Go CI

Bump codecov/codecov-action from 4.6.0 to 5.0.2 #846

Workflow file for this run

	name: Go CI

	on:
	push:
	pull_request:
	types: [ opened, reopened ]
	workflow_dispatch:

	permissions:
	contents: write
	packages: write

	jobs:
	build:
	runs-on: ubuntu-22.04

	name: Continuous Integration

	steps:
	- name: Check out code
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5.1.0
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Get dependencies
	run: go mod download

	- name: Lint
	run: \|
	result=$(make lint)
	echo $result
	[ -n "$(echo "$result" \| grep 'diff -u')" ] && exit 1 \|\| exit 0

	- name: Build
	run: make build

	- name: Test
	run: make test

	- name: Coverage
	run: make coverage-out

	- name: Upload Code Coverage
	uses: codecov/codecov-action@v5.0.2
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	files: ./coverage.out
	flags: unittests
	name: codecov-umbrella
	fail_ci_if_error: true
	verbose: true

	release:
	name: release
	needs: [build]
	runs-on: ubuntu-22.04

	outputs:
	container_digest: ${{ steps.container_info.outputs.container_digest }}
	container_tags: ${{ steps.container_info.outputs.container_tags }}
	container_repos: ${{ steps.container_info.outputs.container_repos }}

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Set up Go
	uses: actions/setup-go@v5.1.0
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Install cosign
	uses: sigstore/cosign-installer@v3.7.0
	with:
	cosign-release: 'v2.4.1'

	- name: Login to container registries
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	echo "${{ secrets.GITHUB_TOKEN }}" \| docker login -u ${{ github.actor }} --password-stdin ghcr.io

	- name: Set release variables
	id: release-vars
	run: \|
	make release-vars > /tmp/spiffe-vault-release-vars.env
	source /tmp/spiffe-vault-release-vars.env
	if [[ -n "$LDFLAGS" ]]; then
	echo "ldflags=$LDFLAGS" >> $GITHUB_OUTPUT
	fi
	if [[ -n "$GIT_HASH" ]]; then
	echo "git_hash=$GIT_HASH" >> $GITHUB_OUTPUT
	fi
	rm -f /tmp/spiffe-vault-release-vars.env

	- name: Install signing key
	run: \|
	echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key

	- name: Buildx builder
	run: make container-builder

	- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') \|\| '' }}
	uses: goreleaser/goreleaser-action@v6
	with:
	version: latest
	args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') \|\| '' }}
	env:
	LDFLAGS: ${{ steps.release-vars.outputs.ldflags }}
	GIT_HASH: ${{ steps.release-vars.outputs.git_hash }}
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	- name: Get container info
	id: container_info
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
	echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT
	echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" \| paste -s -d ',' -)" >> $GITHUB_OUTPUT
	echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" \| jq --raw-input . \| jq --slurp -c)" >> $GITHUB_OUTPUT

	- name: Logout from container registries
	if: ${{ always() }}
	run: \|
	docker logout ghcr.io

	- name: Cleanup signing keys
	if: ${{ always() }}
	run: rm -f cosign.key

	provenance:
	name: Generate provenance
	runs-on: ubuntu-22.04
	needs: [release]
	if: startsWith(github.ref, 'refs/tags/')

	steps:
	- name: Generate provenance for release
	uses: philips-labs/slsa-provenance-action@v0.9.0
	with:
	command: generate
	subcommand: github-release
	arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

	- name: Install cosign
	uses: sigstore/cosign-installer@v3.7.0
	with:
	cosign-release: 'v2.4.1'

	- name: Sign provenance
	run: \|
	echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
	cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
	cat "${SIGNATURE}"

	curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
	curl_args+=(-H "Accept: application/vnd.github.v3+json")
	release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" \| jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" \| jq -r '.[0].id')"

	echo "Upload ${SIGNATURE} to release with id ${release_id}…"
	curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
	curl "${curl_args[@]}" \
	--data-binary @"${SIGNATURE}" \
	"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	SIGNATURE: provenance.att.sig

	container-provenance:
	name: container-provenance
	needs: [release]
	if: startsWith(github.ref, 'refs/tags/')
	runs-on: ubuntu-22.04

	strategy:
	matrix:
	repo: ${{ fromJSON(needs.release.outputs.container_repos) }}

	steps:
	- name: Install cosign
	uses: sigstore/cosign-installer@v3.7.0
	with:
	cosign-release: 'v2.4.1'

	- name: Generate provenance for ${{ matrix.repo }}
	uses: philips-labs/slsa-provenance-action@v0.9.0
	with:
	command: generate
	subcommand: container
	arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

	- name: Get slsa-provenance predicate
	run: \|
	cat provenance.att \| jq .predicate > provenance-predicate.att

	- name: Login to Container registries
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	echo "${{ secrets.GITHUB_TOKEN }}" \| docker login -u ${{ github.actor }} --password-stdin ghcr.io

	- name: Attach provenance to image
	run: \|
	echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
	cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	- name: Verify attestation
	run: \|
	echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
	cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}

	- name: Logout from Container registries
	if: ${{ always() }}
	run: \|
	docker logout ghcr.io
	rm -f cosign.key

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump codecov/codecov-action from 4.6.0 to 5.0.2 #846

Workflow file

Bump codecov/codecov-action from 4.6.0 to 5.0.2 #846

Jobs

Run details

Workflow file for this run