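# CI pipeline: compile -> (lint | test | dep-scan) -> e2e-test.
# Every job that restores the Go build cache also refreshes trim.txt, otherwise
# Go considers the restored cache stale and rebuilds from scratch.
name: CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository. Jobs that need more (dep-scan uploads SARIF) declare it themselves.
permissions:
  contents: read

env:
  # Quoted so the toolchain versions stay strings ('1.20' would otherwise be read as 1.2).
  GO_VERSION: '1.20'
  NOMAD_VERSION: '1.4.4'
  CNI_VERSION: '1.1.1'

jobs:
  compile:
    runs-on: ubuntu-latest
    env:
      # Env values are always strings for the runner; quoting makes that explicit.
      CGO_ENABLED: '0'
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: ${{ env.GO_VERSION }}
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Update last trim for Go build cache
        # Go usually trims all builds not used for at least five days. We simulate that the last trim just occurred recently.
        # Otherwise, the cache restored in the previous step would not be used for the build resulting in a longer workflow run.
        # More details: https://github.com/golang/go/blob/d60ad1e068263832c711aaf17b6ccb1b7f71b000/src/cmd/go/internal/cache/cache.go#L255-L326
        # On a cache miss ~/.cache/go-build does not exist yet; continue-on-error keeps that from failing the job.
        run: date +%s > ~/.cache/go-build/trim.txt
        continue-on-error: true
      - name: Build
        run: make build-cover
      - name: Upload Poseidon binary
        uses: actions/upload-artifact@v3
        with:
          name: poseidon
          path: poseidon

  lint:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          # 'latest' is not reproducible: a new linter release can start failing
          # this job without any change to the repository.
          version: latest
          args: --timeout=3m

  test:
    runs-on: ubuntu-latest
    needs: [ compile ]
    steps:
      - uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: ${{ env.GO_VERSION }}
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Update last trim for Go build cache
        # Go usually trims all builds not used for at least five days. We simulate that the last trim just occurred recently.
        # Otherwise, the cache restored in the previous step would not be used for the build resulting in a longer workflow run.
        # More details: https://github.com/golang/go/blob/d60ad1e068263832c711aaf17b6ccb1b7f71b000/src/cmd/go/internal/cache/cache.go#L255-L326
        run: date +%s > ~/.cache/go-build/trim.txt
        continue-on-error: true
      - name: Run tests
        run: make coverhtml
      # The coverage steps run even when the tests fail so a red run still reports.
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v3
        if: ${{ success() || failure() }}
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Publish code coverage
        uses: paambaati/codeclimate-action@v3.2.0
        if: ${{ success() || failure() }}
        env:
          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
        with:
          prefix: github.com/openHPI/poseidon/
          coverageLocations: |
            ${{github.workspace}}/coverage/coverage.cov:gocov
      - name: Upload coverage report
        uses: actions/upload-artifact@v3
        if: ${{ success() || failure() }}
        with:
          name: coverage
          path: coverage/coverage_unit.html

  dep-scan:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    needs: [ compile ]
    # Skip only Dependabot pushes. Parentheses spell out the precedence the
    # expression already had (&& binds tighter than ||).
    if: github.event_name != 'push' || (github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' && github.actor != 'dependabot')
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in repo mode
        # '@master' tracks a moving branch: the scanner itself is a mutable
        # supply-chain input. Pin to a release tag or commit SHA like the other actions.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

  e2e-test:
    runs-on: ubuntu-latest
    needs: [ compile, test ]
    # The health-check loops in "Run e2e tests" have no bound; without a job
    # ceiling a daemon that never comes up pins the runner until the 6 h default.
    # 30 is a constructed starting value - tune to the job's usual run time.
    timeout-minutes: 30
    env:
      POSEIDON_AWS_ENABLED: 'false'
      POSEIDON_AWS_ENDPOINT: ${{ secrets.POSEIDON_AWS_ENDPOINT }}
      POSEIDON_AWS_FUNCTIONS: ""
      POSEIDON_NOMAD_DISABLEFORCEPULL: 'true'
      GOCOVERDIR: coverage
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Cache Go modules
        uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Update last trim for Go build cache
        # Go usually trims all builds not used for at least five days. We simulate that the last trim just occurred recently.
        # Otherwise, the cache restored in the previous step would not be used for the build resulting in a longer workflow run.
        # More details: https://github.com/golang/go/blob/d60ad1e068263832c711aaf17b6ccb1b7f71b000/src/cmd/go/internal/cache/cache.go#L255-L326
        run: date +%s > ~/.cache/go-build/trim.txt
        continue-on-error: true
      - name: Cache Nomad and CNI binaries
        uses: actions/cache@v3
        with:
          path: |
            ${{ github.workspace }}/nomad
            ${{ github.workspace }}/cni/bin
          key: ${{ runner.os }}-nomad-${{ env.NOMAD_VERSION }}
          restore-keys: |
            ${{ runner.os }}-nomad-${{ env.NOMAD_VERSION }}
      - name: Download Nomad binary
        # The SHA256SUMS check proves the zip matches the published checksum file.
        # Both files come from the same origin, so this is an integrity check, not
        # an authenticity check; HashiCorp also signs the SHA256SUMS file if that is wanted.
        run: |
          if [[ -f ./nomad ]]; then exit 0; fi
          wget -q "https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_amd64.zip"
          wget -q "https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS"
          grep "nomad_${NOMAD_VERSION}_linux_amd64.zip" nomad_${NOMAD_VERSION}_SHA256SUMS | sha256sum -c -
          unzip nomad_${NOMAD_VERSION}_linux_amd64.zip
      - name: Download CNI binaries
        # ./cni/bin is a directory (see mkdir below), so the cache short-circuit
        # must test with -d; with -f it never matched and the plugins were
        # re-downloaded on every run despite a cache hit.
        run: |
          if [[ -d ./cni/bin ]]; then exit 0; fi
          wget -q "https://github.com/containernetworking/plugins/releases/download/v${CNI_VERSION}/cni-plugins-linux-amd64-v${CNI_VERSION}.tgz"
          wget -q "https://github.com/containernetworking/plugins/releases/download/v${CNI_VERSION}/cni-plugins-linux-amd64-v${CNI_VERSION}.tgz.sha256"
          grep "cni-plugins-linux-amd64-v${CNI_VERSION}.tgz" cni-plugins-linux-amd64-v${CNI_VERSION}.tgz.sha256 | sha256sum -c -
          mkdir -p ./cni/bin
          tar zxvf cni-plugins-linux-amd64-v${CNI_VERSION}.tgz -C ./cni/bin
      - name: Set Nomad Config
        run: |
          cp ./docs/resources/secure-bridge.conflist ./cni/secure-bridge.conflist
          echo "server { default_scheduler_config { memory_oversubscription_enabled = true } }, client { cni_path = \"${{ github.workspace }}/cni/bin\", cni_config_dir = \"${{ github.workspace }}/cni\" }" > e2e-config.hcl
      - name: Download Poseidon binary
        uses: actions/download-artifact@v3
        with:
          name: poseidon
      - name: Get current branch name
        id: branch-name
        uses: tj-actions/branch-names@v6
      - name: Checkout matching branch for Dockerfiles (optional)
        id: checkout-dockerfiles
        if: steps.branch-name.outputs.is_default == 'false'
        uses: actions/checkout@v3
        # A missing same-named branch in the dockerfiles repo is expected; the
        # next step checks this step's outcome instead.
        continue-on-error: true
        with:
          repository: openHPI/dockerfiles
          path: deploy/dockerfiles
          ref: ${{ steps.branch-name.outputs.current_branch }}
      - name: Build new e2e test image (optional)
        if: steps.checkout-dockerfiles.outcome == 'success'
        run: make e2e-test-docker-image
      - name: Run e2e tests
        # Nomad and Poseidon are started in the background and polled until their
        # health endpoints answer; the job-level timeout-minutes bounds these loops.
        run: |
          sudo ./nomad agent -dev -log-level=WARN -config e2e-config.hcl &
          until curl -s --fail http://localhost:4646/v1/agent/health ; do sleep 1; done
          chmod +x ./poseidon
          mkdir -p ${GOCOVERDIR}
          ./poseidon &
          until curl -s --fail http://localhost:7200/api/v1/health ; do sleep 1; done
          make e2e-test
      - name: Run e2e recovery tests
        run: |
          killall poseidon
          make e2e-test-recovery
        if: ${{ success() || failure() }}
      - name: Convert coverage reports
        run: make convert-run-coverage
        if: ${{ success() || failure() }}
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v3
        if: ${{ success() || failure() }}
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Upload coverage report
        uses: actions/upload-artifact@v3
        if: ${{ success() || failure() }}
        with:
          name: coverage
          path: coverage/coverage_run.html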