diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml new file mode 100644 index 0000000..89721df --- /dev/null +++ b/.github/workflows/test-and-build.yml @@ -0,0 +1,70 @@ +--- + +name: test-and-build +on: + push: + branches: ['*'] + tags: ['v*'] + +permissions: + contents: write + +jobs: + test-and-build: + defaults: + run: + shell: bash + + container: + image: luzifer/archlinux + env: + CGO_ENABLED: 0 + GOPATH: /go + + runs-on: ubuntu-latest + + steps: + - name: Enable custom AUR package repo + run: echo -e "[luzifer]\nSigLevel = Never\nServer = https://archrepo.hub.luzifer.io/\$arch" >>/etc/pacman.conf + + - name: Install required packages + run: | + pacman -Syy --noconfirm \ + awk \ + git \ + go \ + golangci-lint-bin \ + make \ + tar \ + trivy \ + zip + + - uses: actions/checkout@v3 + + - name: Marking workdir safe + run: git config --global --add safe.directory /__w/mqttcli/mqttcli + + - name: Build release + run: make publish + env: + FORCE_SKIP_UPLOAD: 'true' + MOD_MODE: readonly + NO_TESTS: 'true' + PACKAGES: '.' + + - name: Execute Trivy scan + run: make trivy + + - name: Extract changelog + run: 'awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md' + + - name: Release + uses: ncipollo/release-action@v1 + if: startsWith(github.ref, 'refs/tags/') + with: + artifacts: '.build/*' + bodyFile: release_changelog.md + draft: false + generateReleaseNotes: false + +... diff --git a/.repo-runner.yaml b/.repo-runner.yaml deleted file mode 100644 index a9ef466..0000000 --- a/.repo-runner.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- - -image: "reporunner/golang-alpine" -checkout_dir: /go/src/github.com/Luzifer/mqttcli - -commands: - - make publish - -environment: - CGO_ENABLED: 0 - DRAFT: 'false' - GO111MODULE: on diff --git a/Makefile b/Makefile index 9338123..bf84a5b 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,16 @@ publish: curl -sSLo golang.sh https://raw.githubusercontent.com/Luzifer/github-publish/master/golang.sh bash golang.sh + +# -- Vulnerability scanning -- + +trivy: + trivy fs . \ + --dependency-tree \ + --exit-code 1 \ + --format table \ + --ignore-unfixed \ + --quiet \ + --scanners config,license,secret,vuln \ + --severity HIGH,CRITICAL \ + --skip-dirs docs