gomodules: bump github.com/pulumi/pulumi/sdk/v3 from 3.142.0 to 3.148.0 #39
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Devenv | |
| # prettier-ignore | |
| on: # yamllint disable-line rule:truthy | |
| # Only run on pushes to the mainline branch. | |
| push: | |
| branches: | |
| - trunk | |
| # Only run on pull requests that target the mainline branch. | |
| pull_request: | |
| branches: | |
| - "trunk" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| packages: read | |
| pull-requests: write | |
| statuses: write | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| # GitHub | |
| PROJECT: ${{ github.repository }} | |
| BRANCH_NAME_CURRENT: ${{ github.head_ref || github.ref_name }} | |
| BRANCH_NAME_DEFAULT: ${{ github.event.repository.default_branch }} | |
| # Nix | |
| NIXPKGS_ALLOW_UNFREE: 1 | |
| # Go | |
| GO111MODULE: on | |
| GOFLAGS: -mod=readonly | |
| jobs: | |
| ################################################## | |
| # Test the Development environment shell | |
| ################################################## | |
| test: | |
| name: Test | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 60 | |
| continue-on-error: false | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| os: | |
| - ubuntu-latest | |
| steps: | |
| - id: checkout_repository | |
| name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| lfs: false | |
| submodules: recursive | |
| - id: install_nix | |
| name: "Install Nix ❄️" | |
| uses: cachix/install-nix-action@v30 | |
| with: | |
| github_access_token: ${{ secrets.GITHUB_TOKEN }} | |
| enable_kvm: true | |
| - id: cachix | |
| name: "Enable Cachix ❄️" | |
| uses: cachix/cachix-action@v15 | |
| if: vars.CACHIX_CACHE_NAME != '' | |
| with: | |
| name: ${{ vars.CACHIX_CACHE_NAME }} | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| useDaemon: true | |
| skipPush: false | |
| - id: cache | |
| name: Magic Nix cache | |
| uses: DeterminateSystems/magic-nix-cache-action@main | |
| - id: devenv_install | |
| name: Devenv install | |
| run: | | |
| nix profile install --accept-flake-config nixpkgs#devenv | |
| - id: devenv_gc | |
| name: Devenv gc | |
| run: | | |
| devenv gc | |
| - id: go_mod_download | |
| name: Go mod download | |
| shell: devenv shell --quiet bash -- -e {0} | |
| run: | | |
| go mod download | |
| - id: devenv_test | |
| name: Devenv test | |
| env: | |
| CACHIX_CACHE_NAME: ${{ env.CACHIX_CACHE_NAME }} | |
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| run: | | |
| devenv test | |
| - id: trivy_filesystem | |
| name: Trivy filesystem scan (SARIF) | |
| shell: devenv shell --quiet bash -- -e {0} | |
| run: > | |
| trivy | |
| filesystem | |
| --scanners vuln,misconfig,secret,license | |
| --format sarif | |
| --output trivy-results.sarif | |
| --exit-code 0 | |
| . | |
| - id: trivy_upload | |
| name: Trivy (upload) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - id: nancy_sleuth_deps | |
| name: Nancy (sleuth dependencies) | |
| shell: devenv shell --quiet bash -- -e {0} | |
| run: > | |
| go list -json -deps ./... | | |
| nancy sleuth --loud | |
| - id: nancy_sleuth_mod | |
| name: Nancy (sleuth modules) | |
| shell: devenv shell --quiet bash -- -e {0} | |
| run: > | |
| go list -json -mod=readonly -m all | | |
| nancy sleuth --loud | |
| --exclude-vulnerability | |
| CVE-2024-2660 | |
| ################################################## | |
| # Status reports | |
| ################################################## | |
| - id: devenv_status | |
| name: Devenv (status) | |
| if: always() | |
| shell: devenv shell --quiet bash -- -e {0} | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if [[ ${{ steps.devenv_test.outcome }} == 'success' ]]; | |
| then | |
| RESULT="success" | |
| DESCRIPTION="Devenv test passed" | |
| else | |
| RESULT="failure" | |
| DESCRIPTION="Devenv test failed" | |
| fi | |
| gh api \ | |
| repos/${{ github.repository }}/statuses/${{ github.sha }} \ | |
| -f state=${RESULT} \ | |
| -f context="${{ github.workflow }}" \ | |
| -f description="${DESCRIPTION}" \ | |
| -f target_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" || { | |
| echo "Failed to report devenv status"; exit 1; | |
| } | |
| - id: trivy_status | |
| name: Trivy (status) | |
| if: always() | |
| shell: devenv shell --quiet bash -- -e {0} | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if [[ ${{ steps.trivy_filesystem.outcome }} == 'success' ]]; | |
| then | |
| RESULT="success" | |
| DESCRIPTION="Trivy security scan passed" | |
| else | |
| RESULT="failure" | |
| DESCRIPTION="Trivy security scan failed" | |
| fi | |
| gh api \ | |
| repos/${{ github.repository }}/statuses/${{ github.sha }} \ | |
| -f state=${RESULT} \ | |
| -f context="${{ github.workflow }}" \ | |
| -f description="${DESCRIPTION}" \ | |
| -f target_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" || { | |
| echo "Failed to report trivy status"; exit 1; | |
| } |