ci: run secscan on release for security scanning and SBOM generation … #64
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - v* | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| binaries: | |
| name: Build concierge | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out the code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: false | |
| - name: Run tests | |
| run: | | |
| go test -v -race ./... | |
| - name: Setup goreleaser | |
| run: | | |
| sudo snap install --classic goreleaser | |
| - name: Build concierge | |
| id: build | |
| run: | | |
| goreleaser build --snapshot --clean | |
| cp dist/concierge_linux_amd64_v1/concierge . | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload binary artifact | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: binary | |
| path: ./concierge | |
| define-matrix: | |
| name: Define spread matrix | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| suites: ${{ steps.suites.outputs.suites }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| cache: false | |
| - name: Install | |
| run: | | |
| go install github.com/canonical/spread/cmd/spread@a3a44a96b6d00a72b0476756c70e3fb6610e7b48 # 2026-03-26 | |
| - name: Generate matrix list | |
| id: suites | |
| run: | | |
| list="$(spread -list github-ci | sed "s|github-ci:ubuntu-24.04:tests/||g" | jq -r -ncR '[inputs | select(length>0)]')" | |
| # Skip provider-microk8s test due to upstream MicroK8s bootstrap timeouts. | |
| skip='{ | |
| "provider-microk8s": "Uses microk8s snap." | |
| }' | |
| echo "Skipping these tests:" | |
| echo "$skip" | jq | |
| list=$(echo "$list" | jq --compact-output --argjson skip "$skip" 'map(select(. as $item | $skip | has($item) | not))') | |
| echo "suites=$list" | |
| echo "suites=$list" >> $GITHUB_OUTPUT | |
| spread-test: | |
| name: Spread (${{ matrix.suite }}) | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - binaries | |
| - define-matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| suite: ${{ fromJSON(needs.define-matrix.outputs.suites) }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Download binary artifact | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: binary | |
| - name: Setup Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: false | |
| - name: Install | |
| run: | | |
| go install github.com/canonical/spread/cmd/spread@a3a44a96b6d00a72b0476756c70e3fb6610e7b48 # 2026-03-26 | |
| - name: Run integration tests | |
| env: | |
| SUITE: ${{ matrix.suite }} | |
| run: | | |
| spread -v "github-ci:ubuntu-24.04:tests/${SUITE}" | |
| release: | |
| name: Release concierge | |
| runs-on: ubuntu-latest | |
| environment: main | |
| permissions: | |
| contents: write | |
| needs: | |
| - spread-test | |
| steps: | |
| - name: Check out the code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: false | |
| - name: Setup goreleaser | |
| run: | | |
| sudo snap install --classic goreleaser | |
| - name: Setup Snapcraft | |
| run: | | |
| sudo snap install snapcraft --channel=8.x/stable --classic | |
| mkdir -p $HOME/.cache/snapcraft/download | |
| mkdir -p $HOME/.cache/snapcraft/stage-packages | |
| - name: Release concierge | |
| id: build | |
| run: | | |
| goreleaser release --clean --verbose | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.STORE_TOKEN }} | |
| sbom-secscan: | |
| name: SBOM and secscan | |
| needs: | |
| - release | |
| uses: ./.github/workflows/sbom-secscan.yaml |