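# CI workflow: verifies the Go project (spelling, lint, mod tidy, tests, Snyk
# code scan, image build) and, when verification succeeds, publishes the
# multi-arch image to Docker Hub.
#
# NOTE(review): no `permissions:` block is declared, so jobs run with the
# repository's default GITHUB_TOKEN scope. A top-level `permissions:
# contents: read` would be the least-privilege default; confirm that
# reviewdog's reporter still works under it before adding.
name: CI

on:
  release:
    types:
      - published
  push:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum

jobs:
  verify:
    # Only run if it's a push event or if it's a PR from this repository, and it is not dependabot.
    # Fork PRs are excluded: they do not receive repository secrets (SNYK_TOKEN below).
    if: |
      github.actor != 'dependabot[bot]' &&
      (github.event_name == 'push' ||
      github.event_name == 'release' ||
      (github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository))
    runs-on: ubuntu-latest
    env:
      # Enable BuildKit so the multi-stage `--target` builds below work as intended.
      DOCKER_BUILDKIT: "1"
    steps:
      - uses: actions/checkout@v3
      - uses: reviewdog/action-misspell@v1
        with:
          locale: "US"
          level: error
      - name: Linting
        run: docker build --target lint .
      - name: Go mod tidy check
        run: docker build --target tidy .
      - name: Build test image
        run: docker build --target test -t test-container .
      - name: Run tests in test container
        # coverage.txt is created on the host first so the bind mount maps a
        # file (not a directory) into the container.
        run: |
          touch coverage.txt
          docker run --rm \
            -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
            test-container
      - name: Code security analysis
        # NOTE(review): `@master` is a mutable ref; pinning to a release tag or
        # commit SHA makes this third-party step reproducible and auditable.
        uses: snyk/actions/golang@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Build final image
        run: docker build -t final-image .
      # - name: Image security analysis
      #   uses: snyk/actions/docker@master
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #   with:
      #     image: final-image

  publish:
    # Only run if it's a push event or if it's a PR from this repository.
    # Dependabot is not listed here; it is presumably excluded transitively,
    # since `needs: [verify]` skips this job whenever verify was skipped.
    if: |
      github.event_name == 'push' ||
      github.event_name == 'release' ||
      (github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository)
    needs: [verify]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          flavor: |
            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          images: |
            qmcgaw/gluetun
            qmcgaw/private-internet-access
          tags: |
            type=ref,event=branch,enable=${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }}
            type=ref,event=pr
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
      - uses: docker/login-action@v1
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Short commit
        id: shortcommit
        # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT.
        run: echo "value=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
      - name: Build and push final image
        uses: docker/build-push-action@v2.10.0
        with:
          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7,linux/ppc64le
          labels: ${{ steps.meta.outputs.labels }}
          # Build args are taken from the OCI labels computed by metadata-action
          # and from the short commit step above.
          build-args: |
            CREATED=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            COMMIT=${{ steps.shortcommit.outputs.value }}
            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          tags: ${{ steps.meta.outputs.tags }}
          push: true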