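# Nightly verification for OPA: Go race detector, native fuzzer, benchmarks,
# module-proxy check, Trivy image/repo scans and govulncheck.
# Every third-party action is pinned to a full commit SHA; the trailing comment
# records the human-readable tag it corresponds to. Keep new steps to the same
# rule so a moved tag cannot change what runs here.
name: Nightly

on:
  workflow_dispatch: {} # Allow for manual triggers
  schedule:
    - cron: '0 8 * * 0-4' # Sun-Thu, at 8:00 UTC

# Least privilege: every job only reads the repository. No job publishes
# artifacts, comments, or pushes, so nothing here needs write access.
permissions:
  contents: read

jobs:
  race-detector:
    name: Go Race Detector
    runs-on: ubuntu-22.04
    steps:
      # actions/checkout persists the job token in .git/config by default.
      # With read-only permissions this is low risk, but `persist-credentials: false`
      # would remove it entirely; no job here appears to need git credentials
      # after checkout (same applies to the other checkouts below).
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Test with Race Detector
        # The Go race detector requires cgo.
        run: CGO_ENABLED=1 make ci-go-race-detector
      # Fires only on failure, and only when the webhook secret is set; in a
      # repository without the secret (e.g. a fork) the step is skipped rather
      # than failing the job.
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow

  native-fuzzer:
    name: Go Fuzzer (native)
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # The Go toolchain version is the single source of truth in .go-version,
      # exported as a step output so setup-go can consume it.
      - id: go_version
        name: Read go version
        run: echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
      - name: Install Go (${{ steps.go_version.outputs.go_version }})
        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          go-version: ${{ steps.go_version.outputs.go_version }}
      # -run '^$' skips the regular unit tests so only the fuzz target runs.
      - name: go test -fuzz
        run: go test ./ast -fuzz FuzzParseStatementsAndCompileModules -fuzztime 1h -v -run '^$'
      # On failure, print every crasher the fuzzer wrote (everything under the
      # fuzz testdata directory except the seed corpus *.stmt files) so the
      # reproducer is available in the job log.
      - name: Dump crashers
        if: ${{ failure() }}
        run: find ast/testdata/fuzz ! -name '*.stmt' ! -type d -print -exec cat {} \;
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow

  go-perf:
    name: Go Perf
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Benchmark Test Golang
        run: make ci-go-perf
        timeout-minutes: 45
        env:
          DOCKER_RUNNING: 0
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow

  go-proxy-check:
    name: Go mod check
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Vendor without proxy
        run: make check-go-module
        timeout-minutes: 30
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow

  trivy-scan-image:
    name: Trivy security scan image
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code # needed for .trivyignore file
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # The edge-static image is a moving tag by design: this job scans
      # whatever the latest published build is, not a fixed digest.
      - run: "docker pull openpolicyagent/opa:edge-static"
      # Equivalent to:
      # $ trivy image openpolicyagent/opa:edge-static
      - name: Run Trivy scan on image
        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
        with:
          image-ref: 'openpolicyagent/opa:edge-static'
          format: table
          # Fail the job on any reported finding of the selected severities.
          exit-code: '1'
          # Findings with no upstream fix yet are not reported; they still exist
          # in the image and reappear once a fix is released.
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH
        env:
          # Comma-separated list: the second registry is a fallback for the
          # vulnerability DB when the first is unavailable or rate limited.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow

  trivy-scan-repo:
    name: Trivy security scan repo
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Equivalent to:
      # $ trivy fs .
      - name: Run Trivy scan on repo
        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
        with:
          scan-type: fs
          format: table
          exit-code: '1'
          ignore-unfixed: true
          # Vendored and imported third-party trees are excluded from the
          # filesystem scan; dependency findings are covered by govulncheck
          # and the image scan instead.
          skip-dirs: vendor/,internal/gqlparser/validator/imported/
          severity: CRITICAL,HIGH
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow

  govulncheck:
    name: Go vulnerability check
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - id: go_version
        name: Read go version
        run: echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
      - name: Install Go (${{ steps.go_version.outputs.go_version }})
        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          go-version: ${{ steps.go_version.outputs.go_version }}
      # NOTE(review): the only unpinned dependency in this workflow. Pinning to
      # a tagged release (golang.org/x/vuln/cmd/govulncheck@vX.Y.Z) would keep
      # this tool's supply chain consistent with the SHA-pinned actions above,
      # at the cost of bumping it manually to pick up checker fixes.
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Reports only vulnerabilities in code paths the module actually reaches.
      - run: govulncheck ./...
      - name: Slack Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
        with:
          status: ${{ job.status }}
          fields: repo,workflow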