Allow SOPS to use custom AWS KMS and STS Endpoint #1637
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CLI | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
permissions: | |
contents: read | |
jobs: | |
build: | |
name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }} | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
os: [linux, darwin, windows] | |
arch: [amd64, arm64] | |
go-version: ['1.22', '1.23'] | |
exclude: | |
- os: windows | |
arch: arm64 | |
env: | |
VAULT_VERSION: "1.14.0" | |
VAULT_TOKEN: "root" | |
VAULT_ADDR: "http://127.0.0.1:8200" | |
steps: | |
- name: Set up Go ${{ matrix.go-version }} | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version: ${{ matrix.go-version }} | |
id: go | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Vendor Go Modules | |
run: make vendor | |
- name: Restore go/toolchain lines of go.mod | |
run: python3 .github/utils/patch-go.mod.py | |
- name: Ensure clean working tree | |
run: git diff --exit-code | |
- name: Build ${{ matrix.os }} | |
if: matrix.os != 'windows' | |
run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops | |
- name: Build ${{ matrix.os }} | |
if: matrix.os == 'windows' | |
run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops | |
- name: Import test GPG keys | |
run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done | |
- name: Test | |
run: make test | |
- name: Upload artifact for ${{ matrix.os }} | |
if: matrix.os != 'windows' | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} | |
path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} | |
- name: Upload artifact for ${{ matrix.os }} | |
if: matrix.os == 'windows' | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} | |
path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} | |
test: | |
name: Functional tests | |
runs-on: ubuntu-latest | |
needs: [build] | |
strategy: | |
matrix: | |
go-version: ['1.22'] | |
env: | |
VAULT_VERSION: "1.14.0" | |
VAULT_TOKEN: "root" | |
VAULT_ADDR: "http://127.0.0.1:8200" | |
steps: | |
- name: Check out code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
# Rustup will detect toolchain version and profile from rust-toolchain.toml | |
# It will download and install the toolchain and components automatically | |
# and make them available for subsequent commands | |
- name: Install Rust toolchain | |
run: rustup show | |
- name: Show Rust version | |
run: cargo --version | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} | |
- name: Move SOPS binary | |
run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops | |
- name: Make SOPS binary executable | |
run: chmod +x ./functional-tests/sops | |
- name: Download Vault | |
run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/ | |
- name: Start Vault server | |
run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" & | |
- name: Enable Vault KV | |
run: vault secrets enable -version=1 kv | |
- name: Import test GPG keys | |
run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done | |
- name: Run tests | |
run: cargo test | |
working-directory: ./functional-tests | |
# The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check' | |
# instead of having to explicitly list all individual jobs that need to pass. | |
check: | |
if: always() | |
needs: | |
- build | |
- test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Decide whether the needed jobs succeeded or failed | |
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 | |
with: | |
allowed-failures: docs, linters | |
allowed-skips: non-voting-flaky-job | |
jobs: ${{ toJSON(needs) }} |