-
Notifications
You must be signed in to change notification settings - Fork 890
150 lines (122 loc) · 4.99 KB
/
cli.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: CLI
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
build:
name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }}
runs-on: ubuntu-latest
strategy:
matrix:
os: [linux, darwin, windows]
arch: [amd64, arm64]
go-version: ['1.22', '1.23']
exclude:
- os: windows
arch: arm64
env:
VAULT_VERSION: "1.14.0"
VAULT_TOKEN: "root"
VAULT_ADDR: "http://127.0.0.1:8200"
steps:
- name: Set up Go ${{ matrix.go-version }}
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: ${{ matrix.go-version }}
id: go
- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Vendor Go Modules
run: make vendor
- name: Restore go/toolchain lines of go.mod
run: python3 .github/utils/patch-go.mod.py
- name: Ensure clean working tree
run: git diff --exit-code
- name: Build ${{ matrix.os }}
if: matrix.os != 'windows'
run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
- name: Build ${{ matrix.os }}
if: matrix.os == 'windows'
run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
- name: Import test GPG keys
run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
- name: Test
run: make test
- name: Upload artifact for ${{ matrix.os }}
if: matrix.os != 'windows'
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
- name: Upload artifact for ${{ matrix.os }}
if: matrix.os == 'windows'
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
test:
name: Functional tests
runs-on: ubuntu-latest
needs: [build]
strategy:
matrix:
go-version: ['1.22']
env:
VAULT_VERSION: "1.14.0"
VAULT_TOKEN: "root"
VAULT_ADDR: "http://127.0.0.1:8200"
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# Rustup will detect toolchain version and profile from rust-toolchain.toml
# It will download and install the toolchain and components automatically
# and make them available for subsequent commands
- name: Install Rust toolchain
run: rustup show
- name: Show Rust version
run: cargo --version
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}
- name: Move SOPS binary
run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops
- name: Make SOPS binary executable
run: chmod +x ./functional-tests/sops
- name: Download Vault
run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
- name: Start Vault server
run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
- name: Enable Vault KV
run: vault secrets enable -version=1 kv
- name: Import test GPG keys
run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
- name: Run tests
run: cargo test
working-directory: ./functional-tests
# The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check'
# instead of having to explicitly list all individual jobs that need to pass.
check:
if: always()
needs:
- build
- test
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
allowed-failures: docs, linters
allowed-skips: non-voting-flaky-job
jobs: ${{ toJSON(needs) }}