
Apply security best practices #4828


Workflow file for this run

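# This file is autogenerated by the 'modulegen' tool.
# Please update the 'ci.yml' template instead.
name: Main pipeline

# Runs on pushes to main and on every pull request, except when only
# editor settings or documentation files changed.
on:
  push:
    branches:
      - main
    paths-ignore:
      - '.vscode/**'
      - 'mkdocs.yml'
      - 'docs/**'
      - 'README.md'
  pull_request:
    paths-ignore:
      - '.vscode/**'
      - 'mkdocs.yml'
      - 'docs/**'
      - 'README.md'

# One active run per workflow and PR branch (or per commit SHA when there is
# no head_ref); a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.sha }}
  cancel-in-progress: true

# NOTE(review): no workflow-level `permissions:` is declared, so every job that
# does not set its own gets the repository's default GITHUB_TOKEN scopes.
# Consider `permissions: {contents: read}` here once
# ./.github/workflows/ci-test-go.yml is confirmed to need nothing broader.

jobs:
  test:
    # do not run this job if it's a PR from dependabot that is not approved yet
    # NOTE(review): `github.event.pull_request.state` is 'open' or 'closed' and
    # never 'approved', so this guard skips every dependabot-triggered PR run,
    # approved or not. It fails closed, but does not do what the comment says.
    # The same condition is repeated on the other test jobs below.
    if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }}
    strategy:
      matrix:
        go-version: ["1.20.x", "1.x"]
        platform: [ubuntu-latest, macos-latest]
    uses: ./.github/workflows/ci-test-go.yml
    with:
      go-version: ${{ matrix.go-version }}
      fail-fast: true
      platform: ${{ matrix.platform }}
      project-directory: "."
      rootless-docker: false
      # Tests are only executed on the Linux runner.
      run-tests: ${{ matrix.platform == 'ubuntu-latest' }}
      ryuk-disabled: false

  # The job below is a copy of the job above, but with ryuk disabled.
  # It's executed in a secondary stage to avoid concurrency issues.
  test-reaper-off:
    # do not run this job if it's a PR from dependabot that is not approved yet
    if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }}
    name: "Test with reaper off"
    needs: test
    strategy:
      matrix:
        go-version: ["1.20.x", "1.x"]
    uses: ./.github/workflows/ci-test-go.yml
    with:
      go-version: ${{ matrix.go-version }}
      fail-fast: true
      platform: "ubuntu-latest"
      project-directory: "."
      rootless-docker: false
      run-tests: true
      ryuk-disabled: true

  # The job below is a copy of the job above, but with Docker rootless.
  # It's executed in a secondary stage to avoid concurrency issues.
  test-rootless-docker:
    # do not run this job if it's a PR from dependabot that is not approved yet
    if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }}
    name: "Test with Rootless Docker"
    needs: test
    strategy:
      matrix:
        go-version: ["1.20.x", "1.x"]
        platform: [ubuntu-latest]
    uses: ./.github/workflows/ci-test-go.yml
    with:
      go-version: ${{ matrix.go-version }}
      fail-fast: true
      platform: "ubuntu-latest"
      project-directory: "."
      rootless-docker: true
      run-tests: true
      ryuk-disabled: false

  test-module-generator:
    # do not run this job if it's a PR from dependabot that is not approved yet
    if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }}
    strategy:
      matrix:
        go-version: ["1.20.x", "1.x"]
        platform: [ubuntu-latest, macos-latest, windows-latest]
    uses: ./.github/workflows/ci-test-go.yml
    with:
      go-version: ${{ matrix.go-version }}
      fail-fast: true
      platform: ${{ matrix.platform }}
      project-directory: "modulegen"
      rootless-docker: false
      run-tests: true
      ryuk-disabled: false

  test-modules:
    # do not run this job if it's a PR from dependabot that is not approved yet
    if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }}
    needs: test
    strategy:
      matrix:
        go-version: ["1.20.x", "1.x"]
        platform: [ubuntu-latest, macos-latest]
        module: [
          artemis, cassandra, clickhouse, compose, couchbase, elasticsearch,
          gcloud, k3s, k6, kafka, localstack, mariadb, mongodb, mysql, nats,
          neo4j, postgres, pulsar, rabbitmq, redis, redpanda, vault,
        ]
        exclude:
          - go-version: "1.20.x"
            module: compose
    uses: ./.github/workflows/ci-test-go.yml
    with:
      go-version: ${{ matrix.go-version }}
      fail-fast: false
      platform: ${{ matrix.platform }}
      project-directory: modules/${{ matrix.module }}
      rootless-docker: false
      # Tests are only executed on the Linux runner.
      run-tests: ${{ matrix.platform == 'ubuntu-latest' }}
      ryuk-disabled: false

  test-examples:
    # do not run this job if it's a PR from dependabot that is not approved yet
    if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.state != 'approved' && github.triggering_actor == 'dependabot[bot]') }}
    needs: test-modules
    strategy:
      matrix:
        module: [cockroachdb, consul, nginx, toxiproxy]
    uses: ./.github/workflows/ci-test-go.yml
    with:
      go-version: "1.20.x"
      fail-fast: true
      platform: 'ubuntu-latest'
      project-directory: examples/${{ matrix.module }}
      rootless-docker: false
      run-tests: true
      ryuk-disabled: false

  sonarcloud:
    # Restricts this job to the 'main' ref of repositories owned by
    # 'testcontainers'; it is the only job here that is handed secrets.
    if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}
    needs: test-examples
    runs-on: ubuntu-latest
    # Least-privilege GITHUB_TOKEN for the job that also carries SONAR_TOKEN.
    permissions:
      contents: read  # actions/checkout
      # NOTE(review): presumably used by the SonarCloud action for PR lookup;
      # confirm, and drop if it is not needed.
      pull-requests: read
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      # NOTE(review): the 'sonarcloud' artifact is presumably uploaded by
      # ci-test-go.yml; verify against that workflow.
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: sonarcloud
      - name: Analyze with SonarCloud
        # NOTE(review): '@master' is a mutable branch ref, unlike the two
        # SHA-pinned actions above, and this step receives both tokens below.
        # Pin it to a full commit SHA with a version comment so a change on
        # that branch cannot run with these secrets unreviewed.
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}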