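# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
#
# CI/CD pipeline for gibidify: Go tests with a coverage gate, cross-compiled
# binaries with SHA256 checksums, and (on release events only) a multi-arch
# container image pushed to GitHub Container Registry.
#
# Conventions used throughout this file:
#   - Every third-party action is pinned to a full commit SHA (the tag is in
#     the trailing comment) so a moved upstream tag cannot change what runs.
#   - Values taken from the GitHub context (ref names, actor, secrets) reach
#     shell steps through `env:` instead of being expanded inline in the
#     script text, so their content is never interpreted by the shell.
#   - Each job declares only the permissions its own steps use.
name: Build, Test, Coverage, and Publish

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  release:
    types: [created]

# Workflow-wide default token scope; jobs that need more widen it explicitly.
permissions:
  contents: read

jobs:
  test:
    name: Run Tests with Coverage and SARIF
    runs-on: ubuntu-latest
    # No step in this job pushes to the repo, creates checks or statuses,
    # comments on pull requests, or uploads SARIF, so the read-only default is
    # sufficient. Re-grant `security-events: write` (etc.) together with the
    # step that needs it.
    permissions:
      contents: read
    env:
      # Minimum acceptable total statement coverage, in percent. Quoted so
      # YAML keeps it a string for the shell comparison below.
      COVERAGE_THRESHOLD: "50"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Nothing in this job pushes, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: "./go.mod"
          cache: true

      # NOTE(review): `go mod tidy` may rewrite go.mod/go.sum on the runner
      # before the tests run; `go mod download` is the non-mutating choice if
      # the module files are known to be tidy already.
      - name: Install dependencies
        run: go mod tidy

      # A single test run yields both the machine-readable results and the
      # coverage profile; the previous two separate `go test` runs doubled the
      # wall time for the same outcome.
      - name: Run tests
        run: go test -json -coverprofile=coverage.out ./... > test-results.json

      - name: Check coverage
        id: coverage
        run: |
          coverage="$(go tool cover -func=coverage.out | grep total | awk '{print substr($3, 1, length($3)-1)}')"
          echo "total_coverage=$coverage" >> "$GITHUB_ENV"
          echo "Coverage: $coverage%"

      - name: Upload test results
        # Also upload when the test step failed; that is when the results
        # matter most. Skipped only if the run was cancelled.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: test-results
          path: test-results.json

      - name: Cleanup
        run: rm coverage.out

      - name: Fail if coverage is below threshold
        run: |
          # An empty value would otherwise make the bc comparison meaningless.
          if [ -z "$total_coverage" ]; then
            echo "Could not determine total coverage from the profile"
            exit 1
          fi
          if (( $(echo "$total_coverage < $COVERAGE_THRESHOLD" | bc -l) )); then
            echo "Coverage ($total_coverage%) is below the threshold ($COVERAGE_THRESHOLD%)"
            exit 1
          fi

  build:
    name: Build Binaries
    needs: test
    runs-on: ubuntu-latest
    # Only reads the repository and uploads workflow artifacts (which need no
    # extra scope); nothing here pushes commits or packages.
    permissions:
      contents: read
    strategy:
      matrix:
        goos: [linux, darwin, windows]
        goarch: [amd64, arm64]
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version-file: "./go.mod"

      - name: Run go mod tidy
        run: go mod tidy

      - name: Build binary for ${{ matrix.goos }}-${{ matrix.goarch }}
        env:
          # `go` reads GOOS/GOARCH from the environment. The ref name is passed
          # the same way so a branch or tag name is never spliced into the
          # script text.
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          VERSION: ${{ github.ref_name }}
          BIN_SUFFIX: ${{ matrix.goos == 'windows' && '.exe' || '' }}
        run: |
          mkdir -p dist
          go build \
            -ldflags "-X main.Version=${VERSION}" \
            -o "dist/gibidify-${GOOS}-${GOARCH}${BIN_SUFFIX}" \
            .

      - name: Generate SHA256 checksum
        run: |
          cd dist
          for f in gibidify-*; do
            sha256sum "$f" > "$f.sha256"
          done

      - name: Upload artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: gibidify-${{ matrix.goos }}-${{ matrix.goarch }}
          path: dist/*

  docker:
    name: Build and Publish Docker Image
    if: github.event_name == 'release'
    needs: build
    runs-on: ubuntu-latest
    # Pushing to GHCR needs packages:write; the repository itself is only read.
    permissions:
      contents: read
      packages: write
    env:
      # NOTE(review): GHCR image paths must be lowercase — confirm
      # github.repository is all-lowercase for this repo, or normalise it here.
      IMAGE: ghcr.io/${{ github.repository }}/gibidify
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      # NOTE(review): only the linux/amd64 binary is downloaded, yet the image
      # below is built for linux/arm64 and linux/arm/v7 as well — confirm the
      # Dockerfile builds from source or selects a per-TARGETARCH binary.
      - name: Download Linux binaries
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: gibidify-linux-amd64
          path: .

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Log in to GitHub Container Registry
        env:
          # The token and user name are passed via env so neither is expanded
          # into the script text; the token is still fed over stdin only.
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin

      - name: Build and push multi-arch Docker image
        env:
          VERSION: ${{ github.ref_name }}
        # NOTE(review): `--squash` is an experimental daemon feature; confirm
        # the buildx driver in use accepts it, otherwise drop the flag.
        run: |
          chmod +x gibidify-linux-amd64
          mv gibidify-linux-amd64 gibidify
          docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
            --tag "${IMAGE}:${VERSION}" \
            --tag "${IMAGE}:latest" \
            --push \
            --squash .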