build(deps): bump SonarSource/sonarcloud-github-action from 2.1.1 to 4.0.0 #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Checks" | |
| env: | |
| IS_RELEASE_BRANCH: ${{ startsWith(github.head_ref, 'release-please-') }} | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| merge_group: | |
| branches: | |
| - main | |
| types: | |
| - checks_requested | |
| jobs: | |
| pr: | |
| name: Validate PR title | |
| if: contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name) | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| pull-requests: read | |
| steps: | |
| - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| # Types include: | |
| # - fix: fixes | |
| # - feat: features and enhancements | |
| # - chore: non-feature or enhancement (i.e. docs, ci, linting, automated, etc) | |
| types: | | |
| fix | |
| feat | |
| chore | |
| refactor | |
| revert | |
| # Scopes include: | |
| # - main: used for automated releases | |
| # - core: related to any core need such as the core service or monorepo | |
| # - ci: anything related to ci | |
| # - docs: anything related solely to documentation | |
| # - sdk: related to sdk changes in the /sdk directory | |
| # - policy: related to policy service changes (i.e. /service/policy) | |
| # - kas: related to key access service changes (i.e. /service/kas) | |
| # - authz: related to the authorization service changes (i.e. /service/authorization) | |
| scopes: | | |
| main | |
| core | |
| ci | |
| docs | |
| sdk | |
| policy | |
| kas | |
| authz | |
| go: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| checks: write | |
| contents: read | |
| pull-requests: read | |
| strategy: | |
| matrix: | |
| directory: | |
| - examples | |
| - sdk | |
| - service | |
| - lib/ocrypto | |
| - lib/fixtures | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache-dependency-path: | | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| service/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| run: ./.github/scripts/work-init.sh | |
| - run: go mod download | |
| working-directory: ${{ matrix.directory }} | |
| - run: go mod verify | |
| working-directory: ${{ matrix.directory }} | |
| - run: go work use . | |
| if: env.IS_RELEASE_BRANCH == 'true' | |
| working-directory: ${{ matrix.directory }} | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc | |
| with: | |
| version: v1.58 | |
| working-directory: ${{ matrix.directory }} | |
| skip-cache: true | |
| args: --out-format=colored-line-number | |
| - name: Install softHSM | |
| if: matrix.directory == 'service' | |
| run: |- | |
| sudo apt-get install -y softhsm opensc openssl | |
| sudo chmod +x /etc/softhsm | |
| sudo chmod +r /etc/softhsm/softhsm2.conf | |
| mkdir -p $(pwd)/.tmp/tokens | |
| echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf | |
| echo "log.level = DEBUG" >> softhsm2.conf | |
| echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" | |
| - if: matrix.directory == 'service' | |
| run: .github/scripts/init-temp-keys.sh --hsm | |
| - run: go test ./... -short | |
| working-directory: ${{ matrix.directory }} | |
| - if: matrix.directory == 'service' | |
| run: go test ./service/integration -race -failfast | |
| - name: check go fmt and go mod tidy | |
| run: |- | |
| go mod tidy | |
| go fmt ./... | |
| git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum" | |
| working-directory: ${{ matrix.directory }} | |
| - run: git diff | |
| - run: git diff-files --ignore-submodules | |
| - name: Check that files have been formatted before PR submission; see above for error details | |
| run: git diff-files --quiet --ignore-submodules | |
| if: env.IS_RELEASE_BRANCH == 'false' | |
| integration: | |
| name: integration tests | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| crypto: | |
| - standard | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| run: ./.github/scripts/work-init.sh | |
| - run: go mod download | |
| - run: go mod verify | |
| - name: Install softHSM | |
| if: matrix.crypto == 'hsm' | |
| run: |- | |
| sudo apt-get install -y softhsm opensc openssl | |
| sudo chmod +x /etc/softhsm | |
| sudo chmod +r /etc/softhsm/softhsm2.conf | |
| mkdir -p $(pwd)/.tmp/tokens | |
| echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf | |
| echo "log.level = DEBUG" >> softhsm2.conf | |
| echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" | |
| - run: | | |
| .github/scripts/init-temp-keys.sh --hsm | |
| cp opentdf-with-hsm.yaml opentdf.yaml | |
| if: matrix.crypto == 'hsm' | |
| - run: | | |
| .github/scripts/init-temp-keys.sh | |
| cp opentdf-dev.yaml opentdf.yaml | |
| if: matrix.crypto == 'standard' | |
| - name: Added Trusted Certs | |
| run: | | |
| sudo chmod -R 777 ./keys | |
| sudo apt-get install -y ca-certificates | |
| sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates | |
| sudo update-ca-certificates | |
| - run: docker compose up -d --wait --wait-timeout 240 | |
| - run: go run ./service provision keycloak | |
| - run: go run ./service provision fixtures | |
| - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 | |
| name: start server in background | |
| with: | |
| run: | | |
| go run ${{ matrix.crypto == 'hsm' && '--tags=opentdf.hsm' || '' }} ./service start | |
| wait-on: | | |
| tcp:localhost:8080 | |
| log-output-if: true | |
| wait-for: 90s | |
| - run: go install github.com/fullstorydev/grpcurl/cmd/[email protected] | |
| - run: grpcurl -plaintext localhost:8080 list | |
| - run: grpcurl -plaintext localhost:8080 grpc.health.v1.Health.Check | |
| - run: grpcurl -plaintext localhost:8080 kas.AccessService/PublicKey | |
| - run: curl --show-error --fail --insecure localhost:8080/kas/v2/kas_public_key | |
| - run: go run ./examples encrypt "Hello Virtru" | |
| - run: go run ./examples decrypt sensitive.txt.tdf | |
| - run: go run ./examples decrypt sensitive.txt.tdf | grep "Hello Virtru" | |
| - name: create roundtrip test data and run tests | |
| run: go test ./service/rttests -v | |
| image: | |
| name: image build | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| buflint: | |
| name: Protocol Buffer Lint and Gencode Up-to-date check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: bufbuild/buf-setup-action@480a0ee8a588045b52a847b48138c6f377a89519 | |
| - uses: bufbuild/buf-lint-action@044d13acb1f155179c606aaa2e53aea304d22058 | |
| with: | |
| input: service | |
| - uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 | |
| # TODO(#212) Block on breaking changes after protos are frozen | |
| continue-on-error: true | |
| with: | |
| input: service | |
| against: "https://github.com/opentdf/platform.git#branch=main,subdir=service" | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| examples/go.sum | |
| - run: cd service && go get github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
| - run: cd service && go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
| - run: make proto-generate | |
| - name: Restore go.mod after installing protoc-gen-doc | |
| run: git restore {service,protocol/go}/go.{mod,sum} | |
| - name: validate go mod tidy | |
| run: |- | |
| cd protocol/go | |
| go mod tidy | |
| git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum" | |
| - run: git diff | |
| - run: git diff-files --ignore-submodules | |
| - name: Check that make proto-generate has run before PR submission; see above for error details | |
| run: git diff-files --quiet --ignore-submodules | |
| ci: | |
| needs: | |
| - buflint | |
| - go | |
| - image | |
| - integration | |
| - license | |
| - pr | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - if: contains(needs.*.result, 'failure') | |
| run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1 | |
| license: | |
| name: license check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache: false | |
| - name: install go-licenses | |
| run: go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e | |
| - name: check service licenses | |
| run: > | |
| go-licenses check --disallowed_types=forbidden --include_tests | |
| ./service | |
| - name: check sdk licenses | |
| run: > | |
| go-licenses check --disallowed_types=forbidden --include_tests | |
| ./sdk | |
| - name: check examples licenses | |
| run: > | |
| go-licenses check --disallowed_types=forbidden --include_tests | |
| ./examples |