security: harden github actions #181
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run Common Setup | |
| uses: ./.github/actions/setup | |
| - name: Cache Go tools | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5.0.5 | |
| with: | |
| path: | | |
| ~/go/bin/golangci-lint | |
| ~/go/bin/vacuum | |
| key: go-tools-${{ runner.os }}-${{ hashFiles('go.mod') }} | |
| restore-keys: go-tools-${{ runner.os }}- | |
| - name: Install Go tools | |
| run: | | |
| test -x ~/go/bin/golangci-lint || go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest | |
| test -x ~/go/bin/vacuum || go install github.com/daveshanley/vacuum@latest | |
| - name: Build Templates | |
| run: just build-templates | |
| - name: Run Linter | |
| run: just lint | |
| - name: Validate OpenAPI Spec | |
| run: just check-spec | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run Common Setup | |
| uses: ./.github/actions/setup | |
| - name: Build Templates | |
| run: just build-templates | |
| - name: Run Tests | |
| run: just test | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run Common Setup | |
| uses: ./.github/actions/setup | |
| - name: Build Application | |
| run: just build | |
| - name: Upload binary | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1 | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| name: pkgstatsd | |
| path: pkgstatsd | |
| retention-days: 7 | |
| deploy: | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Download binary | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1 | |
| with: | |
| name: pkgstatsd | |
| - name: Deploy | |
| env: | |
| SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }} | |
| KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }} | |
| DEPLOY_HOST: ${{ vars.DEPLOY_HOST }} | |
| DEPLOY_SSH_PORT: ${{ vars.DEPLOY_SSH_PORT }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 | |
| echo "$KNOWN_HOSTS" > ~/.ssh/known_hosts | |
| chmod 600 ~/.ssh/id_ed25519 | |
| chmod +x pkgstatsd | |
| rsync -e "ssh -p ${DEPLOY_SSH_PORT}" pkgstatsd pkgstatsd@${DEPLOY_HOST}:/opt/pkgstatsd/pkgstatsd.new | |
| ssh -p "${DEPLOY_SSH_PORT}" pkgstatsd@${DEPLOY_HOST} "mv /opt/pkgstatsd/pkgstatsd.new /opt/pkgstatsd/pkgstatsd" |