pushes.yaml
# Workflow display name. badge.svg rendering also uses it as the left-hand-side
# text, so renaming the workflow changes the badge.
name: GHA Build
permissions:
  # Scopes granted to the automatically issued GITHUB_TOKEN for every job in this workflow.
  # Because this block is present, every scope not named below is set to none.
  # Scope reference:
  #   <https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token>
  # Which API calls need which scope, and at what level:
  #   <https://docs.github.com/en/rest/reference/permissions-required-for-github-apps>
  #
  # NOTE(review): the only step below that is handed the token is the coverage upload;
  # confirm that both write scopes are still required, and drop any that are not.
  contents: read
  checks: write
  statuses: write
on:
  push:
    # Pushes to experimental and work-in-progress branches do not trigger a build.
    branches-ignore:
      - 'exp'
      - 'exp/*'
      - 'exp-*'
      - 'exp_*'
      - 'wip'
      - 'wip/*'
      - 'wip-*'
      - 'wip_*'
  # No branch or path filters are set for pull requests.
  pull_request:
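jobs:
  test:
    runs-on: ${{ matrix.os }}
    continue-on-error: ${{ matrix.experimental || false }}
    strategy:
      # Debugging multi-platform builds, let them all complete (for now)
      fail-fast: false
      matrix:
        # It's called a matrix but in practice I'm just listing out the precise combinations
        # we want, via include.
        # The canonical entry is the only one where we run vet/lint/style checks.
        # `experimental: true` entries do not cause the tests to fail.
        include:
          - go: '1.21.x'
            os: ubuntu-latest
            canonical: true
          - go: '1.21.x'
            os: windows-latest
            canonical: false
          - go: '1.21.x'
            os: macos-latest
            canonical: false
    steps:
      - name: Checkout
        # NOTE(review): `@v2` is a movable tag on an old major version. Pinning each
        # `uses:` entry to the full commit SHA of a supported release makes the code
        # that runs here reviewable and immune to the tag being re-pointed.
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          # Nothing in this job pushes, so do not leave the token in .git/config where
          # the tools installed later in the job could read it.
          persist-credentials: false

      - name: Set up Go
        # NOTE(review): same movable-tag concern as the checkout step above.
        uses: actions/setup-go@v2
        with:
          go-version: ${{ matrix.go }}
          # We're not doing releases, just checks, so we can live without check-latest here

      - name: Export Go environment to Actions outputs
        id: go-settings
        # The `::set-output` workflow command is deprecated; outputs are written to the
        # file named by $GITHUB_OUTPUT instead. bash is forced so that the same syntax
        # works on the Windows runner, whose default shell is PowerShell.
        shell: bash
        run: |
          {
            echo "arch=$(go env GOARCH)"
            echo "hostarch=$(go env GOHOSTARCH)"
            echo "os=$(go env GOOS)"
            echo "hostos=$(go env GOHOSTOS)"
            echo "go-version=$(go env GOVERSION)"
          } >> "$GITHUB_OUTPUT"
        # Use with:
        #   ${{ steps.go-settings.outputs.go-version }}
        # which will look like `go1.17.1` if matrix `1.17.x` matches `1.17.1`.
        # These are independent of how the matrix is setup, or if a matrix is even used.
        #
        # You can see the individual values in the "Set up Go" output, collapsed inside a
        # "go env" group at the end.

      - name: Install additional check/lint tools
        id: tools-install
        # NOTE(review): `@latest` resolves at run time, so the code executed in CI can
        # change without any commit to this repository. goveralls is later given
        # GITHUB_TOKEN (see "Upload coverage results"); pin both tools to explicit
        # versions so that what runs with the token is reviewable.
        # NOTE(review): the staticcheck line reads `[email protected]` in this copy, which looks
        # like e-mail obfuscation applied by the page renderer to a
        # `staticcheck@<version>` suffix; restore the real version from the repository.
        # No step in this workflow invokes staticcheck after installing it.
        run: |
          go install github.com/mattn/goveralls@latest
          go install github.com/wadey/gocovmerge@latest
          go install honnef.co/go/tools/cmd/[email protected]
        if: matrix.canonical

      - name: Basic Go integrity checks
        id: integrity
        run: |
          go vet ./...
        if: matrix.canonical

      - name: Run Tests (with coverage enabled)
        id: coverage
        run: |
          mkdir cov
          echo "::group::Coverage of ./cmd"
          go test -v -failfast -covermode=atomic -coverprofile=./cov/cmd.out ./cmd
          echo "::endgroup::"
          echo "::group::Coverage of ./cmd/store"
          go test -v -failfast -covermode=atomic -coverprofile=./cov/store.out ./cmd/store
          echo "::endgroup::"
        if: runner.os != 'Windows'

      - name: Run Tests (Windows)
        id: wintest
        # nb2: if we use the coverage approach on Windows, the -coverprofile flag appears to
        # be looked for as a package, and I've no idea why (am not a Windows dev)
        #   cannot find package "github.com/nats-io/nsc/cov/cmd.out" in any of:
        #     C:\hostedtoolcache\windows\go\1.16.13\x64\src\github.com\nats-io\nsc\cov\cmd.out (from $GOROOT)
        #     D:\a\nsc\nsc\go\src\github.com\nats-io\nsc\cov\cmd.out (from $GOPATH)
        # NOTE(review): presumably PowerShell splitting the unquoted `-flag=path.ext`
        # argument at the dot -- confirm before re-enabling coverage here.
        #
        # bash is forced because the default PowerShell wrapper reports only the exit code
        # of the last native command: a failing `go test ./cmd` followed by a passing
        # `go test ./cmd/store` would leave the step green. bash runs with -e and stops at
        # the first failure.
        shell: bash
        run: |
          echo "::group::Testing of ./cmd"
          go test -v -failfast ./cmd
          echo "::endgroup::"
          echo "::group::Testing of ./cmd/store"
          go test -v -failfast ./cmd/store
          echo "::endgroup::"
        if: runner.os == 'Windows'

      - name: Upload coverage results
        id: coverage-upload
        # The GITHUB_TOKEN (scoped by the top-level `permissions:` block) is exposed to
        # gocovmerge and goveralls through this step's environment.
        run: |
          gocovmerge ./cov/*.out > coverage.out
          goveralls -coverprofile=coverage.out -service=github
        env:
          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        if: matrix.canonical

      - name: Bad versions creep defense
        id: go-module-versions
        # The go.mod includes tests, and some of our tests explicitly pull in jwtv1, which is
        # unmaintained and has security issues.
        # It's only in the tests, so that's not critical enough to need to rewrite things at
        # this time.
        # But we don't want the _binary_ to link against v1. So we want to check what the
        # actual binary links against.
        # Add whatever other checks we care about here.
        #
        # The grep matches a `dep` line whose module path is exactly github.com/nats-io/jwt
        # (followed by whitespace), i.e. the unversioned v1 import path.
        run: |
          go build
          go version -m ./nsc > versions
          if grep -qsE '^[[:space:]]+dep[[:space:]]+github\.com/nats-io/jwt[[:space:]]' versions; then
            echo "::error title=Bad dependency in binary::JWT library v1 detected"
            exit 1
          fi
        if: matrix.canonical

#EOF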