From da6cd10ed969e11293de7d2c0e85408fd60d0eb6 Mon Sep 17 00:00:00 2001
From: Gui Iribarren
Date: Fri, 30 Aug 2024 12:58:36 +0200
Subject: [PATCH] disable actions

---
 .github/workflows/deploy-dev.yml | 28 ---
 .github/workflows/docker-release.yml | 56 ------
 .github/workflows/main.yml | 213 ----------------------
 .github/workflows/scan_vulns_deps.yml | 250 --------------------------
 4 files changed, 547 deletions(-)
 delete mode 100644 .github/workflows/deploy-dev.yml
 delete mode 100644 .github/workflows/docker-release.yml
 delete mode 100644 .github/workflows/main.yml
 delete mode 100644 .github/workflows/scan_vulns_deps.yml

diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
deleted file mode 100644
index 811b0a000..000000000
--- a/.github/workflows/deploy-dev.yml
+++ /dev/null
@@ -1,28 +0,0 @@ -name: Deploy dev - -on: - push: - branches: - - main - - dev - -jobs: - push-to-dev: - name: Git push main -> dev - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # the push step needs a full repo, not shallow - - name: Push main branch to dev branch - run: git push origin main:dev - - call-docker-release: - name: Docker - needs: push-to-dev - if: always() && !cancelled() && !failure() # so if push-to-dev was skipped (because branch is dev) this still runs - uses: vocdoni/vocdoni-node/.github/workflows/docker-release.yml@main - secrets: inherit - with: - image-tag: dev
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
deleted file mode 100644
index c74a1ad4e..000000000
--- a/.github/workflows/docker-release.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -name: Docker Release - -on: - workflow_call: - inputs: - image-tag: - required: true - type: string - -jobs: - job_docker_release: - name: Publish images - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - name: Check out the repo - uses: actions/checkout@v4 - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Set up vars used in next step - id: vars - shell: bash - run: | - echo "IMAGE_TAG_CLEAN=$(echo ${{ inputs.image-tag }} | tr '/' '-' )" >> $GITHUB_OUTPUT - echo "GIT_HASH_SHORT=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - echo "DATE_IN_SECS=$(date +%s)" >> $GITHUB_OUTPUT - - name: Build and Push image to Docker Hub and ghcr.io - uses: docker/build-push-action@v5 - with: - context: . - # platforms: linux/amd64 - push: true # true to upload image to registry - tags: | - vocdoni/vocdoni-node:latest, - vocdoni/vocdoni-node:${{ steps.vars.outputs.IMAGE_TAG_CLEAN }}, - vocdoni/vocdoni-node:${{ steps.vars.outputs.IMAGE_TAG_CLEAN }}-${{ steps.vars.outputs.DATE_IN_SECS }} - vocdoni/vocdoni-node:commit-${{ steps.vars.outputs.GIT_HASH_SHORT }}, - ghcr.io/vocdoni/vocdoni-node:latest, - ghcr.io/vocdoni/vocdoni-node:${{ steps.vars.outputs.IMAGE_TAG_CLEAN }}, - ghcr.io/vocdoni/vocdoni-node:${{ steps.vars.outputs.IMAGE_TAG_CLEAN }}-${{ steps.vars.outputs.DATE_IN_SECS }} - ghcr.io/vocdoni/vocdoni-node:commit-${{ steps.vars.outputs.GIT_HASH_SHORT }}, - cache-from: type=gha - cache-to: type=gha,mode=max
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index e8ad79cfd..000000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,213 +0,0 @@ -name: Build and Test - -on: - push: - branches: - - dev - - stage - - main - - release** - pull_request: - -jobs: - job_go_checks: - runs-on: ubuntu-latest - defaults: - run: - shell: bash - steps: - - name: Print github env vars - run: | - echo github.event_name: ${{ github.event_name }} - echo github.ref: ${{ github.ref }} - echo github.ref_name: ${{ github.ref_name }} - echo github.head_ref: ${{ github.head_ref }} - echo github.base_ref: ${{ github.base_ref }} - - name: Checkout code - uses: actions/checkout@v4 - - name: Set up Go environment - uses: actions/setup-go@v5 - with: - go-version: '1.22' - - name: Tidy go module - run: | - go mod tidy - if [[ $(git status --porcelain) ]]; then - git diff - echo - echo "go mod tidy made these changes, please run 'go mod tidy' and include those changes in a commit" - exit 1 - fi - - name: Run gofumpt - # Run gofumpt first, as it's quick and issues are common. - run: diff -u <(echo -n) <(go run mvdan.cc/gofumpt@v0.7.0 -d .) - - name: Run go vet - run: go vet ./... - - name: Run go generate - run: | - go generate ./... - if [[ $(git status --porcelain) ]]; then - git diff - echo - echo "go generate made these changes, please run 'go generate ./...' and include those changes in a commit" - exit 1 - fi - - name: Run staticcheck - run: | - go install honnef.co/go/tools/cmd/staticcheck@2024.1.1 - staticcheck -debug.version - staticcheck ./... 2> staticcheck-stderr - - name: Check staticcheck stderr (this step isn't needed because we are using actions/setup-go@v5 on GitHub hosted runner) - run: | - if cat staticcheck-stderr | grep "matched no packages" ; then - echo "staticcheck step did nothing, due to https://github.com/vocdoni/vocdoni-node/issues/444" - echo "Please re-run job." 
- # seize the opportunity to fix the underlying problem: a permissions error in ~/.cache - epoch=$(date +%s) - # if any file is reported by find, grep returns true and the mv is done - if [ -d ~/.cache ] && find ~/.cache -not -user `id --user` -print0 | grep -qz . ; then - echo "~/.cache had broken permissions, moving it away... (cache will be rebuilt with usage)" - mv -v ~/.cache ~/.cache-broken-by-root-$epoch - fi - exit 2 - fi - - job_go_test: - runs-on: ubuntu-latest - env: - LOG_PANIC_ON_INVALIDCHARS: true # check that log lines contains no invalid chars (evidence of format mismatch) - steps: - - uses: actions/checkout@v4 - - uses: benjlevesque/short-sha@v3.0 # sets env.SHA to the first 7 chars of github.sha - - uses: actions/setup-go@v5 - with: - go-version: '1.22' - - run: mkdir -p "$PWD/gocoverage-unit/" - - name: Run Go test -race - id: go-test-race - # note that -race can easily make the crypto stuff 10x slower - # this is further limited to selected branches at the beginning of this file - if: runner.debug || - github.event_name == 'push' && - github.ref != 'refs/heads/dev' - env: - GORACE: atexit_sleep_ms=10 # the default of 1000 makes every Go package test sleep for 1s; see https://go.dev/issues/20364 - run: go test ./... - -race -timeout=15m -vet=off - -cover -coverpkg=./... -covermode=atomic -args -test.gocoverdir="$PWD/gocoverage-unit/" - - name: Run Go test - if: steps.go-test-race.outcome == 'skipped' - # quicker, non-race test in case it's a PR or push to dev - run: go test ./... - -cover -coverpkg=./... 
-covermode=count -args -test.gocoverdir="$PWD/gocoverage-unit/" - - name: Store code coverage artifact (unit) - uses: actions/upload-artifact@v4 - with: - name: gocoverage-unit@${{ env.SHA }} - path: gocoverage-unit/ - - job_compose_test: - runs-on: [self-hosted] - steps: - - uses: actions/checkout@v4 - - uses: benjlevesque/short-sha@v3.0 # sets env.SHA to the first 7 chars of github.sha - - name: Run compose script - env: - TESTSUITE_BUILD_TAG: ${{ github.sha }} - COMPOSE_PROJECT_NAME: testsuite_${{ github.run_id }} # unique name for docker compose (needed for concurrent job runs) - COMPOSE_DVOTE_PORT_MAPPING: "9090" # this binds gateway0 to a random available port on docker host (needed for concurrent job runs) - COMPOSE_HOST_PATH: ${{ github.workspace }}/dockerfiles/testsuite - LOG_PANIC_ON_INVALIDCHARS: true # check that log lines contains no invalid chars (evidence of format mismatch) - GOCOVERDIR: "./gocoverage-integration/" # collect code coverage when running binaries - CONCURRENT: 1 # run all the start_test.sh tests concurrently - BUILDARGS: "-race" # this makes the integration test only slightly slower (around +10%) unlike the abismal effect in unit test (10x) - run: | - cd dockerfiles/testsuite && ./start_test.sh - - name: Store code coverage artifact (integration) - uses: actions/upload-artifact@v4 - with: - name: gocoverage-integration@${{ env.SHA }} - path: dockerfiles/testsuite/gocoverage-integration/ - - call-docker-release: - name: Docker - needs: [job_go_checks, job_go_test, job_compose_test] - # docker releases are triggered only on push to the selected branches at the beginning of this file - if: github.event_name == 'push' && - github.ref != 'refs/heads/dev' # but pushes to dev trigger a release via a quicker workflow (deploy-dev.yml) which skips the tests - uses: vocdoni/vocdoni-node/.github/workflows/docker-release.yml@main - secrets: inherit - with: - image-tag: ${{ github.ref_name }} - - job_gocoverage_textfmt: - name: Convert coverage 
(bin->txt) - continue-on-error: true # never mark the whole CI as failed because of this job - needs: [job_go_test, job_compose_test] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: benjlevesque/short-sha@v3.0 # sets env.SHA to the first 7 chars of github.sha - - uses: actions/download-artifact@v4 - - uses: actions/setup-go@v5 - with: - go-version: '1.22' - cache: false - - name: Convert gocoverage format - run: | - go tool covdata textfmt -i=gocoverage-unit@${{ env.SHA }}/ \ - -o gocoverage-unit@${{ env.SHA }}.txt - go tool covdata textfmt -i=gocoverage-integration@${{ env.SHA }}/ \ - -o gocoverage-integration@${{ env.SHA }}.txt - - name: Merge both files - run: | - go install github.com/wadey/gocovmerge@latest - # dirty hack since integration is mode atomic and unit mode count, which are perfectly mergeable - # but gocovmerge doesn't recognize this: "cannot merge profiles with different modes" - sed 's/mode: count/mode: atomic/' gocoverage-unit@${{ env.SHA }}.txt \ - > gocoverage-unit@${{ env.SHA }}.tmp - gocovmerge gocoverage-unit@${{ env.SHA }}.tmp \ - gocoverage-integration@${{ env.SHA }}.txt \ - > gocoverage-merged@${{ env.SHA }}.txt - rm -f gocoverage-unit@${{ env.SHA }}.tmp - - name: Store code coverage artifact (all, textfmt) - if: ${{ always() }} - uses: actions/upload-artifact@v4 - with: - name: gocoverage-all-textfmt@${{ env.SHA }} - path: gocoverage-*.txt - - job_gocoverage_coveralls: - name: Publish coverage (Coveralls) - runs-on: ubuntu-latest - needs: [job_gocoverage_textfmt] - continue-on-error: true # never mark the whole CI as failed because of this job - steps: - - uses: actions/checkout@v4 - - uses: benjlevesque/short-sha@v3.0 # sets env.SHA to the first 7 chars of github.sha - - uses: actions/download-artifact@v4 - with: - name: gocoverage-all-textfmt@${{ env.SHA }} - - uses: actions/setup-go@v5 - with: - go-version: '1.22' - cache: false - - name: Send coverage to coveralls.io (unit) - if: ${{ always() }} - uses: 
shogo82148/actions-goveralls@v1 - with: - path-to-profile: gocoverage-unit@${{ env.SHA }}.txt - flag-name: unit - parallel: true - - name: Send coverage to coveralls.io (integration) - if: ${{ always() }} - uses: shogo82148/actions-goveralls@v1 - with: - path-to-profile: gocoverage-integration@${{ env.SHA }}.txt - flag-name: integration - parallel: true - - name: Tell coveralls.io we're done - if: ${{ always() }} - uses: shogo82148/actions-goveralls@v1 - with: - parallel-finished: true
diff --git a/.github/workflows/scan_vulns_deps.yml b/.github/workflows/scan_vulns_deps.yml
deleted file mode 100644
index 3145cc711..000000000
--- a/.github/workflows/scan_vulns_deps.yml
+++ /dev/null
@@ -1,250 +0,0 @@ -name: scan-vulns-deps - -on: - workflow_dispatch: - push: - branches: - - '**' - -jobs: - - build-and-deploy: - runs-on: ubuntu-latest - outputs: - BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }} - GIT_HASH_SHORT: ${{ steps.myvars.outputs.GIT_HASH_SHORT }} - DATE_IN_SECS: ${{ steps.myvars.outputs.DATE_IN_SECS }} - CONTAINER_TAG: ${{ steps.myvars.outputs.CONTAINER_TAG }} - SHORT_ENV_OUT: ${{ steps.myvars.outputs.SHORT_ENV_OUT }} - CONTAINER_NAME: ${{ steps.myvars.outputs.CONTAINER_NAME }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set myvars - id: myvars - run: | - branchname=$(echo ${GITHUB_REF#refs/heads/} | tr '/' '-' ) - dateinsecs=$(date +%s) - githashshort=$(git rev-parse --short HEAD) - echo "BRANCH_NAME=$branchname" >> $GITHUB_OUTPUT - echo "GIT_HASH_SHORT=$githashshort" >> $GITHUB_OUTPUT - echo "DATE_IN_SECS=$dateinsecs" >> $GITHUB_OUTPUT - if [ "$branchname" = "develop" ]; then - echo "CURRENT_ENVIRONMENT=development" >> $GITHUB_OUTPUT - echo "SHORT_ENV_OUT=DEV" >> $GITHUB_OUTPUT - containertag="commit-race-$githashshort" - elif [ "$branchname" = "main" ]; then - echo "CURRENT_ENVIRONMENT=production" >> $GITHUB_OUTPUT - echo "SHORT_ENV_OUT=PROD" >> $GITHUB_OUTPUT - containertag="commit-race-$githashshort" - else - echo "BRANCH_NAME=test" >> $GITHUB_OUTPUT - echo "CURRENT_ENVIRONMENT=testing" >> $GITHUB_OUTPUT - echo "SHORT_ENV_OUT=TEST" >> $GITHUB_OUTPUT - containertag="commit-$githashshort" - fi - echo "CONTAINER_NAME=vocdoni-node" >> $GITHUB_OUTPUT - echo "CONTAINER_TAG=$containertag" >> $GITHUB_OUTPUT - - - name: Set up Go environment - uses: actions/setup-go@v5 - with: - go-version: '1.22' - - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push Docker image to ghcr.io - uses: 
docker/build-push-action@v5 - with: - context: . - #push: true - push: false - tags: | - ghcr.io/vocdoni/go-dvote:latest, - ghcr.io/vocdoni/go-dvote:${{ steps.myvars.outputs.BRANCH_NAME }}, - ghcr.io/vocdoni/go-dvote:commit-${{ steps.myvars.outputs.GIT_HASH_SHORT }}, - ghcr.io/vocdoni/go-dvote:${{ steps.myvars.outputs.BRANCH_NAME }}-${{ steps.myvars.outputs.DATE_IN_SECS }} - cache-from: type=gha - cache-to: type=gha,mode=max - #outputs: type=tar,dest=${{ steps.myvars.outputs.CONTAINER_NAME }}-${{ steps.myvars.outputs.CONTAINER_TAG }}-tar - outputs: type=docker,dest=${{ steps.myvars.outputs.CONTAINER_NAME }}-${{ steps.myvars.outputs.CONTAINER_TAG }}-oci-tar - - - name: Push Docker image to ghcr.io (race enabled) - uses: docker/build-push-action@v5 - if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main' - with: - context: . - #push: true - push: false - build-args: | - BUILDARGS=-race - tags: | - ghcr.io/vocdoni/go-dvote:latest-race, - ghcr.io/vocdoni/go-dvote:${{ steps.myvars.outputs.BRANCH_NAME }}-race, - ghcr.io/vocdoni/go-dvote:commit-${{ steps.myvars.outputs.GIT_HASH_SHORT }}, - ghcr.io/vocdoni/go-dvote:${{ steps.myvars.outputs.BRANCH_NAME }}-race-${{ steps.myvars.outputs.DATE_IN_SECS }} - cache-from: type=gha - cache-to: type=gha,mode=max - #outputs: type=tar,dest=${{ steps.myvars.outputs.CONTAINER_NAME }}-${{ steps.myvars.outputs.CONTAINER_TAG }}-tar - outputs: type=docker,dest=${{ steps.myvars.outputs.CONTAINER_NAME }}-${{ steps.myvars.outputs.CONTAINER_TAG }}-oci-tar - - - name: Upload Container Img Tarball as Artifact - uses: actions/upload-artifact@v4 - if: success() || failure() - with: - name: ${{ steps.myvars.outputs.CONTAINER_NAME }}-${{ steps.myvars.outputs.CONTAINER_TAG }}-docker-img - path: ${{ steps.myvars.outputs.CONTAINER_NAME }}-${{ steps.myvars.outputs.CONTAINER_TAG }}-oci-tar - - - scan-vulns-repo: - name: Scan Vulns in Repo - runs-on: ubuntu-latest - needs: [build-and-deploy] - - steps: - - name: Checkout code - uses: 
actions/checkout@v4 - - - name: Set up Go environment - uses: actions/setup-go@v5 - with: - go-version: '1.22' - - - name: Scan in Repo (html) - uses: aquasecurity/trivy-action@master - if: success() || failure() - with: - scan-type: fs - scanners: vuln,secret,config - scan-ref: . - format: template - template: '@/contrib/html.tpl' - output: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.html - env: - TRIVY_USERNAME: ${{ github.repository_owner }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Scan in Repo (sarif) - uses: aquasecurity/trivy-action@master - if: success() || failure() - with: - scan-type: fs - scanners: vuln,secret,config - scan-ref: . - format: sarif - output: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif - env: - TRIVY_USERNAME: ${{ github.repository_owner }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish Repo Scan Results as Artifact - uses: actions/upload-artifact@v4 - if: success() || failure() - with: - name: trivy-results-repo-${{ needs.build-and-deploy.outputs.DATE_IN_SECS }} - path: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.* - - - name: Load Repo Scan Results (sarif) to Github - uses: github/codeql-action/upload-sarif@v2 - if: always() - #if: false ## false = bypass - with: - sarif_file: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif - category: vulns-in-repo - - - scan-vulns-docker: - name: Scan Vulns in Docker - runs-on: ubuntu-latest - needs: [build-and-deploy] - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download Container Img Tarball as Artifact - uses: actions/download-artifact@v4 - id: container_img_tar - with: - name: ${{ needs.build-and-deploy.outputs.CONTAINER_NAME }}-${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}-docker-img - path: _tmp/ - - - name: Check Container Image Tarball - run: | - cd _tmp/ - mkdir _tar/ - ls -la - file ${{ 
needs.build-and-deploy.outputs.CONTAINER_NAME }}-${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}-oci-tar - ## we remove 'z' flag because file is not compressed (gz), only archived (tar) - tar -xvf ${{ needs.build-and-deploy.outputs.CONTAINER_NAME }}-${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}-oci-tar -C _tar/ - ls -la _tar/ - - - name: Vuln scan in Docker (table) - uses: aquasecurity/trivy-action@master - if: always() - with: - scan-type: image - scanners: vuln,secret,config - ## it can be the dir with content of untar file or it can be the tar file - input: _tmp/_tar/ - ##input: _tmp/${{ needs.build-and-deploy.outputs.CONTAINER_NAME }}-${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}-oci-tar - format: table - env: - TRIVY_USERNAME: ${{ github.repository_owner }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Vuln scan in Docker (html) - uses: aquasecurity/trivy-action@master - if: always() - with: - scan-type: image - scanners: vuln,secret,config - ## it can be the dir with content of untar file or it can be the tar file - ## input: _tmp/_tar/ - input: _tmp/${{ needs.build-and-deploy.outputs.CONTAINER_NAME }}-${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}-oci-tar - format: template - template: '@/contrib/html.tpl' - output: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.html - env: - TRIVY_USERNAME: ${{ github.repository_owner }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Vuln scan in Docker (sarif) - uses: aquasecurity/trivy-action@master - if: always() - with: - scan-type: image - scanners: vuln,secret,config - ## it can be the dir with content of untar file or it can be the tar file - ## input: _tmp/_tar/ - input: _tmp/${{ needs.build-and-deploy.outputs.CONTAINER_NAME }}-${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}-oci-tar - format: sarif - output: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif - env: - TRIVY_USERNAME: ${{ github.repository_owner }} 
- TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish Docker Scan Results as Artifact - uses: actions/upload-artifact@v4 - if: success() || failure() - with: - name: trivy-results-docker-${{ needs.build-and-deploy.outputs.DATE_IN_SECS }} - path: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.* - - - name: Load Docker Scan Results (sarif) to Github - uses: github/codeql-action/upload-sarif@v2 - if: always() - #if: false ## false = bypass - with: - sarif_file: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif - category: vulns-in-docker