Update Go and packages to fix vulnerabilities #299
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
pull_request: | |
types: [opened, reopened, synchronize] | |
workflow_dispatch: | |
name: CI | |
jobs: | |
build: | |
name: Build server image | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:15 | |
env: | |
POSTGRES_USER: nivlheim | |
POSTGRES_DB: nivlheim | |
POSTGRES_PASSWORD: postgres | |
options: >- | |
--health-cmd "pg_isready" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
- 5432:5432 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Run Go tests | |
run: | | |
cd server/service | |
go test -v | |
env: | |
NIVLHEIM_PGHOST: localhost | |
NIVLHEIM_PGUSER: nivlheim | |
NIVLHEIM_PGPASSWORD: postgres | |
NIVLHEIM_PGDATABASE: nivlheim | |
NIVLHEIM_PGSSLMODE: disable | |
- name: Docker build | |
run: | | |
VERSION=`cat VERSION` | |
if [[ "$GITHUB_REF_NAME" != "master" ]]; then | |
VERSION="$VERSION-$GITHUB_REF_NAME" | |
fi | |
echo "version=$VERSION" | |
docker build --file ci/docker/api_Dockerfile --tag nivlheim:latest --build-arg version=$VERSION . | |
- name: Docker save | |
run: docker save nivlheim | gzip > nivlheim-image.tar.gz | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: nivlheim-image.tar.gz | |
path: nivlheim-image.tar.gz | |
buildwww: | |
name: Build httpd+cgi image | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker build | |
run: docker build --file ci/docker/Dockerfile --tag nivlheim-www:latest . | |
- name: Docker save | |
run: | | |
IMAGE=`docker images | head -2 | tail -1 | awk '{print $3}'` | |
docker inspect $IMAGE | |
docker save nivlheim-www | gzip > nivlheim-www.tar.gz | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: nivlheim-www.tar.gz | |
path: nivlheim-www.tar.gz | |
buildclient: | |
name: Build client image | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker build | |
run: | | |
cp client/client.yaml tmp_client.yaml | |
echo " server: localhost" >> tmp_client.yaml | |
docker build --file ci/docker/client_Dockerfile --tag nivlheimclient:latest . | |
docker save nivlheimclient | gzip > nivlheim-client.tar.gz | |
rm tmp_client.yaml | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: nivlheim-client.tar.gz | |
path: nivlheim-client.tar.gz | |
test-scripts: | |
name: Run test scripts | |
needs: [build, buildwww, buildclient] | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
test: | |
- cert_handling.sh | |
- cfengine.sh | |
- change_ca.sh | |
- client_timing.sh | |
- clones.sh | |
- powershell.sh | |
- homepage.sh | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
# the name input parameter is not provided, so all artifacts will be downloaded | |
- name: Load images | |
run: | | |
docker load --input nivlheim-www.tar.gz/nivlheim-www.tar.gz | |
docker load --input nivlheim-image.tar.gz/nivlheim-image.tar.gz | |
docker load --input nivlheim-client.tar.gz/nivlheim-client.tar.gz | |
- name: Start containers | |
run: docker compose -f "ci/docker/docker-compose.yml" up -d | |
- name: SSL handshake | |
run: openssl s_client -connect localhost:443 -prexit | |
continue-on-error: true | |
- name: Status API | |
run: curl -k --no-progress-meter https://localhost/api/v2/status | |
- name: Run one of the test scripts | |
run: tests/test_${{ matrix.test }} | |
- name: Retrieve logs from Docker | |
if: always() | |
run: docker compose -f "ci/docker/docker-compose.yml" logs | |
- name: Retrieve server logs | |
if: always() | |
run: | | |
echo "------- access_log -------------------------------" | |
docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true | |
echo "------- error_log --------------------------------" | |
docker exec docker-nivlheimweb-1 cat /var/log/httpd/error_log || true | |
echo "------- system.log--------------------------------" | |
docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true | |
- name: Stop containers | |
if: always() | |
run: docker compose -f "ci/docker/docker-compose.yml" down | |
publish: | |
if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }} | |
name: Publish server image | |
needs: [test-scripts] | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: read | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: nivlheim-image.tar.gz | |
- name: Load image | |
run: docker load < nivlheim-image.tar.gz | |
- name: Log in to registry | |
run: > | |
echo "${{ secrets.GITHUB_TOKEN }}" | |
| docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
- name: Push image | |
run: | | |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nivlheim | |
if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then | |
TAG_NAME=latest | |
else | |
TAG_NAME="${GITHUB_REF#refs/tags/}" | |
fi | |
docker tag nivlheim:latest "$IMAGE_ID:$TAG_NAME" | |
docker push "$IMAGE_ID:$TAG_NAME" | |
publishwww: | |
if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }} | |
name: Publish httpd+cgi image | |
needs: [test-scripts] | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: read | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: nivlheim-www.tar.gz | |
- name: Load image | |
run: docker load < nivlheim-www.tar.gz | |
- name: Log in to registry | |
run: > | |
echo "${{ secrets.GITHUB_TOKEN }}" | |
| docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
- name: Push image | |
run: | | |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nivlheim_www | |
if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then | |
TAG_NAME=latest | |
else | |
TAG_NAME="${GITHUB_REF#refs/tags/}" | |
fi | |
docker tag nivlheim-www:latest "$IMAGE_ID:$TAG_NAME" | |
docker push "$IMAGE_ID:$TAG_NAME" | |
# cd_hook: | |
# name: Webhook to local builders | |
# needs: [test-scripts] | |
# runs-on: ubuntu-20.04 | |
# continue-on-error: true | |
# steps: | |
# - name: HTTP request | |
# run: curl -sS "http://nivlheim-test.uio.no/hook.pl?commit=${GITHUB_SHA}&branch=${GITHUB_REF_NAME}" | |
release: | |
if: ${{ github.ref == 'refs/heads/master' }} | |
name: Tag and release | |
needs: [test-scripts] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 50 | |
- name: Create a version tag | |
id: tagstep | |
uses: salsify/action-detect-and-tag-new-version@v2 | |
with: | |
version-command: cat VERSION | |
- name: Generate changelog | |
if: steps.tagstep.outputs.tag != '' | |
id: changelog | |
uses: jaywcjlove/changelog-generator@main | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
filter: '[R|r]elease[d]\s+[v|V]\d(\.\d+){0,2}' | |
- name: Create a new release | |
if: steps.tagstep.outputs.tag != '' | |
uses: softprops/action-gh-release@v1 | |
with: | |
body: ${{ steps.changelog.outputs.changelog }} | |
draft: false | |
prerelease: false | |
tag_name: ${{ steps.tagstep.outputs.tag }} | |
generate_release_notes: true |