Potential fix for code scanning alert no. 1: Workflow does not contai… #133
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Go Build & Docker Build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| tags-ignore: | |
| - "*" | |
| paths: | |
| - src/**/* | |
| - .github/workflows/** | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| branches: | |
| - main | |
| paths: | |
| - src/**/* | |
| - .github/workflows/** | |
| permissions: | |
| contents: write | |
| packages: write | |
| issues: write | |
| id-token: write | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| quality: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout code | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Set up Go environment | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "src/go.mod" | |
| cache: true | |
| cache-dependency-path: "**/*.sum" | |
| - name: GolangCI Lint | |
| uses: golangci/golangci-lint-action@v8 | |
| with: | |
| working-directory: src/ | |
| version: latest | |
| - name: StaticCheck | |
| uses: dominikh/staticcheck-action@v1 | |
| with: | |
| working-directory: src/ | |
| version: latest | |
| - name: Run format-check | |
| working-directory: "src/" | |
| run: | | |
| UNFORMATTED=$(gofmt -l .) | |
| if [ -n "$UNFORMATTED" ]; then | |
| echo "The following files are not formatted according to gofmt:" | |
| echo "$UNFORMATTED" | |
| exit 1 | |
| fi | |
| test: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout code | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Set up Go environment | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "src/go.mod" | |
| cache: true | |
| cache-dependency-path: "**/*.sum" | |
| - name: Run tests | |
| working-directory: "src/" | |
| run: go test -race -cover -coverprofile=coverage.txt ./... | |
| - name: Archive code coverage results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: code-coverage | |
| path: "**/coverage.txt" | |
| code_coverage: | |
| name: "Code coverage report" | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| needs: test | |
| permissions: | |
| contents: read | |
| actions: read # to download code coverage results from "test" job | |
| pull-requests: write # write permission needed to comment on PR | |
| steps: | |
| - uses: fgrosse/go-coverage-report@v1.2.0 | |
| with: | |
| root-package: "github.com/${{ github.repository }}/src" | |
| coverage-artifact-name: "code-coverage" | |
| coverage-file-name: "src/coverage.txt" | |
| goreleaser: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - test | |
| - quality | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "src/go.mod" | |
| cache-dependency-path: "**/*.sum" | |
| cache: true | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| args: release --snapshot --clean --config .goreleaser.ci.yaml | |
| workdir: src/ | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload arm64 build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: CalendarAPI-linux-arm64 | |
| path: src/dist/CalendarAPI_linux_arm64_v8.0/calendarapi | |
| if-no-files-found: error | |
| - name: Upload amd64 build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: CalendarAPI-linux-amd64 | |
| path: src/dist/CalendarAPI_linux_amd64_v1/calendarapi | |
| if-no-files-found: error | |
| docker-build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - goreleaser | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - platform: linux/amd64 | |
| os: linux | |
| arch: amd64 | |
| - platform: linux/arm64 | |
| os: linux | |
| arch: arm64 | |
| steps: | |
| - name: set environment variables | |
| run: | | |
| platform=${{ matrix.platform }} | |
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
| image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" | |
| image="$(echo $image | tr '[:upper:]' '[:lower:]')" | |
| echo "FULL_IMAGE_NAME=${image}" >> $GITHUB_ENV | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Pull in platform artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: CalendarAPI-linux-${{ matrix.arch }} | |
| - name: mark artifact as executable | |
| run: | | |
| chmod +x calendarapi | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: ${{ matrix.platform }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| outputs: type=image,name=${{ env.FULL_IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true,annotation-index.org.opencontainers.image.description=CalendarAPI is a service that parses iCal files and exposes their content via gRPC or a REST API. | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: image-digest-${{ env.PLATFORM_PAIR }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| docker-publish: | |
| name: Docker Publish | |
| runs-on: ubuntu-latest | |
| needs: | |
| - docker-build | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: set environment variables | |
| run: | | |
| image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" | |
| image="$(echo $image | tr '[:upper:]' '[:lower:]')" | |
| echo "FULL_IMAGE_NAME=${image}" >> $GITHUB_ENV | |
| - name: Download digests | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp/digests | |
| pattern: image-digest-* | |
| merge-multiple: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.FULL_IMAGE_NAME }} | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.FULL_IMAGE_NAME }}@sha256:%s ' *) | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.FULL_IMAGE_NAME }}:${{ steps.meta.outputs.version }} |