bumps #666
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: GHA Build | |
# The `name:` here is also used in badge.svg rendering as the left-hand-side | |
permissions: | |
# Control the GITHUB_TOKEN permissions. | |
# By having this block, all permissions not listed here are set to none. | |
# Available permissions listed at: | |
# <https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token> | |
# Which API calls need which permissions at what level, listed at: | |
# <https://docs.github.com/en/rest/reference/permissions-required-for-github-apps> | |
# | |
contents: read | |
checks: write | |
statuses: write | |
on: | |
push: | |
branches-ignore: | |
- "exp" | |
- "exp/*" | |
- "exp-*" | |
- "exp_*" | |
- "wip" | |
- "wip/*" | |
- "wip-*" | |
- "wip_*" | |
pull_request: | |
jobs: | |
test: | |
runs-on: ${{ matrix.os }} | |
continue-on-error: ${{ matrix.experimental || false }} | |
strategy: | |
# Debugging multi-platform builds, let them all complete (for now) | |
fail-fast: false | |
matrix: | |
# It's called a matrix but in practice I'm just listing out the precise combinations we want, via include. | |
# The canonical entry is the only one where we run vet/lint/style checks. | |
# `experimental: true` entries do not cause the tests to fail. | |
include: | |
- go: "stable" | |
os: ubuntu-latest | |
canonical: true | |
- go: "stable" | |
os: windows-latest | |
canonical: false | |
- go: "stable" | |
os: macos-latest | |
canonical: false | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ matrix.go }} | |
# We're not doing releases, just checks, so we can live without check-latest here | |
- name: Install additional check/lint tools | |
id: tools-install | |
run: | | |
go install honnef.co/go/tools/cmd/[email protected] | |
if: matrix.canonical | |
- name: Basic Go integrity checks | |
id: integrity | |
run: | | |
go vet ./... | |
if: matrix.canonical | |
- name: Run Tests (with coverage enabled) | |
id: coverage | |
run: | | |
go test -v -failfast -coverpkg=./... -coverprofile=./coverage.out ./... | |
if: runner.os != 'Windows' | |
- name: Run Tests (windows) | |
run: | | |
go test -v -failfast ./... | |
if: runner.os == 'Windows' | |
- name: Upload coverage | |
uses: coverallsapp/github-action@v2 | |
continue-on-error: true | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
flag-name: ${{ matrix.module }} | |
file: ./coverage.out | |
if: runner.os != 'Windows' | |
- name: Bad versions creep defense | |
id: go-module-versions | |
# The go.mod includes tests, and some of our tests explicitly pull in jwtv1, which is unmaintained and has security issues. | |
# It's only in the tests, so that's not critical enough to need to rewrite things at this time. | |
# But we don't want the _binary_ to link against v1. So we want to check what the actual binary links against. | |
# Add whatever other checks we care about here. | |
run: | | |
go build | |
go version -m ./nsc > versions | |
if grep -qsE '^[[:space:]]+dep[[:space:]]+github\.com/nats-io/jwt[[:space:]]' versions; then | |
echo "::error title=Bad dependency in binary::JWT library v1 detected" | |
exit 1 | |
fi | |
if: matrix.canonical | |
#EOF |