ci: overhaul pipeline — caching, GoReleaser, govulncheck
- Add module + build cache to CI (was only caching go-build, not go/pkg/mod) - Declare explicit Alpine container instead of relying on runner image - Drop redundant go vet (already in golangci-lint) - Add govulncheck job for dependency CVE scanning - Add GoReleaser config for Gitea-native binary releases + checksums - Replace .github/workflows/docker.yml with .gitea/workflows/release.yml - Docker multiarch (amd64+arm64) via buildx in release workflow - Dockerfile: add --mount=type=cache for mod/build, add -trimpath
This commit is contained in:
+27
-9
@@ -5,30 +5,33 @@ on:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
|
||||
env:
|
||||
GO_VERSION: "1.24"
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: golang:1.24-alpine3.21
|
||||
defaults:
|
||||
run:
|
||||
shell: sh
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.24"
|
||||
|
||||
- uses: actions/cache@v4
|
||||
with:
|
||||
path: ~/.cache/go-build
|
||||
key: go-build-${{ hashFiles('**/*.go', 'go.sum') }}
|
||||
restore-keys: go-build-
|
||||
path: |
|
||||
/go/pkg/mod
|
||||
/root/.cache/go-build
|
||||
key: go-${{ hashFiles('go.sum') }}
|
||||
restore-keys: go-
|
||||
|
||||
- name: Install build tools
|
||||
run: apk add --no-cache gcc musl-dev
|
||||
|
||||
- name: Vet
|
||||
run: go vet ./...
|
||||
- name: Download modules
|
||||
run: go mod download
|
||||
|
||||
- name: Test
|
||||
run: CGO_ENABLED=1 go test -race -timeout 120s ./...
|
||||
@@ -45,3 +48,18 @@ jobs:
|
||||
- uses: golangci/golangci-lint-action@v7
|
||||
with:
|
||||
version: v2.11.2
|
||||
|
||||
vulncheck:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.24"
|
||||
|
||||
- name: Install govulncheck
|
||||
run: go install golang.org/x/vuln/cmd/govulncheck@latest
|
||||
|
||||
- name: Run govulncheck
|
||||
run: govulncheck ./...
|
||||
|
||||
@@ -0,0 +1,68 @@
|
||||
name: Release
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- "[0-9]*"
|
||||
|
||||
jobs:
|
||||
release:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.24"
|
||||
|
||||
- uses: actions/cache@v4
|
||||
with:
|
||||
path: |
|
||||
~/go/pkg/mod
|
||||
~/.cache/go-build
|
||||
key: release-go-${{ hashFiles('go.sum') }}
|
||||
restore-keys: release-go-
|
||||
|
||||
- name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@v7
|
||||
with:
|
||||
distribution: goreleaser
|
||||
version: "~> v2"
|
||||
args: release --clean
|
||||
env:
|
||||
GORELEASER_FORCE_TOKEN: gitea
|
||||
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
|
||||
|
||||
docker:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [release]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Log in to Docker Hub
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: .
|
||||
push: true
|
||||
platforms: linux/amd64,linux/arm64
|
||||
tags: |
|
||||
lerkolabs/uptop:${{ github.ref_name }}
|
||||
lerkolabs/uptop:latest
|
||||
build-args: |
|
||||
VERSION=${{ github.ref_name }}
|
||||
COMMIT=${{ github.sha }}
|
||||
BUILD_DATE=${{ github.event.head_commit.timestamp }}
|
||||
Reference in New Issue
Block a user