build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.0 #2058
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR | |
on: | |
pull_request: | |
push: | |
jobs: | |
pr-short-tests: | |
name: Run short go tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: Ensure go version | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: run tests | |
run: make test | |
- name: Annotate tests | |
if: always() | |
uses: guyarb/[email protected] | |
with: | |
test-results: test.json | |
pr-check-docs-links: | |
name: Check docs for incorrect links | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Link Checker | |
uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
with: | |
args: --verbose --no-progress '*.md' '*.yaml' '*/*/*.go' --exclude-link-local | |
fail: true | |
# This should not be made a mandatory test | |
# It is only used to make us aware of any potential security failure, that | |
# should trigger a bump of the image in build/. | |
pr-vuln-scan: | |
name: Build image and scan it against known vulnerabilities | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Ensure go version | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Build image | |
run: VERSION="${{ steps.tags.outputs.sha_short }}" DH_ORG="${{ github.repository_owner }}" make image | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 | |
with: | |
image-ref: 'ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}' | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
# This ensures the latest code works with the manifests built from tree. | |
# It is useful for two things: | |
# - Test manifests changes (obviously), ensuring they don't break existing clusters | |
# - Ensure manifests work with the latest versions even with no manifest change | |
# (compared to helm charts, manifests cannot easily template changes based on versions) | |
# Helm charts are _trailing_ releases, while manifests are done during development. | |
# This test uses the "command" reboot-method. | |
e2e-manifests: | |
name: End-to-End test with kured with code and manifests from HEAD | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
testname: | |
- "TestE2EWithCommand" | |
- "TestE2EWithSignal" | |
- "TestE2EConcurrentWithCommand" | |
kubernetes_version: | |
- "previous" | |
- "current" | |
- "next" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Ensure go version | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Install kind | |
uses: helm/[email protected] | |
with: | |
install_only: true | |
version: v0.22.0 | |
- name: Run specific e2e tests | |
run: make e2e-test ARGS="-run ^${{ matrix.testname }}/${{ matrix.kubernetes_version }}" | |
e2e-tests-singleversion: | |
name: End-to-End test targetting a single version of kubernetes | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
testname: | |
- "TestCordonningIsKept/concurrency1" | |
- "TestCordonningIsKept/concurrency2" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Ensure go version | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Install kind | |
uses: helm/[email protected] | |
with: | |
install_only: true | |
version: v0.22.0 | |
- name: Run specific e2e tests | |
run: make e2e-test ARGS="-run ^${{ matrix.testname }}" |