diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml index 58da4b9dddc..d78e5fc77dc 100644 --- a/.github/workflows/depsreview.yaml +++ b/.github/workflows/depsreview.yaml @@ -1,15 +1,12 @@ name: 'Dependency Review' on: [pull_request] - jobs: dependency-review: runs-on: ubuntu-latest - permissions: contents: read - steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # ratchet:actions/dependency-review-action@v3 diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml index 7eddbd6b6d4..46ed9488b94 100644 --- a/.github/workflows/nightly_build.yaml +++ b/.github/workflows/nightly_build.yaml @@ -4,25 +4,21 @@ on: # Random minute number to avoid GH scheduler stampede - cron: '37 21 * * *' workflow_dispatch: {} - env: NIGHTLY: true - jobs: build-and-publish-images: runs-on: ubuntu-20.04 - permissions: contents: read packages: write - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Build images run: make images scratch-images - name: Log in to GCR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2 with: registry: gcr.io username: _json_key @@ -30,7 +26,7 @@ jobs: - name: Push images run: ./.github/workflows/scripts/push-images.sh nightly - name: Log in to GHCR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index 4bed964df63..cdd34be7b01 100644 
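Review bot: The trailing comment on each pinned `uses:` line records only the moving major tag (`# ratchet:actions/checkout@v3`), so nothing in the diff lets a reviewer confirm that `755da8c3cf115ac066823e79a1e1788f8940201b` or `0ff3da6f81b812d4ec3cf37a04e2308c7a723730` is the commit that tag pointed at. Before merging, resolve each SHA against the upstream repository's tags and state the matching release in the commit description. This applies equally to every pinned action in nightly_build.yaml, pr_build.yaml and release_build.yaml. A full-SHA pin also freezes out upstream security fixes, so pair the change with an automated updater for the `github-actions` ecosystem or a scheduled ratchet run; whether one is already configured is not visible here.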
--- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -6,52 +6,46 @@ env: GO_VERSION: 1.19.4 permissions: contents: read - jobs: cache-deps: name: cache-deps (linux) runs-on: ubuntu-20.04 - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Setup dep cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Pull go deps run: go mod download - lint: name: lint (linux) runs-on: ubuntu-20.04 needs: cache-deps - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Setup build tool cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} 
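Review bot: The blank lines that separated top-level keys and jobs (before `jobs:`, `permissions:`, `steps:` and between `cache-deps` and `lint`) are deleted in this hunk and in every later one, which looks like a side effect of the pinning tool re-serialising the YAML rather than an intended change. That mixes a large amount of whitespace churn into a security-relevant diff and makes the SHA substitutions harder to audit. In release_build.yaml it also joins the `needs:` list of `publish-artifacts` into a single line well over 120 characters. Consider restoring the separators, or landing the reformat as its own commit, so that this change touches only the `uses:` lines.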
@@ -65,77 +59,68 @@ jobs: run: make generate-check - name: Shell check run: shellcheck .github/workflows/scripts/*.sh - unit-test: strategy: matrix: OS: [ubuntu-20.04, macos-latest] runs-on: ${{ matrix.OS }} needs: cache-deps - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Run unit tests run: ./.github/workflows/scripts/run_unit_tests.sh - unit-test-race-detector: name: unit-test (linux with race detection) runs-on: ubuntu-20.04 needs: cache-deps - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Run unit tests run: ./.github/workflows/scripts/run_unit_tests_under_race_detector.sh - artifacts: name: artifacts (linux) runs-on: ubuntu-20.04 needs: [cache-deps] - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: 
actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} @@ -144,33 +129,30 @@ jobs: - name: Build artifacts run: ./.github/workflows/scripts/build_artifacts.sh - name: Archive artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: binaries path: ./artifacts/ - images: name: images (linux) runs-on: ubuntu-20.04 needs: [cache-deps] - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} 
@@ -181,24 +163,21 @@ jobs: - name: Export images run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz - name: Archive images - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: images path: images.tar.gz - images-windows: name: images (windows) runs-on: windows-2022 needs: artifact-windows - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Download artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: bin-windows path: ./bin/ 
@@ -209,32 +188,29 @@ jobs: docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar gzip images-windows.tar - name: Archive images - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: images-windows path: images-windows.tar.gz - scratch-images: runs-on: ubuntu-20.04 needs: [cache-deps] - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} @@ -245,19 +221,16 @@ jobs: - name: Export scratch images run: docker save spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local oidc-discovery-provider-scratch:latest-local | gzip > scratch-images.tar.gz - name: Archive scratch images - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: scratch-images path: scratch-images.tar.gz - integration: name: integration (linux) runs-on: ubuntu-20.04 needs: [cache-deps, images, scratch-images] - permissions: contents: read - strategy: fail-fast: false matrix: 
@@ -265,7 +238,7 @@ jobs: runner_id: [1, 2, 3, 4, 5] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 with: # The "upgrade" integration test needs the history to ensure # that the version number in the source code has been bumped as @@ -273,28 +246,28 @@ jobs: # fetch depth of zero. fetch-depth: 0 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Download archived images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: images path: . - name: Download archived scratch images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: scratch-images path: . 
@@ -309,50 +282,44 @@ jobs: TERM: dumb CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }} run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh - integration-windows: name: integration (windows) runs-on: windows-2022 needs: images-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true path-type: inherit install: >- - git - base-devel - mingw-w64-x86_64-toolchain - unzip + git base-devel mingw-w64-x86_64-toolchain unzip - name: Download archived images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: images-windows path: . 
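Review bot: Pinning `msys2/setup-msys2` to `d40200dc2db4c351366b048a9565ad82919e1c24` fixes the action's own code, but the step still runs with `update: true` and an unversioned `install:` list, so the MSYS2 base system and `mingw-w64-x86_64-toolchain` are whatever the package mirrors serve at run time. A comment on the step should say so, for example `# NOTE: action is SHA-pinned; the packages below are not pinned and float with the MSYS2 repos`. The same step appears in the lint-windows, unit-test-windows and artifact-windows jobs later in this file and in the Windows jobs of release_build.yaml, where it appears to feed the released binaries. The rewrite of `install: >-` onto one line preserves the value, since the folded scalar already joined those lines with spaces.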
@@ -361,162 +328,140 @@ jobs: - name: Run integration tests # Run all tests for now run: make integration-windows - cache-deps-windows: name: cache-deps (windows) runs-on: windows-2022 - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Setup dep cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Pull go deps run: go mod download - lint-windows: name: lint (windows) runs-on: windows-2022 needs: cache-deps-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Setup build tool cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true install: >- - git - base-devel - 
mingw-w64-x86_64-toolchain - unzip + git base-devel mingw-w64-x86_64-toolchain unzip - name: Lint run: make lint-code - name: Tidy check run: make tidy-check - name: Generate check run: make generate-check - unit-test-windows: name: unit-test (windows) runs-on: windows-2022 needs: cache-deps-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true install: >- - git - base-devel - mingw-w64-x86_64-toolchain - unzip + git base-devel mingw-w64-x86_64-toolchain unzip - name: Run unit tests run: ./.github/workflows/scripts/run_unit_tests.sh - artifact-windows: name: artifact (windows) runs-on: windows-2022 needs: cache-deps-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - 
name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true install: >- - git - base-devel - mingw-w64-x86_64-toolchain - zip - unzip + git base-devel mingw-w64-x86_64-toolchain zip unzip - name: Build artifacts run: ./.github/workflows/scripts/build_artifacts.sh - name: Archive binaries - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: bin-windows path: ./bin/ - name: Archive artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: binaries path: ./artifacts/ diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index 447c8e7bce0..48cec564817 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml 
@@ -9,47 +9,42 @@ jobs: cache-deps: name: cache-deps (linux) runs-on: ubuntu-20.04 - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Setup dep cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Pull go deps run: go mod download - lint: name: lint (linux) runs-on: ubuntu-20.04 needs: cache-deps - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Setup build tool cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} 
@@ -63,77 +58,68 @@ jobs: run: make generate-check - name: Shell check run: shellcheck .github/workflows/scripts/*.sh - unit-test: strategy: matrix: OS: [ubuntu-20.04, macos-latest] runs-on: ${{ matrix.OS }} needs: cache-deps - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Run unit tests run: ./.github/workflows/scripts/run_unit_tests.sh - unit-test-race-detector: name: unit-test (linux with race detection) runs-on: ubuntu-20.04 needs: cache-deps - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Run unit tests run: ./.github/workflows/scripts/run_unit_tests_under_race_detector.sh - artifacts: name: artifacts (linux) runs-on: ubuntu-20.04 needs: [cache-deps] - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: 
actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} @@ -142,33 +128,30 @@ jobs: - name: Build artifacts run: ./.github/workflows/scripts/build_artifacts.sh - name: Archive artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: binaries path: ./artifacts/ - images: name: images (linux) runs-on: ubuntu-20.04 needs: [cache-deps] - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} 
@@ -179,24 +162,21 @@ jobs: - name: Export images run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz - name: Archive images - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: images path: images.tar.gz - images-windows: name: images (windows) runs-on: windows-2022 needs: artifact-windows - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Download artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: bin-windows path: ./bin/ 
@@ -207,32 +187,29 @@ jobs: docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar gzip images-windows.tar - name: Archive images - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: images-windows path: images-windows.tar.gz - scratch-images: runs-on: ubuntu-20.04 needs: [cache-deps] - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} @@ -243,19 +220,16 @@ jobs: - name: Export scratch images run: docker save spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local oidc-discovery-provider-scratch:latest-local | gzip > scratch-images.tar.gz - name: Archive scratch images - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: scratch-images path: scratch-images.tar.gz - integration: name: integration (linux) runs-on: ubuntu-20.04 needs: [cache-deps, images, scratch-images] - permissions: contents: read - strategy: fail-fast: false matrix: 
@@ -263,7 +237,7 @@ jobs: runner_id: [1, 2, 3, 4, 5] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 with: # The "upgrade" integration test needs the history to ensure # that the version number in the source code has been bumped as @@ -280,28 +254,28 @@ jobs: - name: Fix tag annotations run: git fetch --tags --force - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Download archived images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: images path: . - name: Download archived scratch images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: scratch-images path: . 
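Review bot: The `Load cached build tools` step in the release workflow's integration job (the `@@ -280` hunk) still restores `.build` with the prefix fallback `restore-keys: ${{ runner.os }}-tools-`, so when no cache exists for the exact `github.sha` it accepts the most recent tool cache written by an earlier run. With the actions now pinned by SHA, this fallback is one of the remaining places where content not fixed by the tagged commit can enter a release run. For release_build.yaml, consider dropping the two `restore-keys` lines so that only an exact-key cache is used, or rebuilding the tools instead of caching them. The same fallback is visible in the integration-windows, lint-windows and artifact-windows jobs in later hunks of this file; which refs can write such a cache depends on repository settings not shown here.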
@@ -318,50 +292,44 @@ jobs: # integration test will detect the annotated tag for version checking. # CICD_TARGET_BRANCH: run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh - integration-windows: name: integration (windows) runs-on: windows-2022 needs: images-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true path-type: inherit install: >- - git - base-devel - mingw-w64-x86_64-toolchain - unzip + git base-devel mingw-w64-x86_64-toolchain unzip - name: Download archived images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: images-windows path: . 
@@ -370,179 +338,153 @@ jobs: - name: Run integration tests # Run all tests for now run: make integration-windows - cache-deps-windows: name: cache-deps (windows) runs-on: windows-2022 - permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Setup dep cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Pull go deps run: go mod download - lint-windows: name: lint (windows) runs-on: windows-2022 needs: cache-deps-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Setup build tool cache - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true install: >- - git - base-devel - 
mingw-w64-x86_64-toolchain - unzip + git base-devel mingw-w64-x86_64-toolchain unzip - name: Lint run: make lint-code - name: Tidy check run: make tidy-check - name: Generate check run: make generate-check - unit-test-windows: name: unit-test (windows) runs-on: windows-2022 needs: cache-deps-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true install: >- - git - base-devel - mingw-w64-x86_64-toolchain - unzip + git base-devel mingw-w64-x86_64-toolchain unzip - name: Run unit tests run: ./.github/workflows/scripts/run_unit_tests.sh - artifact-windows: name: artifact (windows) runs-on: windows-2022 needs: cache-deps-windows - permissions: contents: read - defaults: run: shell: msys2 {0} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Setup go - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} - name: Load cached deps - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - 
name: Load cached build tools - uses: actions/cache@v3 + uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # ratchet:actions/cache@v3 with: path: .build key: ${{ runner.os }}-tools-${{ github.sha }} restore-keys: | ${{ runner.os }}-tools- - name: Install msys2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@d40200dc2db4c351366b048a9565ad82919e1c24 # ratchet:msys2/setup-msys2@v2 with: msystem: MINGW64 update: true install: >- - git - base-devel - mingw-w64-x86_64-toolchain - zip - unzip + git base-devel mingw-w64-x86_64-toolchain zip unzip - name: Build artifacts run: ./.github/workflows/scripts/build_artifacts.sh - name: Archive binaries - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: bin-windows path: ./bin/ - name: Archive artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 with: name: binaries path: ./artifacts/ - publish-artifacts: runs-on: ubuntu-20.04 - needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, - lint-windows, unit-test-windows, artifact-windows, integration-windows] - + needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifact-windows, integration-windows] permissions: contents: read - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Download archived artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: binaries path: ./artifacts/ 
@@ -557,25 +499,22 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Create the release using the version number as the title run: gh release create "${GITHUB_REF#refs/tags/}" ./artifacts/*.zip ./artifacts/*.tar.gz ./artifacts/*.txt --title "${GITHUB_REF#refs/tags/}" - publish-images: runs-on: ubuntu-20.04 needs: [lint, unit-test, unit-test-race-detector, artifacts, integration] - permissions: contents: read packages: write - steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3 - name: Download archived images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: images path: . - name: Download archived scratch images - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 with: name: scratch-images path: . @@ -584,7 +523,7 @@ jobs: - name: Load archived scratch images run: zcat scratch-images.tar.gz | docker load - name: Log in to GCR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2 with: registry: gcr.io username: _json_key @@ -592,7 +531,7 @@ jobs: - name: Push images run: ./.github/workflows/scripts/push-images.sh "${GITHUB_REF}" - name: Log in to GHCR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }}
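Review bot: The `gh release create` step shown as context at the top of the `@@ -557` hunk authenticates with `secrets.GITHUB_TOKEN`, yet the only `permissions:` block visible for `publish-artifacts` (at the end of the previous hunk) is `contents: read`, and creating a release requires `contents: write`. The lines between the two hunks are not shown, so confirm that the step belongs to that job. If it does, the job needs `contents: write` under its own `permissions:`, scoped to `publish-artifacts` only so the other jobs stay read-only. The job body starts outside this hunk.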