Skip to content
Build, Test, and Lint

Add check_approvals action to build-dev workflow #642

Sign in to view logs

Add check_approvals action to build-dev workflow

Add check_approvals action to build-dev workflow #642

Workflow file for this run

.github/workflows/build-dev.yaml at 9804745
name: Build, Test, and Lint
on:
push:
branches:
- main
- 'release-*'
pull_request:
paths:
- '.github/**'
pull_request_target:
paths-ignore:
- '.github/**'
jobs:
check_approvals:
# Run this job only if the following conditions are met:
# 1. The pull request has the 'integration-test' label.
# 2. The event is either:
# a. A 'pull_request' event where the base and head repositories are the same (internal PR).
# b. A 'pull_request_target' event where the base and head repositories are different (external PR).
if: ${{ contains(github.event.pull_request.labels.*.name, 'integration-test') && ( github.event_name == 'pull_request' && github.event.pull_request.base.repo.clone_url == github.event.pull_request.head.repo.clone_url || github.event_name == 'pull_request_target' && github.event.pull_request.base.repo.clone_url != github.event.pull_request.head.repo.clone_url ) }}
runs-on: self-hosted-nutanix-medium
outputs:
# Output the approval status for pull_request_target events, otherwise default to 'true'
check_approvals: ${{ github.event_name == 'pull_request_target' && steps.check_approvals.outputs.check_approvals || 'true' }}
# Output whether the PR is external
external_pr: ${{ github.event.pull_request.base.repo.clone_url != github.event.pull_request.head.repo.clone_url }}
steps:
- name: Check integration test allowance status
# Only run this step for pull_request_target events
if: ${{ github.event_name == 'pull_request_target' }}
id: check_approvals
# Use an external action to check if the PR has the necessary approvals
uses: nutanix-cloud-native/action-check-approvals@v1
build-container:
needs: check_approvals
runs-on: ubuntu-latest
env:
EXPORT_RESULT: true
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: "${{ github.event.pull_request.head.sha }}"
- name: Install devbox
uses: jetify-com/devbox-install-action@v0.11.0
with:
enable-cache: "true"
- uses: actions/cache@v4
with:
path: |
~/.cache/golangci-lint
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Test build
run: devbox run -- make build
- name: Run unit tests
run: devbox run -- make unit-test
# gocov-xml expects things to be properly placed under go path.
# GHA clones into /home/runner/work/repository so we create
# the directory under the right path and link it
- run: mkdir -p /home/runner/go/src/github.com/nutanix-cloud-native/ && ln -s /home/runner/work/cloud-provider-nutanix/cloud-provider-nutanix /home/runner/go/src/github.com/nutanix-cloud-native
- name: Run coverage report
run: devbox run -- make coverage
- name: Codecov
uses: codecov/codecov-action@v4.5.0
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
file: ./coverage.xml # Replace with the path to your coverage report
fail_ci_if_error: true
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.29.0
env:
TRIVY_DB_REPOSITORY: "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db"
with:
scan-type: "fs"
ignore-unfixed: true
format: "table"
exit-code: "1"
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
e2e:
strategy:
matrix:
e2e-labels:
- "capx"
fail-fast: false
needs: check_approvals
uses: ./.github/workflows/e2e.yaml
with:
e2e-labels: ${{ matrix.e2e-labels }}
secrets: inherit
permissions:
contents: read
checks: write