# Copyright 2021 OpenSSF Scorecard Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: build permissions: contents: read on: push: branches: - main pull_request: branches: - main env: PROTOC_VERSION: 3.17.3 GO_VERSION: 1.21 jobs: unit-test: name: unit-test runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: false # we manually manage caches below - id: go-cache-paths run: | echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT" echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2 with: path: | ${{ steps.go-cache-paths.outputs.go-build }} ${{ steps.go-cache-paths.outputs.go-mod }} key: ${{ runner.os }}-go-tests-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go-tests- - name: Prepare test env run: | go mod download - name: Run unit-tests run: make unit-test - name: Upload codecoverage uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 3.1.4 with: files: ./unit-coverage.out verbose: true - name: Run PAT Token E2E #using retry because the GitHub token is being throttled. uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }} env: GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }} with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: make e2e-pat - name: codecov uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0 if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' }} with: files: "*e2e-coverage.out" verbose: true generate-mocks: name: generate-mocks runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Install Protoc uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 with: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ~/go/pkg/mod ~/.cache/go-build ~/Library/Caches/go-build %LocalAppData%\go-build key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: generate mocks uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make install make generate-mocks generate-docs: name: generate-docs runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: generate docs uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make generate-docs - name: ensure checks.yaml and checks.md match run: git diff --exit-code build-proto: name: build-proto runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Install Protoc uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 with: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: build-proto uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make build-proto build-matrix: strategy: matrix: target: - 'build-scorecard' - 'build-controller' - 'build-worker' - 'build-cii-worker' - 'build-shuffler' - 'build-bq-transfer' - 'build-github-server' - 'build-webhook' - 'build-add-script' - 'build-validate-script' name: ${{ matrix.target }} runs-on: ubuntu-latest needs: build-proto permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ~/go/pkg/mod ~/.cache/go-build ~/Library/Caches/go-build %LocalAppData%\go-build key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: Run build uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make ${{ matrix.target }} validate-docs: name: validate-docs runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ~/go/pkg/mod ~/.cache/go-build ~/Library/Caches/go-build %LocalAppData%\go-build key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: Run build uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make validate-docs add-projects: name: add-projects runs-on: ubuntu-latest needs: build-proto permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Install Protoc uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 with: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: | ~/go/pkg/mod ~/.cache/go-build ~/Library/Caches/go-build %LocalAppData%\go-build key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: Run build uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make add-projects validate-projects: name: validate-projects runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Install Protoc uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 with: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Clone the code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: Run build uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 with: max_attempts: 3 retry_on: error timeout_minutes: 30 command: | go env -w GOFLAGS=-mod=mod make validate-projects license-check: name: license boilerplate check runs-on: ubuntu-latest permissions: contents: read steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true cache: true - name: Check license headers run: | go env -w GOFLAGS=-mod=mod go install github.com/google/addlicense@2fe3ee94479d08be985a84861de4e6b06a1c7208 addlicense -ignore "**/script-empty.sh" -ignore "testdata/**" -ignore "**/testdata/**" -l apache -c 'OpenSSF Scorecard Authors' -v * git diff --exit-code