build(deps): bump github.com/securego/gosec/v2 from 2.21.3 to 2.22.0 in /internal/tools #155
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous Integration | |
| concurrency: | |
| # For pushes, this lets concurrent runs happen, so each push gets a result. | |
| # But for other events (e.g. PRs), we can cancel the previous runs. | |
| group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.sha || github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| pull_request: | |
| branches: [main] | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| install-tools: | |
| name: Install Tools | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version-file: go.mod | |
| cache: false | |
| - name: Cache Go and Tools | |
| id: cache | |
| timeout-minutes: 5 | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: | | |
| ~/go/bin | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| ./.tools | |
| key: go-cache-${{ hashFiles('**/go.sum') }} | |
| - name: Make install-tools | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: make install-tools | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| needs: install-tools | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version-file: go.mod | |
| cache: false | |
| - name: Cache Go | |
| timeout-minutes: 5 | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: | | |
| ~/go/bin | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| ./.tools | |
| key: go-cache-${{ hashFiles('**/go.sum') }} | |
| fail-on-cache-miss: true | |
| - name: Check packages are up-to-date | |
| run: | | |
| make tidy-all | |
| git diff -s --exit-code || (echo 'Packages are out of date. Run make tidy-all and commit the changes' && git --no-pager diff && exit 1) | |
| - name: Check Code Generation | |
| run: | | |
| make generate | |
| git diff -s --exit-code || (echo 'Generated code is out of date. Run make generate and commit the changes' && git --no-pager diff && exit 1) | |
| - name: Check crosslink run | |
| run: | | |
| make crosslink | |
| git diff -s --exit-code || (echo 'Replace statements not updated. Run make crosslink and commit the changes' && git --no-pager diff && exit 1) | |
| - name: Check formatting | |
| run: | | |
| make fmt-all | |
| git diff -s --exit-code || (echo 'Code is not formatted. Run make fmt-all and commit the changes' && git --no-pager diff && exit 1) | |
| - name: Check dependabot config | |
| run: | | |
| make gendependabot | |
| git diff -s --exit-code || (echo 'Dependabot config is out of date. Run make gendependabot and commit the changes' && git --no-pager diff && exit 1) | |
| - name: Make lint-all | |
| run: make lint-all | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| needs: install-tools | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version-file: go.mod | |
| cache: false | |
| - name: Cache Go | |
| timeout-minutes: 5 | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: | | |
| ~/go/bin | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| ./.tools | |
| key: go-cache-${{ hashFiles('**/go.sum') }} | |
| fail-on-cache-miss: true | |
| - name: Make test-all | |
| run: make test-all | |
| build-and-push: | |
| name: Build & push | |
| runs-on: ubuntu-latest | |
| needs: | |
| - lint | |
| - test | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Push to GAR | |
| uses: grafana/shared-workflows/actions/push-to-gar-docker@main | |
| with: | |
| # Only push to GAR on main branch pushes | |
| push: ${{ github.event_name == 'push' && github.ref_name == 'main' && 'true' || 'false' }} | |
| tags: |- | |
| ${{ github.sha }} | |
| "latest" | |
| context: "." | |
| image_name: "grafana-ci-otel-collector" | |
| environment: "dev" | |
| - name: Export GHA URL | |
| if: ${{ github.event_name == 'push' && github.ref_name == 'main' && true || false }} | |
| id: export-gha-url | |
| shell: bash | |
| run: | | |
| GHA_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| echo "gha_url=${GHA_URL}" >> "${GITHUB_OUTPUT}" | |
| - name: Get Vault secrets | |
| if: ${{ github.event_name == 'push' && github.ref_name == 'main' && true || false }} | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@main | |
| with: | |
| common_secrets: | | |
| GITHUB_APP_ID=updater-app:app-id | |
| GITHUB_APP_INSTALLATION_ID=updater-app:app-installation-id | |
| GITHUB_APP_PRIVATE_KEY=updater-app:private-key | |
| - name: Authenticate to GAR | |
| uses: grafana/shared-workflows/actions/login-to-gar@main | |
| with: | |
| environment: prod # logging in to prod to pull the updater image from grafanalabs-global | |
| - name: Update jsonnet (dev) | |
| if: ${{ github.event_name == 'push' && github.ref_name == 'main' && true || false }} | |
| run: | | |
| set -e -o pipefail | |
| cat << EOF > config.json | |
| { | |
| "destination_branch": "master", | |
| "git_author_email": "119986603+updater-for-ci[bot]@users.noreply.github.com", | |
| "git_author_name": "updater-for-ci[bot]", | |
| "git_committer_email": "119986603+updater-for-ci[bot]@users.noreply.github.com", | |
| "git_committer_name": "updater-for-ci[bot]", | |
| "pull_request_branch_prefix": "auto-merge/cicd-o11y/update-images/", | |
| "pull_request_enabled": true, | |
| "pull_request_existing_strategy": "replace", | |
| "pull_request_message": "Created by scheduled GHA build ${{ steps.export-gha-url.outputs.gha_url }}\n", | |
| "pull_request_title": "[Auto Merge]CI/CD O11y: Update dev image", | |
| "repo_name": "deployment_tools", | |
| "repo_owner": "grafana", | |
| "update_jsonnet_attribute_configs": [ | |
| { | |
| "file_path": "ksonnet/environments/cicd-o11y/images/dev.libsonnet", | |
| "jsonnet_key": "image", | |
| "jsonnet_value": "us-docker.pkg.dev/grafanalabs-dev/docker-grafana-ci-otel-collector-dev/grafana-ci-otel-collector:${{ github.sha }}" | |
| } | |
| ] | |
| } | |
| EOF | |
| docker run --rm \ | |
| -e GITHUB_APP_ID="$GITHUB_APP_ID" \ | |
| -e GITHUB_APP_INSTALLATION_ID="$GITHUB_APP_INSTALLATION_ID" \ | |
| -e GITHUB_APP_PRIVATE_KEY="$GITHUB_APP_PRIVATE_KEY" \ | |
| -e CONFIG_JSON="$(cat config.json)" us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/updater |& tee updater-output.log | |
| - name: Update jsonnet (ops) | |
| if: ${{ github.event_name == 'push' && github.ref_name == 'main' && true || false }} | |
| run: | | |
| set -e -o pipefail | |
| cat << EOF > config.json | |
| { | |
| "destination_branch": "master", | |
| "git_author_email": "119986603+updater-for-ci[bot]@users.noreply.github.com", | |
| "git_author_name": "updater-for-ci[bot]", | |
| "git_committer_email": "119986603+updater-for-ci[bot]@users.noreply.github.com", | |
| "git_committer_name": "updater-for-ci[bot]", | |
| "pull_request_branch_prefix": "cicd-o11y/update-images/", | |
| "pull_request_enabled": true, | |
| "pull_request_existing_strategy": "replace", | |
| "pull_request_message": "Created by scheduled GHA build ${{ steps.export-gha-url.outputs.gha_url }}\n", | |
| "pull_request_title": "CI/CD O11y: Update ops image", | |
| "repo_name": "deployment_tools", | |
| "repo_owner": "grafana", | |
| "update_jsonnet_attribute_configs": [ | |
| { | |
| "file_path": "ksonnet/environments/cicd-o11y/images/ops.libsonnet", | |
| "jsonnet_key": "image", | |
| "jsonnet_value": "us-docker.pkg.dev/grafanalabs-dev/docker-grafana-ci-otel-collector-dev/grafana-ci-otel-collector:${{ github.sha }}" | |
| } | |
| ] | |
| } | |
| EOF | |
| docker run --rm \ | |
| -e GITHUB_APP_ID="$GITHUB_APP_ID" \ | |
| -e GITHUB_APP_INSTALLATION_ID="$GITHUB_APP_INSTALLATION_ID" \ | |
| -e GITHUB_APP_PRIVATE_KEY="$GITHUB_APP_PRIVATE_KEY" \ | |
| -e CONFIG_JSON="$(cat config.json)" us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/updater |& tee updater-output.log |