Skip to content

Update Go and packages to fix vulnerabilities #299

Update Go and packages to fix vulnerabilities

Update Go and packages to fix vulnerabilities #299

Workflow file for this run

on:
push:
pull_request:
types: [opened, reopened, synchronize]
workflow_dispatch:
name: CI
jobs:
build:
name: Build server image
runs-on: ubuntu-latest
services:
postgres:
image: postgres:15
env:
POSTGRES_USER: nivlheim
POSTGRES_DB: nivlheim
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd "pg_isready"
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Go tests
run: |
cd server/service
go test -v
env:
NIVLHEIM_PGHOST: localhost
NIVLHEIM_PGUSER: nivlheim
NIVLHEIM_PGPASSWORD: postgres
NIVLHEIM_PGDATABASE: nivlheim
NIVLHEIM_PGSSLMODE: disable
- name: Docker build
run: |
VERSION=`cat VERSION`
if [[ "$GITHUB_REF_NAME" != "master" ]]; then
VERSION="$VERSION-$GITHUB_REF_NAME"
fi
echo "version=$VERSION"
docker build --file ci/docker/api_Dockerfile --tag nivlheim:latest --build-arg version=$VERSION .
- name: Docker save
run: docker save nivlheim | gzip > nivlheim-image.tar.gz
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: nivlheim-image.tar.gz
path: nivlheim-image.tar.gz
buildwww:
name: Build httpd+cgi image
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Docker build
run: docker build --file ci/docker/Dockerfile --tag nivlheim-www:latest .
- name: Docker save
run: |
IMAGE=`docker images | head -2 | tail -1 | awk '{print $3}'`
docker inspect $IMAGE
docker save nivlheim-www | gzip > nivlheim-www.tar.gz
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: nivlheim-www.tar.gz
path: nivlheim-www.tar.gz
buildclient:
name: Build client image
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Docker build
run: |
cp client/client.yaml tmp_client.yaml
echo " server: localhost" >> tmp_client.yaml
docker build --file ci/docker/client_Dockerfile --tag nivlheimclient:latest .
docker save nivlheimclient | gzip > nivlheim-client.tar.gz
rm tmp_client.yaml
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: nivlheim-client.tar.gz
path: nivlheim-client.tar.gz
test-scripts:
name: Run test scripts
needs: [build, buildwww, buildclient]
runs-on: ubuntu-latest
strategy:
matrix:
test:
- cert_handling.sh
- cfengine.sh
- change_ca.sh
- client_timing.sh
- clones.sh
- powershell.sh
- homepage.sh
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download artifacts
uses: actions/download-artifact@v4
# the name input parameter is not provided, so all artifacts will be downloaded
- name: Load images
run: |
docker load --input nivlheim-www.tar.gz/nivlheim-www.tar.gz
docker load --input nivlheim-image.tar.gz/nivlheim-image.tar.gz
docker load --input nivlheim-client.tar.gz/nivlheim-client.tar.gz
- name: Start containers
run: docker compose -f "ci/docker/docker-compose.yml" up -d
- name: SSL handshake
run: openssl s_client -connect localhost:443 -prexit
continue-on-error: true
- name: Status API
run: curl -k --no-progress-meter https://localhost/api/v2/status
- name: Run one of the test scripts
run: tests/test_${{ matrix.test }}
- name: Retrieve logs from Docker
if: always()
run: docker compose -f "ci/docker/docker-compose.yml" logs
- name: Retrieve server logs
if: always()
run: |
echo "------- access_log -------------------------------"
docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true
echo "------- error_log --------------------------------"
docker exec docker-nivlheimweb-1 cat /var/log/httpd/error_log || true
echo "------- system.log--------------------------------"
docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true
- name: Stop containers
if: always()
run: docker compose -f "ci/docker/docker-compose.yml" down
publish:
if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}
name: Publish server image
needs: [test-scripts]
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: nivlheim-image.tar.gz
- name: Load image
run: docker load < nivlheim-image.tar.gz
- name: Log in to registry
run: >
echo "${{ secrets.GITHUB_TOKEN }}"
| docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push image
run: |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nivlheim
if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then
TAG_NAME=latest
else
TAG_NAME="${GITHUB_REF#refs/tags/}"
fi
docker tag nivlheim:latest "$IMAGE_ID:$TAG_NAME"
docker push "$IMAGE_ID:$TAG_NAME"
publishwww:
if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}
name: Publish httpd+cgi image
needs: [test-scripts]
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: nivlheim-www.tar.gz
- name: Load image
run: docker load < nivlheim-www.tar.gz
- name: Log in to registry
run: >
echo "${{ secrets.GITHUB_TOKEN }}"
| docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push image
run: |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nivlheim_www
if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then
TAG_NAME=latest
else
TAG_NAME="${GITHUB_REF#refs/tags/}"
fi
docker tag nivlheim-www:latest "$IMAGE_ID:$TAG_NAME"
docker push "$IMAGE_ID:$TAG_NAME"
# cd_hook:
# name: Webhook to local builders
# needs: [test-scripts]
# runs-on: ubuntu-20.04
# continue-on-error: true
# steps:
# - name: HTTP request
# run: curl -sS "http://nivlheim-test.uio.no/hook.pl?commit=${GITHUB_SHA}&branch=${GITHUB_REF_NAME}"
release:
if: ${{ github.ref == 'refs/heads/master' }}
name: Tag and release
needs: [test-scripts]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 50
- name: Create a version tag
id: tagstep
uses: salsify/action-detect-and-tag-new-version@v2
with:
version-command: cat VERSION
- name: Generate changelog
if: steps.tagstep.outputs.tag != ''
id: changelog
uses: jaywcjlove/changelog-generator@main
with:
token: ${{ secrets.GITHUB_TOKEN }}
filter: '[R|r]elease[d]\s+[v|V]\d(\.\d+){0,2}'
- name: Create a new release
if: steps.tagstep.outputs.tag != ''
uses: softprops/action-gh-release@v1
with:
body: ${{ steps.changelog.outputs.changelog }}
draft: false
prerelease: false
tag_name: ${{ steps.tagstep.outputs.tag }}
generate_release_notes: true