-
Notifications
You must be signed in to change notification settings - Fork 82
74 lines (69 loc) · 2.54 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: CI
on:
push:
branches: [ 'v8' ]
paths-ignore:
- '**.md' # Don't run CI on markdown changes.
pull_request:
branches: [ 'v8', 'feat/**' ]
paths-ignore:
- '**.md'
jobs:
go-versions:
uses: ./.github/workflows/go-versions.yml
# Runs the common tasks (unit tests, lint, benchmarks, installation test)
# against each Go version in the matrix.
go-matrix:
name: ${{ format('Go {0}', matrix.go-version) }}
needs: go-versions
strategy:
# Let jobs fail independently, in case it's a single version that's broken.
fail-fast: false
matrix:
go-version: ${{ fromJSON(needs.go-versions.outputs.matrix) }}
uses: ./.github/workflows/common_ci.yml
with:
go-version: ${{ matrix.go-version }}
# Integration tests run only on the latest Go version since they are more
# time intensive, and we'd likely be rate-limited by LaunchDarkly SaaS if we
# ran them in parallel for multiple Go versions.
integration-test:
needs: go-versions
uses: ./.github/workflows/integration-test.yml
with:
environment: 'staging'
go-version: ${{ needs.go-versions.outputs.latest }}
security-scan:
needs: go-versions
runs-on: ubuntu-latest
name: "Trivy Scan of Docker Image"
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: 'true'
- name: Setup Go ${{ inputs.go-version }}
uses: actions/setup-go@v4
with:
go-version: ${{ needs.go-versions.outputs.latest }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
- name: Build Docker Images
run: make products-for-release
- name: Get current Relay version
id: image-tag
run:
echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
- uses: aquasecurity/trivy-action@master
with:
# Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built.
# It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step
# as we do for CI, so the scan will end up checking the public image instead of the one we just built.
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true