chore(deps): update dependency go to v1.23.3 (#214) #57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# cid-workflow-version: 0.0.24 | |
# This file is generated by the CID Workflow GitHub App. | |
# DO NOT EDIT! | |
# name | |
name: CID - DefaultBranch | |
# triggers | |
on: | |
workflow_dispatch: | |
inputs: | |
loglevel: | |
description: Log level | |
required: true | |
default: info | |
type: choice | |
options: | |
- debug | |
- info | |
- warn | |
- error | |
push: | |
branches: | |
- main | |
tags: | |
- v*.*.* | |
paths-ignore: | |
- README.md | |
- LICENSE | |
- .gitignore | |
- .editorconfig | |
- renovate.json | |
# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps | |
permissions: | |
actions: read # detection of GitHub Actions environment | |
checks: none | |
contents: read | |
deployments: none | |
id-token: none | |
issues: none | |
packages: none | |
pages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
# cancel in progress when a new run starts | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
cancel-in-progress: true | |
env: | |
CID_WORKFLOW: main | |
CID_VERSION: latest | |
CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} | |
# allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. | |
EGRESS_POLICY: block | |
# allowed endpoints for egress traffic if egress-policy is set to 'block'. | |
EGRESS_POLICY_ALLOWED_ENDPOINTS: >- | |
api.github.com:443 | |
cdn01.quay.io:443 | |
cdn02.quay.io:443 | |
cdn03.quay.io:443 | |
codeload.github.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
proxy.golang.org:443 | |
quay.io:443 | |
raw.githubusercontent.com:443 | |
storage.googleapis.com:443 | |
sum.golang.org:443 | |
uploads.github.com:443 | |
EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" | |
EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" | |
EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- | |
api.sonarcloud.io:443 | |
scanner.sonarcloud.io:443 | |
semgrep.dev:443 | |
sonarcloud.io:443 | |
EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" | |
EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- | |
# jobs | |
jobs: | |
# info | |
info: | |
name: Info | |
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | |
timeout-minutes: 30 | |
if: ${{ github.event.inputs.loglevel == 'debug' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-telemetry: true | |
disable-sudo: true | |
egress-policy: ${{ env.EGRESS_POLICY }} | |
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} | |
- name: prepare environment | |
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | |
with: | |
version: ${{ env.CID_VERSION }} | |
- name: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: info | |
env: | |
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | |
run: | | |
echo "> project modules" | |
cid --log-level=${CID_LOGLEVEL:-info} module ls | |
echo "> catalog" | |
cid --log-level=${CID_LOGLEVEL:-info} catalog list | |
echo "> workflows" | |
cid --log-level=${CID_LOGLEVEL:-info} workflow ls | |
# build | |
build: | |
name: Build | |
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | |
permissions: | |
id-token: write # provenance signing | |
timeout-minutes: 30 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-telemetry: true | |
disable-sudo: true | |
egress-policy: ${{ env.EGRESS_POLICY }} | |
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} | |
- name: prepare environment | |
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | |
with: | |
version: ${{ env.CID_VERSION }} | |
- name: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: build | |
env: | |
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | |
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | |
run: | | |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build | |
- name: upload artifacts | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: build-${{ github.run_id }} | |
path: .dist | |
retention-days: 1 | |
if-no-files-found: ignore | |
# test | |
test: | |
name: Test | |
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | |
timeout-minutes: 30 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-telemetry: true | |
disable-sudo: true | |
egress-policy: ${{ env.EGRESS_POLICY }} | |
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} | |
- name: prepare environment | |
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | |
with: | |
version: ${{ env.CID_VERSION }} | |
- name: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: test | |
env: | |
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | |
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | |
run: | | |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test | |
- name: upload artifacts | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: test-${{ github.run_id }} | |
path: .dist | |
retention-days: 1 | |
if-no-files-found: ignore | |
# scan | |
scan: | |
name: Scan | |
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | |
needs: [build, test] | |
permissions: | |
security-events: write | |
timeout-minutes: 30 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-telemetry: true | |
disable-sudo: true | |
egress-policy: ${{ env.EGRESS_POLICY }} | |
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} | |
- name: prepare environment | |
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | |
with: | |
version: ${{ env.CID_VERSION }} | |
- name: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: download artifacts > build | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-${{ github.run_id }} | |
path: .dist | |
continue-on-error: true | |
- name: download artifacts > test | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: test-${{ github.run_id }} | |
path: .dist | |
continue-on-error: true | |
- name: scan | |
env: | |
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | |
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} | |
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} | |
run: | | |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan | |
# package | |
package: | |
name: Package | |
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | |
needs: [build] | |
permissions: | |
id-token: write # provenance signing | |
timeout-minutes: 30 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-telemetry: true | |
disable-sudo: true | |
egress-policy: ${{ env.EGRESS_POLICY }} | |
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }} | |
- name: prepare environment | |
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | |
with: | |
version: ${{ env.CID_VERSION }} | |
- name: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: download artifacts > build | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-${{ github.run_id }} | |
path: .dist | |
continue-on-error: true | |
- name: package | |
env: | |
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | |
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | |
run: | | |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package | |
- name: upload artifacts | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: package-${{ github.run_id }} | |
path: .dist | |
retention-days: 1 | |
if-no-files-found: ignore | |
# publish | |
publish: | |
name: Publish | |
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | |
needs: [package, scan] | |
permissions: | |
# create release | |
contents: write | |
# publish packages | |
packages: write | |
if: startsWith(github.ref, 'refs/pull/') == false | |
timeout-minutes: 30 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-telemetry: true | |
disable-sudo: true | |
egress-policy: ${{ env.EGRESS_POLICY }} | |
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }} | |
- name: prepare environment | |
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | |
with: | |
version: ${{ env.CID_VERSION }} | |
- name: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: download artifacts > package | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: package-${{ github.run_id }} | |
path: .dist | |
continue-on-error: true | |
- name: publish | |
env: | |
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | |
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
MAVEN_REPO_URL: ${{ secrets.MAVEN_REPO_URL }} | |
MAVEN_REPO_USERNAME: ${{ secrets.MAVEN_REPO_USERNAME }} | |
MAVEN_REPO_PASSWORD: ${{ secrets.MAVEN_REPO_PASSWORD }} | |
MAVEN_GPG_SIGN_PRIVATEKEY: ${{ secrets.MAVEN_GPG_SIGN_PRIVATEKEY }} | |
MAVEN_GPG_SIGN_PASSWORD: ${{ secrets.MAVEN_GPG_SIGN_PASSWORD }} | |
MAVEN_GPG_SIGN_KEYID: ${{ secrets.MAVEN_GPG_SIGN_KEYID }} | |
run: | | |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage publish |