-
Notifications
You must be signed in to change notification settings - Fork 12
103 lines (93 loc) · 3.54 KB
/
safer-golangci-lint.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# Copyright © 2021-2023 Montgomery Edwards⁴⁴⁸ (github.com/x448).
# This file is licensed under MIT License.
#
# Safer GitHub Actions Workflow for golangci-lint.
# https://github.com/x448/safer-golangci-lint
#
# safer-golangci-lint.yml
#
# This workflow downloads, verifies, and runs golangci-lint in a
# deterministic, reviewable, and safe manner.
#
# To use:
# Step 1. Copy this file into [your_github_repo]/.github/workflows/
# Step 2. There's no step 2 if you like the default settings.
#
# See golangci-lint docs for more info at
# https://github.com/golangci/golangci-lint
#
# 100% of the script for downloading, installing, and running golangci-lint
# is embedded in this file. The embedded SHA-256 digest is used to verify the
# downloaded golangci-lint tarball (golangci-lint-1.xx.x-linux-amd64.tar.gz).
#
# The embedded SHA-256 digest matches golangci-lint-1.xx.x-checksums.txt at
# https://github.com/golangci/golangci-lint/releases
#
# To use a newer version of golangci-lint, change these values:
# 1. GOLINTERS_VERSION
# 2. GOLINTERS_TGZ_DGST
#
# Release v1.52.2 (May 14, 2023)
# - Bump Go to 1.20
# - Bump actions/setup-go to v4
# - Bump golangci-lint to 1.52.2
# - Hash of golangci-lint-1.52.2-linux-amd64.tar.gz
# - SHA-256: c9cf72d12058a131746edd409ed94ccd578fbd178899d1ed41ceae3ce5f54501
# This SHA-256 digest matches golangci-lint-1.52.2-checksums.txt at
# https://github.com/golangci/golangci-lint/releases
#
name: linters
# Remove default permissions and grant only what is required in each job.
permissions: {}
on:
workflow_dispatch:
pull_request:
push:
branches: [main, master]
env:
GO_VERSION: '1.20'
GOLINTERS_VERSION: 1.52.2
GOLINTERS_ARCH: linux-amd64
GOLINTERS_TGZ_DGST: c9cf72d12058a131746edd409ed94ccd578fbd178899d1ed41ceae3ce5f54501
GOLINTERS_TIMEOUT: 15m
OPENSSL_DGST_CMD: openssl dgst -sha256 -r
CURL_CMD: curl --proto =https --tlsv1.2 --location --silent --show-error --fail
jobs:
main:
name: Lint
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout source
uses: actions/checkout@v3
with:
fetch-depth: 1
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Install golangci-lint
run: |
GOLINTERS_URL_PREFIX="https://github.com/golangci/golangci-lint/releases/download/v${GOLINTERS_VERSION}/"
GOLINTERS_TGZ="golangci-lint-${GOLINTERS_VERSION}-${GOLINTERS_ARCH}.tar.gz"
GOLINTERS_EXPECTED_DGST="${GOLINTERS_TGZ_DGST} *${GOLINTERS_TGZ}"
DGST_CMD="${OPENSSL_DGST_CMD} ${GOLINTERS_TGZ}"
cd $(mktemp -d /tmp/golinters.XXXXX)
${CURL_CMD} "${GOLINTERS_URL_PREFIX}${GOLINTERS_TGZ}" --output ${GOLINTERS_TGZ}
GOLINTERS_GOT_DGST=$(${DGST_CMD})
if [ "${GOLINTERS_GOT_DGST}" != "${GOLINTERS_EXPECTED_DGST}" ]
then
echo "Digest of tarball is not equal to expected digest."
echo "Expected digest: " "${GOLINTERS_EXPECTED_DGST}"
echo "Got digest: " "${GOLINTERS_GOT_DGST}"
exit 1
fi
tar --no-same-owner -xzf "${GOLINTERS_TGZ}" --strip-components 1
install golangci-lint $(go env GOPATH)/bin
shell: bash
# Run required linters enabled in .golangci.yml (or default linters if yml doesn't exist)
- name: Run golangci-lint
run: $(go env GOPATH)/bin/golangci-lint run --timeout="${GOLINTERS_TIMEOUT}"
shell: bash