rebase to upstream/main #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Boulder CI test suite workflow | |
| name: Boulder CI | |
| # Controls when the action will run. | |
| on: | |
| # Triggers the workflow on push or pull request events but only for the main branch | |
| push: | |
| branches: | |
| - main | |
| - release-branch-* | |
| pull_request: | |
| branches: | |
| - '**' | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| # A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
| permissions: | |
| contents: read | |
| jobs: | |
| # Main test jobs. This looks like a single job, but the matrix | |
| # items will multiply it. For example every entry in the | |
| # BOULDER_TOOLS_TAG list will run with every test. If there were two | |
| # tags and 5 tests there would be 10 jobs run. | |
| b: | |
| # The type of runner that the job will run on | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true | |
| fail-fast: false | |
| # Test matrix. | |
| matrix: | |
| # Add additional docker image tags here and all tests will be run with the additional image. | |
| BOULDER_TOOLS_TAG: | |
| - go1.20.6_2023-07-19 | |
| - go1.21rc2_2023-07-19 | |
| # Tests command definitions. Use the entire "docker compose" command you want to run. | |
| tests: | |
| # Run ./test.sh --help for a description of each of the flags. | |
| - "./t.sh --lints --generate" | |
| - "./t.sh --integration && ./test/test-caa-log-checker.sh" | |
| # Testing Config Changes: | |
| # Config changes that have landed in main but not yet been applied to | |
| # production can be made in `test/config-next/<component>.json`. | |
| # | |
| # Testing DB Schema Changes: | |
| # Database migrations in `sa/_db-next/migrations` are only performed | |
| # when `docker compose` is called using `-f docker-compose.yml -f | |
| # docker-compose.next.yml`. | |
| - "./tn.sh --integration" | |
| - "./t.sh --unit --enable-race-detection" | |
| - "./tn.sh --unit --enable-race-detection" | |
| - "./t.sh --start-py" | |
| # gomod-vendor runs with a separate network access definition | |
| # because it needs to fetch packages from GitHub et. al., which | |
| # is incompatible with the DNS server override in the boulder | |
| # container (used for service discovery). | |
| - "docker compose run --use-aliases netaccess ./test.sh --gomod-vendor" | |
| env: | |
| # This sets the docker image tag for the boulder-tools repository to | |
| # use in tests. It will be set appropriately for each tag in the list | |
| # defined in the matrix. | |
| BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }} | |
| # Sequence of tasks that will be executed as part of the job. | |
| steps: | |
| # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it | |
| - uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| # TODO(#6998): Remove this step when the ubuntu-20.04 image has v2.20.0+. | |
| # Install instructions copied from https://docs.docker.com/compose/install/linux/#install-the-plugin-manually | |
| - name: Update docker compose plugin | |
| run: mkdir -p ${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins && curl -SL https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-linux-x86_64 -o ${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins/docker-compose && chmod +x ${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins/docker-compose | |
| - name: Docker Login | |
| # You may pin to the exact commit or the version. | |
| # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a | |
| uses: docker/[email protected] | |
| with: | |
| # Username used to log against the Docker registry | |
| username: ${{ secrets.DOCKER_USERNAME}} | |
| # Password or personal access token used to log against the Docker registry | |
| password: ${{ secrets.DOCKER_PASSWORD}} | |
| # Log out from the Docker registry at the end of a job | |
| logout: true | |
| continue-on-error: true | |
| # Print the env variable being used to pull the docker image. For | |
| # informational use. | |
| - name: Print BOULDER_TOOLS_TAG | |
| run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}" | |
| # Pre-pull the docker containers before running the tests. | |
| - name: docker compose pull | |
| run: docker compose pull | |
| # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on | |
| # go1.21rc2 or higher. This experiment value is unknown in lower versions. | |
| - if: startsWith(matrix.BOULDER_TOOLS_TAG, 'go1.21') | |
| run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV" | |
| # Run the test matrix. This will run | |
| - name: "Run Test: ${{ matrix.tests }}" | |
| run: ${{ matrix.tests }} | |
| govulncheck: | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true | |
| fail-fast: false | |
| matrix: | |
| # Add additional docker image tags here and all tests will be run with the additional image. | |
| BOULDER_TOOLS_TAG: | |
| - go1.20.6_2023-07-19 | |
| - go1.21rc2_2023-07-19 | |
| env: | |
| # This sets the docker image tag for the boulder-tools repository to | |
| # use in tests. It will be set appropriately for each tag in the list | |
| # defined in the matrix. | |
| BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }} | |
| steps: | |
| # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it | |
| - uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| - name: Docker Login | |
| # You may pin to the exact commit or the version. | |
| # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a | |
| uses: docker/[email protected] | |
| with: | |
| # Username used to log against the Docker registry | |
| username: ${{ secrets.DOCKER_USERNAME}} | |
| # Password or personal access token used to log against the Docker registry | |
| password: ${{ secrets.DOCKER_PASSWORD}} | |
| # Log out from the Docker registry at the end of a job | |
| logout: true | |
| continue-on-error: true | |
| # Print the env variable being used to pull the docker image. For | |
| # informational use. | |
| - name: Print BOULDER_TOOLS_TAG | |
| run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}" | |
| # Pre-pull the docker containers before running the tests. | |
| - name: docker compose pull netaccess | |
| run: docker compose pull netaccess | |
| # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on | |
| # go1.21rc2 or higher. This experiment value is unknown in lower versions. | |
| - if: startsWith(matrix.BOULDER_TOOLS_TAG, 'go1.21') | |
| run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV" | |
| # Unset the GOFLAGS environment variable because, by default, it will be | |
| # set to "GOFLAGS='-mod=vendor'" which all go subcommands will utilize. In | |
| # this instance, we want to run a package that isn't vendored in our | |
| # repository because 1) we don't need this package for CA operations and | |
| # 2) we want the benefits of vulnerability checking. | |
| - name: Run govulncheck | |
| run: docker compose run -e GOFLAGS= netaccess go run golang.org/x/vuln/cmd/govulncheck@latest ./... | |
| # This is a utility build job to detect if the status of any of the | |
| # above jobs have failed and fail if so. It is needed so there can be | |
| # one static job name that can be used to determine success of the job | |
| # in GitHub branch protection. | |
| boulder_ci_test_matrix_status: | |
| permissions: | |
| contents: none | |
| if: ${{ always() }} | |
| runs-on: ubuntu-latest | |
| name: Boulder CI Test Matrix | |
| needs: | |
| - b | |
| - govulncheck | |
| steps: | |
| - name: Check boulder ci test matrix status | |
| if: ${{ needs.b.result != 'success' || needs.govulncheck.result != 'success' }} | |
| run: exit 1 |