mirror of
https://github.com/hashicorp/vault.git
synced 2025-12-25 03:11:40 +01:00
ce5885279b
As the Vault pipeline and release processes evolve over time, so too must the tooling that drives them. Historically we've utilized a combination of CI features and shell scripts that are wrapped into make targets to drive our CI. While this approach has worked, it requires careful consideration of what features to use (bash in CI almost never matches bash in developer machines, etc.) and often requires a deep understanding of several CLI tools (jq, etc). `make` itself also has limitations in user experience, e.g. passing flags. As we're all in on Github Actions as our pipeline coordinator, continuing to utilize and build CLI tools to perform our pipeline tasks makes sense. This PR adds a new CLI tool called `pipeline` which we can use to build new isolated tasks that we can string together in Github Actions. We intend to use this utility as the interface for future release automation work, see VAULT-27514. For the first task in this new `pipeline` tool, I've chosen to build two small sub-commands: * `pipeline releases list-versions` - Allows us to list Vault versions between a range. The range is configurable either by setting `--upper` and/or `--lower` bounds, or by using the `--nminus` to set the N-X to go back from the current branches version. As CE and ENT do not have version parity we also consider the `--edition`, as well as none-to-many `--skip` flags to exclude specific versions. * `pipeline generate enos-dynamic-config` - Which creates dynamic enos configuration based on the branch and the current list of release versions. It takes largely the same flags as the `release list-versions` command, however it also expects a `--dir` for the enos directory and a `--file` where the dynamic configuration will be written. This allows us to dynamically update and feed the latest versions into our sampling algorithm to get coverage over all supported prior versions. We then integrate these new tools into the pipeline itself and cache the dynamic config on a weekly basis. We also cache the pipeline tool itself as it will likely become a repository for pipeline specific tooling. The caching strategy for the `pipeline` tool itself will make most workflows that require it super fast. Signed-off-by: Ryan Cragun <me@ryan.ec>
103 lines
3.2 KiB
YAML
103 lines
3.2 KiB
YAML
name: Run linters
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
push:
|
|
branches:
|
|
- main
|
|
- release/**
|
|
|
|
concurrency:
|
|
group: ${{ github.head_ref || github.run_id }}-lint
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
setup:
|
|
name: Setup
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
- name: Ensure Go modules are cached
|
|
uses: ./.github/actions/set-up-go
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
no-restore: true # don't download them on a cache hit
|
|
|
|
deprecations:
|
|
name: Deprecated functions
|
|
runs-on: ubuntu-latest
|
|
needs: setup
|
|
if: github.base_ref == 'main'
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
with:
|
|
fetch-depth: 0
|
|
- uses: ./.github/actions/set-up-go
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
- uses: ./.github/actions/install-external-tools # for staticcheck
|
|
- run: make ci-deprecations
|
|
name: Check deprecations
|
|
|
|
codechecker:
|
|
name: Code checks
|
|
runs-on: ubuntu-latest
|
|
needs: setup
|
|
if: github.base_ref == 'main'
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
with:
|
|
fetch-depth: 0
|
|
- uses: ./.github/actions/set-up-go
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
- uses: ./.github/actions/install-external-tools # for buf
|
|
# Note: if there is a function we want to ignore the nilnil check for,
|
|
# You can add 'ignore-nil-nil-function-check' somewhere in the
|
|
# godoc for the function.
|
|
- run: make ci-vet-codechecker
|
|
name: Check custom linters
|
|
- run: make protolint
|
|
name: Protobuf lint
|
|
|
|
generate-delta:
|
|
name: Protobuf generate delta
|
|
runs-on: ubuntu-latest
|
|
needs: setup
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
- uses: ./.github/actions/set-up-go
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
- uses: ./.github/actions/install-external-tools # for buf and protoc-*
|
|
- name: Check generate delta
|
|
run: make prep check-proto-delta
|
|
|
|
format:
|
|
name: Format
|
|
runs-on: ubuntu-latest
|
|
needs: setup
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
- uses: ./.github/actions/set-up-go
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
- uses: ./.github/actions/install-external-tools # for buf and gofumpt
|
|
- name: Go format
|
|
run: make prep check-go-fmt
|
|
- name: Protobuf format
|
|
run: |
|
|
echo "Using buf version $(buf --version)"
|
|
make check-proto-fmt
|
|
|
|
semgrep:
|
|
name: Semgrep
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: returntocorp/semgrep@sha256:cfad18cfb6536aa48ad5a71017207a10320b4e17e3b2bd7b7de27b42dc9651e7 #v1.58
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
- name: Run Semgrep Rules
|
|
run: semgrep ci --include '*.go' --config 'tools/semgrep/ci'
|