Inspect source code for security issues #910
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test | |
| on: | |
| pull_request: | |
| paths: | |
| - '.github/workflows/test.yml' | |
| - 'cmd/**' | |
| - 'pkg/**' | |
| - 'test/**' | |
| - 'go.mod' | |
| - 'go.sum' | |
| - 'makefile' | |
| - '!**/*.md' | |
| push: | |
| branches: [ main ] | |
| workflow_call: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| lint: | |
| name: Lint | |
| timeout-minutes: 10 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| cache-dependency-path: | | |
| **/go.mod | |
| **/go.sum | |
| - uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0 | |
| with: | |
| version: latest | |
| skip-cache: true | |
| args: "--verbose --print-issued-lines --print-linter-name --out-${NO_FUTURE}format colored-line-number --timeout 300s --max-issues-per-linter 0 --max-same-issues 0" | |
| format: | |
| name: Format | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| egress-policy: audit | |
| - name: Check out repository code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| cache-dependency-path: | | |
| **/go.mod | |
| **/go.sum | |
| - name: Check formatting | |
| run: | | |
| make format-check | |
| gosec: | |
| runs-on: ubuntu-latest | |
| env: | |
| GO111MODULE: on | |
| steps: | |
| - name: Checkout Source | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0 | |
| with: | |
| args: 'gosec -severity high,critical -exclude-dir=test ./...' | |
| vulnerability-check: | |
| name: "Vulnerability check" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| egress-policy: audit | |
| - name: Scan for Vulnerabilities | |
| uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| go-package: ./... | |
| test: | |
| strategy: | |
| matrix: | |
| platform: [ubuntu-latest, windows-latest, macos-latest] | |
| include: | |
| - platform: ubuntu-latest | |
| target: linux | |
| - platform: windows-latest | |
| target: windows | |
| - platform: macos-latest | |
| target: darwin | |
| name: 'Test (${{ matrix.target }})' | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| egress-policy: audit | |
| - name: Install macos deps | |
| if: ${{ startsWith(matrix.platform, 'macos') }} | |
| run: | | |
| brew install \ | |
| ninja | |
| - name: Install linux deps | |
| if: ${{ startsWith(matrix.platform, 'ubuntu') }} | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install \ | |
| ninja-build | |
| - name: Install windows deps | |
| if: ${{ startsWith(matrix.platform, 'windows') }} | |
| run: choco install -y ninja | |
| - name: Check out repository code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| cache-dependency-path: | | |
| **/go.mod | |
| **/go.sum | |
| - name: Install go-junit-report | |
| run: go install github.com/jstemmer/go-junit-report/v2@latest | |
| - name: Unit testing | |
| run: | | |
| mkdir -p build | |
| go test -v ./... > build/cbuildtests-${{ matrix.target }}-amd64.txt | |
| - name: Generate JUnit test report | |
| if: always() | |
| run: | | |
| go-junit-report -set-exit-code -in build/cbuildtests-${{ matrix.target }}-amd64.txt -iocopy -out build/cbuild-testreport-${{ matrix.target }}-amd64.xml | |
| - name: Install qemu (for Linux-Arm64) | |
| if: ${{ startsWith(runner.os, 'Linux') }} | |
| run: | | |
| sudo apt update | |
| sudo apt-get install -y \ | |
| gcc-aarch64-linux-gnu \ | |
| g++-aarch64-linux-gnu \ | |
| qemu-user-binfmt | |
| - name: Unit testing (for Linux-Arm64) | |
| if: ${{ startsWith(runner.os, 'Linux') && always() }} | |
| run: | | |
| GOOS=linux GOARCH=arm64 go test -v ./... > build/cbuildtests-${{ matrix.target }}-arm64.txt | |
| - name: Generate JUnit test report (for Linux-Arm64) | |
| if: ${{ startsWith(runner.os, 'Linux') && always() }} | |
| run: | | |
| go-junit-report -set-exit-code -in build/cbuildtests-${{ matrix.target }}-arm64.txt -iocopy -out build/cbuild-testreport-${{ matrix.target }}-arm64.xml | |
| - name: Archive unit test results | |
| uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 | |
| with: | |
| name: test-results-${{ matrix.target }} | |
| path: ./build/cbuild-testreport-*.xml | |
| if-no-files-found: error | |
| publish-test-results: | |
| if: ${{ github.workflow != 'Release' }} | |
| name: "Publish Tests Results" | |
| needs: [ test ] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| checks: write | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| egress-policy: audit | |
| - name: Download Artifacts | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| path: artifacts | |
| - name: publish test results | |
| uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0 | |
| with: | |
| files: "artifacts/**/cbuild-testreport-*.xml" | |
| report_individual_runs: true | |
| coverage: | |
| if: ${{ github.workflow != 'Release' && github.repository == 'Open-CMSIS-Pack/cbuild' }} | |
| needs: [ test ] | |
| name: 'Coverage check' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| egress-policy: audit | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install \ | |
| ninja-build | |
| - name: Check out repository code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| cache-dependency-path: | | |
| **/go.mod | |
| **/go.sum | |
| - name: Check coverage | |
| run: | | |
| make coverage-check | |
| - name: Publish coverage report to Code Climate | |
| uses: paambaati/codeclimate-action@f429536ee076d758a24705203199548125a28ca7 # v9.0.0 | |
| env: | |
| CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} | |
| with: | |
| debug: true | |
| coverageLocations: ./build/cover.out:gocov | |
| prefix: github.com/Open-CMSIS-Pack/cbuild/v2 |