mentioned here gets turned to `none`. | |
actions: none | |
jobs: | |
test: | |
strategy: | |
matrix: | |
# macos-latest is slow and has weird test failures with unixgram message sizes, so it's been disabled. | |
# Sync with matrix in ci-done.yml | |
runs-on: [ubuntu-latest, windows-latest] | |
runs-on: ${{ matrix.runs-on }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
cache: true | |
- name: install deps | |
run: go mod download | |
- name: build | |
run: make --debug all | |
- name: test | |
run: | | |
mkdir -p test-results | |
# Don't use GITHUB_SHA as we need the head of the branch, not the | |
# secret merge commit of the PR itself. https://help.github.com/en/actions/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request | |
if [[ ${{ github.event_name }} == 'pull_request' ]]; then | |
echo ${{ github.event.pull_request.head.sha }} > test-results/sha-number | |
else | |
echo ${{ github.sha }} > test-results/sha-number | |
fi | |
make --debug junit-regtest TESTCOVERPROFILE=coverprofile | |
shell: bash | |
- uses: codecov/codecov-action@v4 | |
if: always() | |
with: | |
file: coverprofile | |
- uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: test-results-${{ matrix.runs-on }} | |
path: test-results/ | |
container: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # so that we get tags | |
- run: make --debug container | |
gosec: | |
runs-on: ubuntu-latest | |
# gosec is regularly broken and reporting false positives, don't let it interfere | |
continue-on-error: true | |
permissions: | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: securego/gosec@master | |
with: | |
# we let the report trigger content trigger a failure using the GitHub Security features. | |
args: '-no-fail -exclude-generated -fmt sarif -out results.sarif -tags fuzz ./...' | |
- uses: github/codeql-action/upload-sarif@v3 | |
with: | |
# Path to SARIF file relative to the root of the repository | |
sarif_file: results.sarif | |
fuzz: | |
runs-on: ubuntu-latest | |
container: | |
image: gcr.io/oss-fuzz-base/base-builder | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '^1.x' | |
- uses: actions/cache@v4 | |
id: cache | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: install deps | |
if: steps.cache.output.cache-hit != 'true' | |
run: make --debug install_deps | |
- name: local fuzz regtest | |
run: make --debug CXX=clang LIB_FUZZING_ENGINE=-fsanitize=fuzzer fuzz-regtest |