fix(deps): update module github.com/spf13/cobra to v1.9.1 - autoclosed #66
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Go Build & Docker Build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "*" | |
| paths: | |
| - src/**/* | |
| - .github/workflows/** | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| branches: | |
| - main | |
| paths: | |
| - src/**/* | |
| - .github/workflows/** | |
| permissions: | |
| contents: write | |
| packages: write | |
| issues: write | |
| id-token: write | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| quality: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout code | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Set up Go environment | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "src/go.mod" | |
| cache: true | |
| cache-dependency-path: "**/*.sum" | |
| - uses: actions/setup-python@v3 | |
| - uses: pre-commit/[email protected] | |
| test: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout code | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Set up Go environment | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "src/go.mod" | |
| cache: true | |
| cache-dependency-path: "**/*.sum" | |
| - name: Run tests | |
| working-directory: "src/" | |
| run: go test -race -cover -coverprofile=coverage.txt ./... | |
| - name: Archive code coverage results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: code-coverage | |
| path: "**/coverage.txt" | |
| code_coverage: | |
| name: "Code coverage report" | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| needs: test | |
| permissions: | |
| contents: read | |
| actions: read # to download code coverage results from "test" job | |
| pull-requests: write # write permission needed to comment on PR | |
| steps: | |
| - uses: fgrosse/[email protected] | |
| with: | |
| root-package: "github.com/${{ github.repository }}/src" | |
| coverage-artifact-name: "code-coverage" | |
| coverage-file-name: "src/coverage.txt" | |
| prepare: | |
| name: Prepare build steps | |
| runs-on: ubuntu-latest | |
| outputs: | |
| goreleaser_extra_args: ${{ steps.set.outputs.goreleaser_extra_args }} | |
| arch_matrix: ${{ steps.set.outputs.arch_matrix }} | |
| steps: | |
| - id: set | |
| run: | | |
| if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then | |
| echo "goreleaser_extra_args=" >> "$GITHUB_OUTPUT" | |
| echo "arch_matrix=[{\"platform\":\"linux/arm64\",\"os\":\"linux\",\"arch\":\"arm64\"},{\"platform\":\"linux/amd64\",\"os\":\"linux\",\"arch\":\"amd64\"}]" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "goreleaser_extra_args=--snapshot" >> "$GITHUB_OUTPUT" | |
| echo "arch_matrix=[{\"platform\":\"linux/arm64\",\"os\":\"linux\",\"arch\":\"arm64\"}]" >> "$GITHUB_OUTPUT" | |
| fi | |
| goreleaser: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - test | |
| - quality | |
| - prepare | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "src/go.mod" | |
| cache-dependency-path: "**/*.sum" | |
| cache: true | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| args: release --clean --config .goreleaser.yaml ${{ needs.prepare.outputs.goreleaser_extra_args }} | |
| workdir: src/ | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload arm64 build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tailscale-k8s-auth-linux-arm64 | |
| path: src/dist/server_linux_arm64_v8.0/tailscale-k8s-auth | |
| if-no-files-found: error | |
| - name: Upload amd64 build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tailscale-k8s-auth-linux-amd64 | |
| path: src/dist/server_linux_amd64_v1/tailscale-k8s-auth | |
| if-no-files-found: error | |
| docker-build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - goreleaser | |
| - prepare | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.prepare.outputs.arch_matrix) }} | |
| steps: | |
| - name: set environment variables | |
| run: | | |
| platform=${{ matrix.platform }} | |
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
| image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" | |
| image="$(echo $image | tr '[:upper:]' '[:lower:]')" | |
| echo "FULL_IMAGE_NAME=${image}" >> $GITHUB_ENV | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Pull in platform artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: tailscale-k8s-auth-linux-${{ matrix.arch }} | |
| - name: mark artifact as executable | |
| run: | | |
| chmod +x tailscale-k8s-auth | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: ${{ matrix.platform }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| outputs: type=image,name=${{ env.FULL_IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: image-digest-${{ env.PLATFORM_PAIR }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| docker-publish: | |
| name: Docker Publish | |
| runs-on: ubuntu-latest | |
| needs: | |
| - docker-build | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # Required for Cosign to use GitHub OIDC | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Set environment variables | |
| run: | | |
| image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" | |
| image="$(echo $image | tr '[:upper:]' '[:lower:]')" | |
| echo "FULL_IMAGE_NAME=${image}" >> $GITHUB_ENV | |
| - name: Download digests | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp/digests | |
| pattern: image-digest-* | |
| merge-multiple: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.FULL_IMAGE_NAME }} | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.FULL_IMAGE_NAME }}@sha256:%s ' *) | |
| - name: Sign image manifest with Cosign | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| echo "Signing image: ${{ env.FULL_IMAGE_NAME }}:${{ steps.meta.outputs.version }}" | |
| cosign sign --yes "${{ env.FULL_IMAGE_NAME }}:${{ steps.meta.outputs.version }}" | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect "${{ env.FULL_IMAGE_NAME }}:${{ steps.meta.outputs.version }}" | |
| - name: Verify image signature | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| tag="${{ steps.meta.outputs.version }}" | |
| cosign verify \ | |
| --certificate-identity-regexp "https://github.com/${{ github.repository }}/.github/workflows/.*" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| "${FULL_IMAGE_NAME}:${tag}" |