Skip to content

fix: Change semgrep to not use wrapper #283

fix: Change semgrep to not use wrapper

fix: Change semgrep to not use wrapper #283

Workflow file for this run

# This GitHub action can publish assets for release when a tag is created.
# Currently its setup to run on any tag that matches the pattern "v*" (ie. v0.1.0).
#
# This uses an action (paultyng/ghaction-import-gpg) that assumes you set your
# private key in the `GPG_PRIVATE_KEY` secret and passphrase in the `PASSPHRASE`
# secret. If you would rather own your own GPG handling, please fork this action
# or use an alternative one for key handling.
#
# You will need to pass the `--batch` flag to `gpg` in your signing step
# in `goreleaser` to indicate this is being used in a non-interactive mode.
#
name: release
on:
push:
branches:
- master
tags:
- 'v*'
paths-ignore:
- 'CHANGELOG.md'
- '.github/CLEANCHANGELOG.md'
pull_request:
paths:
- .github/workflows/release.yml
- .golangci.yml
- .goreleaser.yml
- .semgrep.yml
- interal/**
- api/**
- powershell/**
- examples/**
- docs/**
- go.sum
- GNUmakefile
- main.go
- staticcheck.conf
- website/**
env:
GO_VERSION: "1.21.5"
GO111MODULE: on
TERRAFORM_VERSION: "1.5.5"
TEST_TIME_OUT: "120s"
RELEASE_TIME_OUT: "30m"
jobs:
go_mod_download:
name: go mod download
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Cache cache-go-pkg-mod
uses: actions/[email protected]
continue-on-error: true
id: cache-go-pkg-mod
timeout-minutes: 2
with:
path: ~/go/pkg/mod
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
- if: steps.cache-go-pkg-mod.outputs.cache-hit != 'true' || steps.cache-go-pkg-mod.outcome == 'failure'
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- if: steps.cache-go-pkg-mod.outputs.cache-hit != 'true' || steps.cache-go-pkg-mod.outcome == 'failure'
name: go mod download
run: go mod download
go_build:
name: go build
needs: [go_mod_download]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Cache cache-terraform-plugin-dir
uses: actions/[email protected]
continue-on-error: true
id: cache-terraform-plugin-dir
timeout-minutes: 2
with:
path: terraform-plugin-dir
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-terraform-plugin-dir-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- if: steps.cache-terraform-plugin-dir.outputs.cache-hit != 'true' || steps.cache-terraform-plugin-dir.outcome == 'failure'
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- if: steps.cache-terraform-plugin-dir.outputs.cache-hit != 'true' || steps.cache-terraform-plugin-dir.outcome == 'failure'
name: go env
run: |
echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
- if: steps.cache-terraform-plugin-dir.outputs.cache-hit != 'true' || steps.cache-terraform-plugin-dir.outcome == 'failure'
uses: actions/[email protected]
with:
path: ${{ env.GOCACHE }}
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-GOCACHE-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- if: steps.cache-terraform-plugin-dir.outputs.cache-hit != 'true' || steps.cache-terraform-plugin-dir.outcome == 'failure'
uses: actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
- if: steps.cache-terraform-plugin-dir.outputs.cache-hit != 'true' || steps.cache-terraform-plugin-dir.outcome == 'failure'
name: go build
run: go build -o terraform-plugin-dir/registry.terraform.io/hashicorp/hyperv/99.99.99/linux_amd64/terraform-provider-hyperv_v99.99.99
terraform_providers_schema:
name: terraform providers schema
needs: [go_build]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Cache cache-terraform-providers-schema
uses: actions/[email protected]
continue-on-error: true
id: cache-terraform-providers-schema
timeout-minutes: 2
with:
path: terraform-providers-schema
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-terraform-providers-schema-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- if: steps.cache-terraform-providers-schema.outputs.cache-hit != 'true' || steps.cache-terraform-providers-schema.outcome == 'failure'
uses: actions/[email protected]
timeout-minutes: 2
with:
path: terraform-plugin-dir
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-terraform-plugin-dir-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- if: steps.cache-terraform-providers-schema.outputs.cache-hit != 'true' || steps.cache-terraform-providers-schema.outcome == 'failure'
uses: hashicorp/[email protected]
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false
- if: steps.cache-terraform-providers-schema.outputs.cache-hit != 'true' || steps.cache-terraform-providers-schema.outcome == 'failure'
name: terraform init
run: |
# We need a file to initialize the provider
echo 'resource "hyperv_network_switch" "dmz_network_switch" {name = "dmz"}' > example.tf
terraform init -plugin-dir terraform-plugin-dir
- if: steps.cache-terraform-providers-schema.outputs.cache-hit != 'true' || steps.cache-terraform-providers-schema.outcome == 'failure'
name: terraform providers schema
run: |
mkdir terraform-providers-schema
terraform providers schema -json > terraform-providers-schema/schema.json
go_generate:
name: go generate
needs: [go_build]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: go env
run: |
echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ${{ env.GOCACHE }}
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-GOCACHE-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ~/go/pkg/mod
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
- run: go generate ./...
- name: Check for Git Differences
run: |
git diff --exit-code || \
(echo; echo "Unexpected difference in directories after code generation. Run 'go generate ./...' command and commit."; exit 1)
go_test:
name: go test
needs: [go_build]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: go env
run: |
echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ${{ env.GOCACHE }}
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-GOCACHE-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ~/go/pkg/mod
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
- run: go test ./... -timeout=${{ env.TEST_TIME_OUT }}
golangci-lint:
needs: [go_build]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: go env
run: |
echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ${{ env.GOCACHE }}
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-GOCACHE-${{ hashFiles('go.sum') }}-${{ hashFiles('internal/**', 'api/**', 'powershell/**') }}
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ~/go/pkg/mod
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
- run: go get -d github.com/golangci/golangci-lint/cmd/golangci-lint
- run: go install github.com/golangci/golangci-lint/cmd/golangci-lint
- run: golangci-lint run
semgrep:
# User definable name of this GitHub Actions job.
name: semgrep/ci
# If you are self-hosting, change the following `runs-on` value:
runs-on: ubuntu-latest
container:
# A Docker image with Semgrep installed. Do not change this.
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source with GitHub Actions Checkout.
- uses: actions/checkout@v3
with:
fetch-depth: 0
# Run the "semgrep ci" command on the command line of the docker image.
- run: semgrep ci --no-suppress-errors
env:
# Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
# Generate a token from Semgrep Cloud Platform > Settings
# and add it to your GitHub secrets.
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
goreleaser:
needs: [go_mod_download]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/[email protected]
continue-on-error: true
timeout-minutes: 2
with:
path: ~/go/pkg/mod
key: ${{ hashFiles('.github/workflows/release.yml') }}-${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
- name: goreleaser check
continue-on-error: true
uses: goreleaser/[email protected]
with:
args: check
- name: Import GPG key
id: import_gpg
uses: crazy-max/[email protected]
if: startsWith(github.ref, 'refs/tags/v')
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
#passphrase: ${{ secrets.PASSPHRASE }}
- name: Get tag_name
id: tag_name
if: startsWith(github.ref, 'refs/tags/v')
run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
- name: goreleaser release
uses: goreleaser/[email protected]
if: startsWith(github.ref, 'refs/tags/v')
with:
version: latest
args: release --rm-dist --timeout ${{ env.RELEASE_TIME_OUT }} --release-notes=.github/CLEANCHANGELOG.md
env:
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ steps.tag_name.outputs.VERSION }}
- name: Create Changelog
id: release_number_and_changelog
uses: taliesins/conventional-changelog-action@releases/v3
if: "!(startsWith(github.ref, 'refs/tags/v'))"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
skip-version-file: 'true'
skip-on-empty: 'false'
skip-commit: 'true'
skip-tag: 'true'
dry-run: 'true'
tag-prefix: 'v'
output-file: 'CHANGELOG.md'
- name: Create clean changelog
uses: "finnp/create-file-action@master"
if: "!(startsWith(github.ref, 'refs/tags/v'))"
env:
FILE_NAME: ".github/CLEANCHANGELOG.md"
FILE_DATA: ${{ steps.release_number_and_changelog.outputs.clean_changelog }}
- name: Get release information
if: "!(startsWith(github.ref, 'refs/tags/v'))"
env:
CLEAN_CHANGELOG: ${{ steps.release_number_and_changelog.outputs.clean_changelog }}
CHANGELOG: ${{ steps.release_number_and_changelog.outputs.changelog }}
VERSION: ${{ steps.release_number_and_changelog.outputs.version }}
OLDVERSION: ${{ steps.release_number_and_changelog.outputs.old_version }}
TAG: ${{ steps.release_number_and_changelog.outputs.tag }}
SKIPPED: ${{ steps.release_number_and_changelog.outputs.skipped }}
run: |
echo "clean_changelog: $CLEAN_CHANGELOG"
echo "changelog: $CHANGELOG"
echo "version: $VERSION"
echo "old_version: $OLDVERSION"
echo "tag: $TAG"
echo "skipped: $SKIPPED"
- name: goreleaser snapshot
uses: goreleaser/[email protected]
if: "!(startsWith(github.ref, 'refs/tags/v'))"
with:
args: release --rm-dist --skip-sign --snapshot --timeout ${{ env.RELEASE_TIME_OUT }} --release-notes=.github/CLEANCHANGELOG.md
env:
GORELEASER_CURRENT_TAG: v0.0.0
GORELEASER_PREVIOUS_TAG: v0.0.0
- name: snapshot artifact naming
id: naming
if: "!(startsWith(github.ref, 'refs/tags/v'))"
run: |
case $GITHUB_REF in
refs/heads/*)
ARTIFACT="${GITHUB_REF#refs/heads/}";;
refs/pull/*)
ARTIFACT="pr-${GITHUB_REF#refs/pull/}"
ARTIFACT="${ARTIFACT%/merge}";;
*)
ARTIFACT="${GITHUB_REF}";;
esac
echo "::set-output name=artifact::$ARTIFACT-$(date -u +'%Y-%m-%dT%H-%M')"
- name: upload snapshot artifact
uses: actions/upload-artifact@v3
if: "!(startsWith(github.ref, 'refs/tags/v'))"
with:
name: ${{steps.naming.outputs.artifact}}
path: dist/*.zip