score-compose/.github/workflows/ci.yaml at main · score-spec/score-compose · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
name: ci
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  push:
    branches:
      - main
permissions:
  contents: read
jobs:
  test-code:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - name: checkout code in current PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Fetch all tags
        run: git fetch --force --tags
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'
      - name: Run Go Vet
        run: go vet ./...
      - name: Run Go Tests
        run: go test ./... -cover -race
      - name: Build binary
        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
        with:
          distribution: goreleaser
          version: '~> v2'
          args: build --snapshot
      - name: Install license check tool
        run: go install github.com/google/addlicense@dc31ac9ffcca99c9457226366135701794b128c0
      - name: Check licenses
        run: addlicense -l apache -check -v -ignore '**/*.yaml' -c 'The Score Authors' ./cmd ./internal/
  test-multi-arch-build:
    uses: docker/github-builder/.github/workflows/build.yml@073833262a23a17675c95c4541ab063b7646756b # v1.9.0
    if: ${{ !github.event.pull_request.head.repo.fork }}
    with:
      output: image
      push: false
      platforms: linux/amd64,linux/arm64
      sbom: true
      cache: true
      context: .
      set-meta-labels: true
      set-meta-annotations: true
      meta-images: |
        score-compose
      meta-tags: |
        type=ref,event=pr
    secrets:
      registry-auths: |
        - username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
  test-container:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    if: ${{ !github.event.pull_request.head.repo.fork }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - name: checkout code in current PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up Docker
        uses: docker/setup-docker-action@b2189fbf2a6592b51fee7cdd93ee2bfaeba733db # v5.1.0
        with:
          daemon-config: |
            {
              "debug": true,
              "features": {
                "containerd-snapshotter": true
              }
            }
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: latest
      - name: docker login docker.io
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      - name: docker login dhi.io
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: dhi.io
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      - name: Build container image from PR branch
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          push: false
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: mode=max
          sbom: true
          tags: score-compose:pr-${{ github.event.number }}
      - name: docker images
        run: |
          docker images
      - name: checkout code in main branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: main
      - name: Build container image from main branch
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          push: false
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: mode=max
          sbom: true
          tags: score-compose:main
      - name: docker images
        run: |
          docker images
      - name: Docker Scout Comparison between main branch and current PR branch
        uses: docker/scout-action@cd72f264beff1cd72735de31148b9d3244a0234a # v1.21.0
        with:
          command: compare
          image: local://score-compose:pr-${{ github.event.number }}
          to: local://score-compose:main
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          organization: ${{ secrets.DOCKER_HUB_ORG }}
      - name: Test docker image built in PR branch
        run: |
          mkdir test
          sudo chown -R 65532:65532 test/
          cd test
          docker run --rm score-compose:pr-${{ github.event.number }} --version
          docker run -v .:/score-compose --rm score-compose:pr-${{ github.event.number }} init
          cat score.yaml