Apply security best practices #4828
# This file is autogenerated by the 'modulegen' tool. | |
# Please update the 'ci.yml' template instead. | |
name: Main pipeline | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- '.vscode/**' | |
- 'mkdocs.yml' | |
- 'docs/**' | |
- 'README.md' | |
pull_request: | |
paths-ignore: | |
- '.vscode/**' | |
- 'mkdocs.yml' | |
- 'docs/**' | |
- 'README.md' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.sha }} | |
cancel-in-progress: true | |
jobs: | |
test: | |
# do not run this job if it's a PR from dependabot that is not approved yet | |
if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }} | |
strategy: | |
matrix: | |
go-version: [1.20.x, 1.x] | |
platform: [ubuntu-latest, macos-latest] | |
uses: ./.github/workflows/ci-test-go.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
fail-fast: true | |
platform: ${{ matrix.platform }} | |
project-directory: "." | |
rootless-docker: false | |
run-tests: ${{ matrix.platform == 'ubuntu-latest' }} | |
ryuk-disabled: false | |
# The job below is a copy of the job above, but with ryuk disabled. | |
# It's executed in a secondary stage to avoid concurrency issues. | |
test-reaper-off: | |
# do not run this job if it's a PR from dependabot that is not approved yet | |
if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }} | |
name: "Test with reaper off" | |
needs: test | |
strategy: | |
matrix: | |
go-version: [1.20.x, 1.x] | |
uses: ./.github/workflows/ci-test-go.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
fail-fast: true | |
platform: "ubuntu-latest" | |
project-directory: "." | |
rootless-docker: false | |
run-tests: true | |
ryuk-disabled: true | |
# The job below is a copy of the job above, but with Docker rootless. | |
# It's executed in a secondary stage to avoid concurrency issues. | |
test-rootless-docker: | |
# do not run this job if it's a PR from dependabot that is not approved yet | |
if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }} | |
name: "Test with Rootless Docker" | |
needs: test | |
strategy: | |
matrix: | |
go-version: [1.20.x, 1.x] | |
platform: [ubuntu-latest] | |
uses: ./.github/workflows/ci-test-go.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
fail-fast: true | |
platform: "ubuntu-latest" | |
project-directory: "." | |
rootless-docker: true | |
run-tests: true | |
ryuk-disabled: false | |
test-module-generator: | |
# do not run this job if it's a PR from dependabot that is not approved yet | |
if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }} | |
strategy: | |
matrix: | |
go-version: [1.20.x, 1.x] | |
platform: [ubuntu-latest, macos-latest, windows-latest] | |
uses: ./.github/workflows/ci-test-go.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
fail-fast: true | |
platform: ${{ matrix.platform }} | |
project-directory: "modulegen" | |
rootless-docker: false | |
run-tests: true | |
ryuk-disabled: false | |
test-modules: | |
# do not run this job if it's a PR from dependabot that is not approved yet | |
if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }} | |
needs: test | |
strategy: | |
matrix: | |
go-version: [1.20.x, 1.x] | |
platform: [ubuntu-latest, macos-latest] | |
module: [artemis, cassandra, clickhouse, compose, couchbase, elasticsearch, gcloud, k3s, k6, kafka, localstack, mariadb, mongodb, mysql, nats, neo4j, postgres, pulsar, rabbitmq, redis, redpanda, vault] | |
exclude: | |
- go-version: 1.20.x | |
module: compose | |
uses: ./.github/workflows/ci-test-go.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
fail-fast: false | |
platform: ${{ matrix.platform }} | |
project-directory: modules/${{ matrix.module }} | |
rootless-docker: false | |
run-tests: ${{ matrix.platform == 'ubuntu-latest' }} | |
ryuk-disabled: false | |
test-examples: | |
# do not run this job if it's a PR from dependabot that is not approved yet | |
if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }} | |
needs: test-modules | |
strategy: | |
matrix: | |
module: [cockroachdb, consul, nginx, toxiproxy] | |
uses: ./.github/workflows/ci-test-go.yml | |
with: | |
go-version: "1.20.x" | |
fail-fast: true | |
platform: 'ubuntu-latest' | |
project-directory: examples/${{ matrix.module }} | |
rootless-docker: false | |
run-tests: true | |
ryuk-disabled: false | |
sonarcloud: | |
if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }} | |
needs: test-examples | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
# Disabling shallow clone is recommended for improving relevancy of reporting | |
fetch-depth: 0 | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: sonarcloud | |
- name: Analyze with SonarCloud | |
uses: sonarsource/sonarcloud-github-action@master | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |
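Review bot: The `Analyze with SonarCloud` step still references `sonarsource/sonarcloud-github-action@master`, a mutable branch, while `actions/checkout` and `actions/download-artifact` in the same job are pinned to full commit SHAs. This is the only step shown that receives `SONAR_TOKEN` and `GITHUB_TOKEN`, so whatever is on that branch at run time executes with both secrets; pin it the same way, e.g. `uses: sonarsource/sonarcloud-github-action@<full-commit-sha> # <release-tag>` (placeholders, to be filled from a release you have reviewed). No `permissions:` key appears anywhere in the lines shown, so the token scope falls back to the repository or organisation default; a top-level `permissions:` with `contents: read` would make it explicit, widened per job only if the reusable `ci-test-go.yml` workflow or the SonarCloud step turns out to need more, which is not visible from here. Because the header says the file is generated by `modulegen`, both changes belong in the `ci.yml` template, otherwise the next regeneration reverts them.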