topdown/crypto: Add URIStrings field to JSON certs #9486
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Check | |
on: [pull_request] | |
# When a new revision is pushed to a PR, cancel all in-progress CI runs for that | |
# PR. See https://docs.github.com/en/actions/using-jobs/using-concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
# All jobs essentially re-create the `ci-release-test` make target, but are split | |
# up for parallel runners for faster PR feedback and a nicer UX. | |
generate: | |
name: Generate Code | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Generate | |
run: make clean generate | |
- name: Upload generated artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: generated | |
path: | | |
internal/compiler/wasm/opa | |
capabilities.json | |
go-build: | |
name: Go Build (${{ matrix.os }}${{ matrix.arch && format(' {0}', matrix.arch) || '' }}) | |
runs-on: ${{ matrix.run }} | |
needs: generate | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: linux | |
run: ubuntu-22.04 | |
targets: ci-go-ci-build-linux ci-go-ci-build-linux-static | |
arch: amd64 | |
- os: linux | |
run: ubuntu-22.04 | |
targets: ci-go-ci-build-linux-static | |
arch: arm64 | |
- os: windows | |
run: ubuntu-22.04 | |
targets: ci-go-ci-build-windows | |
- os: darwin | |
run: macos-latest | |
targets: ci-build-darwin ci-build-darwin-arm64-static | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- id: go_version | |
name: Read go version | |
run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT | |
- name: Install Go (${{ steps.go_version.outputs.go_version }}) | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ steps.go_version.outputs.go_version }} | |
if: matrix.os == 'darwin' | |
- name: Download generated artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: generated | |
- name: Build | |
run: make ${{ matrix.targets }} | |
env: | |
GOARCH: ${{ matrix.arch }} | |
timeout-minutes: 30 | |
- name: Upload binaries | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: binaries | |
path: _release | |
go-test: | |
name: Go Test (${{ matrix.os }}) | |
runs-on: ${{ matrix.run }} | |
needs: generate | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: linux | |
run: ubuntu-22.04 | |
- os: darwin | |
run: macos-latest | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- id: go_version | |
name: Read go version | |
run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT | |
- name: Install Go (${{ steps.go_version.outputs.go_version }}) | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ steps.go_version.outputs.go_version }} | |
- name: Download generated artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: generated | |
- name: Unit Test Golang | |
run: make test-coverage | |
timeout-minutes: 30 | |
go-lint: | |
name: Go Lint | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Golang Style and Lint Check | |
run: make check | |
timeout-minutes: 30 | |
wasm: | |
name: WASM | |
runs-on: ubuntu-22.04 | |
needs: generate | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Check PR for changes to Wasm | |
uses: dorny/paths-filter@v2 | |
id: changes | |
with: | |
filters: | | |
wasm: | |
- Makefile | |
- 'wasm/**' | |
- 'ast/**' | |
- 'internal/compiler/**' | |
- 'internal/planner/**' | |
- 'internal/wasm/**' | |
- 'test/wasm/**' | |
- 'test/cases/**' | |
- name: Download generated artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: generated | |
if: steps.changes.outputs.wasm == 'true' | |
- name: Build and Test Wasm | |
run: make ci-wasm | |
timeout-minutes: 15 | |
if: steps.changes.outputs.wasm == 'true' | |
- name: Build and Test Wasm SDK | |
run: make ci-go-wasm-sdk-e2e-test | |
timeout-minutes: 30 | |
if: steps.changes.outputs.wasm == 'true' | |
env: | |
DOCKER_RUNNING: 0 | |
check-generated: | |
name: Check Generated | |
runs-on: ubuntu-22.04 | |
needs: generate | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Download generated artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: generated | |
- name: Check Working Copy | |
run: make ci-check-working-copy | |
timeout-minutes: 15 | |
env: | |
DOCKER_RUNNING: 0 | |
race-detector: | |
name: Go Race Detector | |
runs-on: ubuntu-22.04 | |
needs: generate | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Download generated artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: generated | |
- name: Test with Race Detector | |
run: make ci-go-race-detector | |
env: | |
DOCKER_RUNNING: 0 | |
smoke-test-docker-images: | |
name: docker image smoke test | |
runs-on: ubuntu-22.04 | |
needs: go-build | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: arm64 | |
- name: Download release binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: binaries | |
path: _release | |
- name: Test amd64 images | |
run: make ci-image-smoke-test | |
- name: Test arm64 images | |
run: make ci-image-smoke-test | |
env: | |
GOARCH: arm64 | |
smoke-test-binaries: | |
runs-on: ${{ matrix.os }} | |
needs: go-build | |
strategy: | |
matrix: | |
include: | |
- os: ubuntu-22.04 | |
exec: opa_linux_amd64 | |
- os: ubuntu-22.04 | |
exec: opa_linux_amd64_static | |
wasm: disabled | |
- os: macos-latest | |
exec: opa_darwin_amd64 | |
- os: windows-latest | |
exec: opa_windows_amd64.exe | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Download release binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: binaries | |
path: _release | |
- name: Test binaries (Rego) | |
run: make ci-binary-smoke-test-rego BINARY=${{ matrix.exec }} | |
- name: Test binaries (Wasm) | |
run: make ci-binary-smoke-test-wasm BINARY=${{ matrix.exec }} | |
if: matrix.wasm != 'disabled' | |
go-version-build: | |
name: Go compat build/test | |
needs: generate | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, macos-latest] | |
version: ["1.19"] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download generated artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: generated | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ matrix.version }} | |
- run: make build | |
env: | |
DOCKER_RUNNING: 0 | |
- run: make go-test | |
env: | |
DOCKER_RUNNING: 0 | |
# Run PR metadata against Rego policies | |
rego-check-pr: | |
name: Rego PR checks | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Download OPA | |
uses: open-policy-agent/setup-opa@v2 | |
with: | |
version: edge | |
- name: Test policies | |
run: opa test build/policy | |
- name: Ensure proper formatting | |
run: opa fmt --list --fail build/policy | |
- name: Run file policy checks on changed files | |
run: | | |
curl --silent --fail --header 'Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' -o files.json \ | |
https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files | |
opa eval -d build/policy/files.rego -d build/policy/helpers.rego --format values --input files.json \ | |
--fail-defined 'data.files.deny[message]' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Show input on failure | |
run: opa eval --input files.json --format pretty input | |
if: ${{ failure() }} | |
- name: Setup Hugo | |
uses: peaceiris/actions-hugo@v2 | |
with: | |
# keep this version in sync with the version in netlify.toml | |
hugo-version: '0.113.0' | |
extended: true | |
- name: Build docs site and test integrations data | |
run: | | |
cd docs | |
make dev-generate hugo-production-build | |
cd - | |
opa eval 'data.integrations.deny[message]' -i docs/website/public/index.json -d build/policy/integrations.rego --format=values --fail-defined |