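# Lint workflow: golangci-lint and govulncheck for every Go module in the
# repository, plus the web and Helm lint targets from the Makefile.
name: lint

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
      - "release-v*"
      - "feat/*"

# One active run per pull request (or per ref for pushes). Only pull_request
# runs are cancelled when superseded; in-progress push runs are not.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Tool versions, quoted so they stay strings whatever the YAML loader.
env:
  GO_VERSION: "1.26.2"
  NODE_VERSION: "20.19.0"
  GOLANGCI_LINT_VERSION: "v2.11.4"
  HELM_VERSION: "3.17.3"

jobs:
  # Emits a JSON array of every directory that contains a go.mod; the `go`
  # and `govulncheck` jobs fan out over it as a matrix.
  list-go-modules:
    runs-on: ubuntu-24.04
    # Least privilege: this job only reads the checked-out tree.
    permissions:
      contents: read
    outputs:
      modules: ${{ steps.list-go-modules.outputs.modules }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: List go modules
        id: list-go-modules
        # Directory names come from the checked-out ref, so on pull_request
        # they are contributor-controlled. jq -c emits one compact JSON line,
        # so the value occupies exactly one line of $GITHUB_OUTPUT, and the
        # jobs below consume it only through `with:` / `working-directory:`.
        # Keep it out of inline `run:` scripts.
        run: |
          echo "modules=$(find . -name go.mod -exec dirname {} \; | sort | jq -R -s -c 'split("\n") | map(select(length > 0))')" >> "$GITHUB_OUTPUT"

  go:
    runs-on: ubuntu-24.04
    needs: list-go-modules
    # NOTE(review): no explicit `permissions:` here. The token scopes the
    # reviewdog reporter needs are not visible in this file - confirm them
    # and declare the minimum set instead of inheriting the default.
    strategy:
      fail-fast: false
      matrix:
        module: ${{ fromJSON(needs.list-go-modules.outputs.modules) }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: golangci-lint
        uses: reviewdog/action-golangci-lint@f9bba13753278f6a73b27a56a3ffb1bfda90ed71  # v2.8.0
        with:
          workdir: ${{ matrix.module }}
          go_version: ${{ env.GO_VERSION }}
          golangci_lint_version: ${{ env.GOLANGCI_LINT_VERSION }}
          golangci_lint_flags: --config ${{ github.workspace }}/.golangci.yml
          fail_level: error
          filter_mode: nofilter

  # This job is used to check if the go linting is completed successfully
  # It is used to set as required check for the branch protection rules
  go-lint-completed:
    runs-on: ubuntu-24.04
    if: always()
    needs: go
    # Gate job: no checkout and no API calls, so it gets no token scopes.
    permissions: {}
    steps:
      - name: Check if all go lint jobs succeeded
        # if jobs in the 'go' job matrix failed or were cancelled, this job will fail
        # otherwise this job is marked as successful because all steps are skipped
        if: needs.go.result != 'success'
        run: exit 1

  web:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      # NOTE(review): setup-node and cache are referenced by mutable tag while
      # checkout is pinned to a full commit SHA. A tag can be moved to
      # different code; pin these to a reviewed commit SHA as well.
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
      - uses: actions/cache@v4
        id: yarn-cache
        with:
          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-
      - name: Update web dependencies
        run: make update/web-deps
      - name: Run lint
        run: make lint/web

  helm:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: Set up Helm
        # NOTE(review): referenced by mutable tag; pin to a full commit SHA
        # like the checkout step above.
        uses: azure/setup-helm@v4
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Lint all Helm charts
        run: make lint/helm

  govulncheck:
    runs-on: ubuntu-24.04
    needs: list-go-modules
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        module: ${{ fromJSON(needs.list-go-modules.outputs.modules) }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      # NOTE(review): referenced by mutable tag; pin to a full commit SHA
      # like the checkout step above.
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install govulncheck
        # NOTE(review): `@latest` is resolved at run time, so the scanner
        # binary can change between runs without a commit to this repository.
        # Consider a reviewed release pinned through `env:` like the other
        # tools.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        working-directory: ${{ matrix.module }}
        # TODO: Remove continue-on-error once vulnerabilities are fixed (see #6600)
        continue-on-error: true
        run: govulncheck ./...

  govulncheck-completed:
    runs-on: ubuntu-24.04
    if: always()
    needs: govulncheck
    # Gate job: no checkout and no API calls, so it gets no token scopes.
    permissions: {}
    steps:
      - name: Check govulncheck status
        # Warn-only until the findings tracked in #6600 are fixed: this step
        # never fails the workflow. The scan step in the govulncheck job is
        # continue-on-error, so findings alone leave that job's result at
        # 'success'. This step therefore runs when the matrix failed for
        # another reason (checkout, Go setup, tool install), was cancelled,
        # or was skipped - cases in which no scan result exists.
        if: needs.govulncheck.result != 'success'
        env:
          GOVULNCHECK_RESULT: ${{ needs.govulncheck.result }}
        run: |
          echo "::warning::govulncheck did not finish cleanly (result: ${GOVULNCHECK_RESULT}) - see issue #6600 for tracking"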