Skip to content

ci: run secscan on release for security scanning and SBOM generation … #64

ci: run secscan on release for security scanning and SBOM generation …

ci: run secscan on release for security scanning and SBOM generation … #64

Workflow file for this run

name: Release
on:
push:
tags:
- v*
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
binaries:
name: Build concierge
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
cache: false
- name: Run tests
run: |
go test -v -race ./...
- name: Setup goreleaser
run: |
sudo snap install --classic goreleaser
- name: Build concierge
id: build
run: |
goreleaser build --snapshot --clean
cp dist/concierge_linux_amd64_v1/concierge .
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload binary artifact
uses: actions/upload-artifact@v7
with:
name: binary
path: ./concierge
define-matrix:
name: Define spread matrix
runs-on: ubuntu-24.04
outputs:
suites: ${{ steps.suites.outputs.suites }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v6
with:
cache: false
- name: Install
run: |
go install github.com/canonical/spread/cmd/spread@a3a44a96b6d00a72b0476756c70e3fb6610e7b48 # 2026-03-26
- name: Generate matrix list
id: suites
run: |
list="$(spread -list github-ci | sed "s|github-ci:ubuntu-24.04:tests/||g" | jq -r -ncR '[inputs | select(length>0)]')"
# Skip provider-microk8s test due to upstream MicroK8s bootstrap timeouts.
skip='{
"provider-microk8s": "Uses microk8s snap."
}'
echo "Skipping these tests:"
echo "$skip" | jq
list=$(echo "$list" | jq --compact-output --argjson skip "$skip" 'map(select(. as $item | $skip | has($item) | not))')
echo "suites=$list"
echo "suites=$list" >> $GITHUB_OUTPUT
spread-test:
name: Spread (${{ matrix.suite }})
runs-on: ubuntu-24.04
needs:
- binaries
- define-matrix
strategy:
fail-fast: false
matrix:
suite: ${{ fromJSON(needs.define-matrix.outputs.suites) }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Download binary artifact
uses: actions/download-artifact@v8
with:
name: binary
- name: Setup Go
uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
cache: false
- name: Install
run: |
go install github.com/canonical/spread/cmd/spread@a3a44a96b6d00a72b0476756c70e3fb6610e7b48 # 2026-03-26
- name: Run integration tests
env:
SUITE: ${{ matrix.suite }}
run: |
spread -v "github-ci:ubuntu-24.04:tests/${SUITE}"
release:
name: Release concierge
runs-on: ubuntu-latest
environment: main
permissions:
contents: write
needs:
- spread-test
steps:
- name: Check out the code
uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
cache: false
- name: Setup goreleaser
run: |
sudo snap install --classic goreleaser
- name: Setup Snapcraft
run: |
sudo snap install snapcraft --channel=8.x/stable --classic
mkdir -p $HOME/.cache/snapcraft/download
mkdir -p $HOME/.cache/snapcraft/stage-packages
- name: Release concierge
id: build
run: |
goreleaser release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.STORE_TOKEN }}
sbom-secscan:
name: SBOM and secscan
needs:
- release
uses: ./.github/workflows/sbom-secscan.yaml