Skip to content

chore(main): release 0.9.0 (auto-release) (#76) #228

chore(main): release 0.9.0 (auto-release) (#76)

chore(main): release 0.9.0 (auto-release) (#76) #228

Workflow file for this run

# Terraform Provider testing workflow.
name: Tests
# This GitHub action runs your tests for each pull request and push.
# Optionally, you can turn it on using a schedule for regular testing.
on:
pull_request:
branches:
- main
push:
branches:
- main
jobs:
build:
name: Build
runs-on: github-hosted-small
permissions:
contents: read
actions: read
security-events: write
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: 'go.mod'
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: go
build-mode: manual # go build must be run between this step and the analysis step
queries: security-extended,security-and-quality
- run: go mod download
- run: go build -v .
- run: go vet ./...
- run: go tool staticcheck ./...
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
category: "/language:go"
- name: Archive Build
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: build
path: |
terraform-provider-quicknode
pr-scan:
uses: circlefin/circle-public-github-workflows/.github/workflows/pr-scan.yaml@v1
trivy-scan:
name: Trivy Scan
runs-on: github-hosted-small
permissions:
actions: read
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
# setup-trivy's install.sh downloads from get.trivy.dev; some runners cannot resolve it (curl exit 6).
- name: Install Trivy from GitHub releases
shell: bash
env:
TRIVY_VERSION: '0.69.3'
RUNNER_ARCH: ${{ runner.arch }}
run: |
set -euo pipefail
case "$RUNNER_ARCH" in
X64) suffix='Linux-64bit' ;;
ARM64) suffix='Linux-ARM64' ;;
*) echo "unsupported runner.arch=$RUNNER_ARCH"; exit 1 ;;
esac
ver="v${TRIVY_VERSION}"
name="trivy_${TRIVY_VERSION}_${suffix}.tar.gz"
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/${ver}/${name}" -o trivy.tgz
tar -xzf trivy.tgz trivy
mkdir -p "$HOME/bin"
install -m 0755 trivy "$HOME/bin/trivy"
echo "$HOME/bin" >> "$GITHUB_PATH"
rm -f trivy trivy.tgz
# No upload-sarif: org repo may not expose GitHub Code Scanning UI (GHAS). Artifact + summary below.
# scanners=vuln: dependency CVEs only (secret scanner often false-positives on fixtures/docs).
- name: Trivy Scan
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
skip-setup-trivy: true
version: v0.69.3
scan-type: fs
scan-ref: '.'
scanners: vuln
exit-code: '1'
output: trivy-results.sarif
format: sarif
# On public repos, workflow artifacts are world-readable; SARIF is low-risk (same as go.mod+CVE DB)
# but we only attach it for private repos. Public: table in job summary only.
- name: Upload Trivy SARIF artifact
if: always() && github.event.repository.private
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: trivy-results
path: trivy-results.sarif
if-no-files-found: warn
- name: Trivy table (job summary)
if: always()
shell: bash
run: |
{
echo '### Trivy filesystem scan (vulnerabilities only)'
echo ''
if [[ "${{ github.event.repository.private }}" == "true" ]]; then
echo 'Full SARIF: workflow artifact **trivy-results** (private repo only).'
else
echo 'Public repo: no SARIF artifact (artifacts are public). Table below matches dependency scan.'
fi
echo ''
echo '```'
trivy fs --scanners vuln --format table --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --exit-code 0 .
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
generate:
runs-on: github-hosted-small
permissions:
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: 'go.mod'
cache: true
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_wrapper: false
- run: make generate
- name: git diff
run: |
git diff --compact-summary --exit-code || \
(echo; echo "Unexpected difference in directories after code generation. Run 'make generate' command and commit."; exit 1)
- name: setup goreleaser
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
install-only: true
- run: make validate
test:
name: Terraform Provider Unit Tests
needs: build
runs-on: github-hosted-small
timeout-minutes: 5
permissions:
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: 'go.mod'
cache: true
- run: go mod download
- run: go test -v -cover ./... -run Test -skip TestAcc
# Run acceptance tests in a matrix with Terraform CLI versions
acctest:
# skip when triggered by dependabot, due to no access to secrets
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
name: Terraform Provider Acceptance Tests
needs: build
runs-on: github-hosted-small
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
# list whatever Terraform versions here you would like to support
terraform:
- '1.8.*'
- '1.9.*'
- '1.10.*'
permissions:
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: 'go.mod'
cache: true
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: ${{ matrix.terraform }}
terraform_wrapper: false
- run: go mod download
- env:
TF_ACC: "1"
QUICKNODE_APIKEY: ${{ secrets.QUICKNODE_APIKEY }}
run: go test -v -cover ./... -run TestAcc
timeout-minutes: 10
rollup:
name: Success Rollup
if: always()
needs:
- build
- pr-scan
- trivy-scan
- generate
- test
- acctest
runs-on: github-hosted-small
permissions: {}
steps:
- run: exit 1
if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}