chore(main): release 0.9.0 (auto-release) (#76) #228
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Terraform Provider testing workflow. | |
| name: Tests | |
| # This GitHub action runs your tests for each pull request and push. | |
| # Optionally, you can turn it on using a schedule for regular testing. | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: github-hosted-small | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 | |
| with: | |
| languages: go | |
| build-mode: manual # go build must be run between this step and the analysis step | |
| queries: security-extended,security-and-quality | |
| - run: go mod download | |
| - run: go build -v . | |
| - run: go vet ./... | |
| - run: go tool staticcheck ./... | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 | |
| with: | |
| category: "/language:go" | |
| - name: Archive Build | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: build | |
| path: | | |
| terraform-provider-quicknode | |
| pr-scan: | |
| uses: circlefin/circle-public-github-workflows/.github/workflows/pr-scan.yaml@v1 | |
| trivy-scan: | |
| name: Trivy Scan | |
| runs-on: github-hosted-small | |
| permissions: | |
| actions: read | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| # setup-trivy's install.sh downloads from get.trivy.dev; some runners cannot resolve it (curl exit 6). | |
| - name: Install Trivy from GitHub releases | |
| shell: bash | |
| env: | |
| TRIVY_VERSION: '0.69.3' | |
| RUNNER_ARCH: ${{ runner.arch }} | |
| run: | | |
| set -euo pipefail | |
| case "$RUNNER_ARCH" in | |
| X64) suffix='Linux-64bit' ;; | |
| ARM64) suffix='Linux-ARM64' ;; | |
| *) echo "unsupported runner.arch=$RUNNER_ARCH"; exit 1 ;; | |
| esac | |
| ver="v${TRIVY_VERSION}" | |
| name="trivy_${TRIVY_VERSION}_${suffix}.tar.gz" | |
| curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/${ver}/${name}" -o trivy.tgz | |
| tar -xzf trivy.tgz trivy | |
| mkdir -p "$HOME/bin" | |
| install -m 0755 trivy "$HOME/bin/trivy" | |
| echo "$HOME/bin" >> "$GITHUB_PATH" | |
| rm -f trivy trivy.tgz | |
| # No upload-sarif: org repo may not expose GitHub Code Scanning UI (GHAS). Artifact + summary below. | |
| # scanners=vuln: dependency CVEs only (secret scanner often false-positives on fixtures/docs). | |
| - name: Trivy Scan | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| skip-setup-trivy: true | |
| version: v0.69.3 | |
| scan-type: fs | |
| scan-ref: '.' | |
| scanners: vuln | |
| exit-code: '1' | |
| output: trivy-results.sarif | |
| format: sarif | |
| # On public repos, workflow artifacts are world-readable; SARIF is low-risk (same as go.mod+CVE DB) | |
| # but we only attach it for private repos. Public: table in job summary only. | |
| - name: Upload Trivy SARIF artifact | |
| if: always() && github.event.repository.private | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: trivy-results | |
| path: trivy-results.sarif | |
| if-no-files-found: warn | |
| - name: Trivy table (job summary) | |
| if: always() | |
| shell: bash | |
| run: | | |
| { | |
| echo '### Trivy filesystem scan (vulnerabilities only)' | |
| echo '' | |
| if [[ "${{ github.event.repository.private }}" == "true" ]]; then | |
| echo 'Full SARIF: workflow artifact **trivy-results** (private repo only).' | |
| else | |
| echo 'Public repo: no SARIF artifact (artifacts are public). Table below matches dependency scan.' | |
| fi | |
| echo '' | |
| echo '```' | |
| trivy fs --scanners vuln --format table --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --exit-code 0 . | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| generate: | |
| runs-on: github-hosted-small | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_wrapper: false | |
| - run: make generate | |
| - name: git diff | |
| run: | | |
| git diff --compact-summary --exit-code || \ | |
| (echo; echo "Unexpected difference in directories after code generation. Run 'make generate' command and commit."; exit 1) | |
| - name: setup goreleaser | |
| uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 | |
| with: | |
| install-only: true | |
| - run: make validate | |
| test: | |
| name: Terraform Provider Unit Tests | |
| needs: build | |
| runs-on: github-hosted-small | |
| timeout-minutes: 5 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - run: go mod download | |
| - run: go test -v -cover ./... -run Test -skip TestAcc | |
| # Run acceptance tests in a matrix with Terraform CLI versions | |
| acctest: | |
| # skip when triggered by dependabot, due to no access to secrets | |
| if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }} | |
| name: Terraform Provider Acceptance Tests | |
| needs: build | |
| runs-on: github-hosted-small | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # list whatever Terraform versions here you would like to support | |
| terraform: | |
| - '1.8.*' | |
| - '1.9.*' | |
| - '1.10.*' | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: ${{ matrix.terraform }} | |
| terraform_wrapper: false | |
| - run: go mod download | |
| - env: | |
| TF_ACC: "1" | |
| QUICKNODE_APIKEY: ${{ secrets.QUICKNODE_APIKEY }} | |
| run: go test -v -cover ./... -run TestAcc | |
| timeout-minutes: 10 | |
| rollup: | |
| name: Success Rollup | |
| if: always() | |
| needs: | |
| - build | |
| - pr-scan | |
| - trivy-scan | |
| - generate | |
| - test | |
| - acctest | |
| runs-on: github-hosted-small | |
| permissions: {} | |
| steps: | |
| - run: exit 1 | |
| if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} |