security patch #145
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Go | |
on: | |
push: | |
branches: [ master ] | |
# Sequence of patterns matched against refs/tags | |
tags: | |
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10 | |
pull_request: | |
branches: [ master ] | |
# types: [assigned, opened, synchronize, reopened] | |
#on: [push, pull_request] | |
env: | |
OSes: windows linux darwin | |
ARCHes: amd64 arm64 | |
APPNAME: "evendeep" | |
APPS: "" # optional, a space separated name list. | |
FROM_FOLDER: "." # Use "." for building "cli"; use "./_examples" for building them | |
IMAGE_NAME: "" | |
ENABLE_DOCKER: 0 | |
ENABLE_Apps_Building: 1 | |
ENABLE_FULL_ARCHes_TEST: 0 | |
ENABLE_Coveralls_Sender: 1 | |
ENABLE_Simple_Release: 1 # simple (1), or normal (0): build+docker+brew+release | |
ENABLE_Homebrew: 0 | |
#HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }} | |
#GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
jobs: | |
test: | |
strategy: | |
matrix: | |
go-version: [ 1.22.x ] # 1.11.x, 1.12.x, 1.13.x, | |
#os: [ubuntu-latest, macos-latest, windows-latest] | |
os: [ ubuntu-latest ] | |
fail-fast: false | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ matrix.go-version }} | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- uses: actions/cache@v4 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Test | |
run: | | |
if [[ $ENABLE_FULL_ARCHes_TESTS -eq 1 ]]; then | |
for GOOS in $(go tool dist list|awk -F'/' '{print $1}'|sort -u); do | |
echo -e "\n\nTESTING FOR $GOOS ...\n" | |
go test ./... | |
done | |
else | |
GOSUMDB=off go mod download | |
# go install -v github.com/swaggo/swag/cmd/swag | |
# go generate ./... | |
[ -d ./cli ] && go build -v ./cli/... || go build -v ./... | |
go test -v ./... | |
fi | |
coverage: | |
needs: test | |
env: | |
COVERALLS_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }} | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.22.x | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
#with: | |
# path: ./src/github.com/${{ github.repository }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Test & Coverage | |
run: | | |
# go install -v github.com/swaggo/swag/cmd/swag | |
# go generate ./... | |
go test -v -coverprofile=profile.cov ./... | |
# notifies coveralls that all test jobs are finished | |
- name: Send coverage | |
env: | |
COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
uses: shogo82148/actions-goveralls@v1 | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Coveralls_Sender != 0 | |
#if: env.ENABLE_Coveralls_Sender != 0 | |
with: | |
path-to-profile: profile.cov | |
# parallel: true | |
# parallel-finished: true | |
# | |
# https://docs.github.com/en/actions/learn-github-actions/contexts#job-context | |
simple-release: | |
permissions: write-all # this is the FIX | |
# permissions: # this is the FIX | |
# contents: write | |
# discussions: write | |
runs-on: ubuntu-latest | |
needs: coverage | |
if: startsWith(github.ref, 'refs/tags/') # in job.<job-id>.if, 'env' is not available !! | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
if: env.ENABLE_Simple_Release != 0 | |
# - name: Generate Changelog | |
# run: echo "# Good things have arrived" > ${{ github.workspace }}-CHANGELOG.txt | |
- name: Set Env | |
shell: bash | |
run: | | |
RELEASE_VERSION=${GITHUB_REF#refs/*/} | |
echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV | |
echo "VERSION=${RELEASE_VERSION/v/}" >> $GITHUB_ENV | |
# This step reads a file from repo and use it for body of the release | |
# This works on any self-hosted runner OS | |
- name: Read RELNOTES.md and use it as a body of new release | |
id: read_release_notes_0 | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release != 0 && 0 # disable now | |
shell: bash | |
run: | | |
REPO_NAME="${GITHUB_REPOSITORY##*/}" | |
APP_NAME="${GITHUB_REPOSITORY##*/}" | |
APP_NAME=$(echo $APP_NAME | sed 's/^(go-)//' | sed 's/(-go)$//' | tr '[:upper:]' '[:lower:]') | |
if [ $APP_NAME = "cmdrstarter" ]; then APP_NAME=your-starter; fi | |
ACTOR=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]') | |
GOT=0 | |
for f in RELNOTES relnotes RELNOTES.md REL-NOTES.md relnotes.md rel-notes.md; do | |
if [[ $GOT -eq 0 ]]; then | |
if [ -f $f ]; then | |
r=$(cat $f) | |
# r="${r//'%'/'%25'}" | |
# r="${r//$'\n'/'%0A'}" | |
# r="${r//$'\r'/'%0D'}" | |
r="${r//'{''{'APP_NAME'}''}'/$APP_NAME}" | |
r="${r//'{''{'VERSION'}''}'/$VERSION}" | |
r="${r//'{''{'ACTOR'}''}'/$ACTOR}" | |
r="${r//'{''{'REPO_NAME'}''}'/$REPO_NAME}" | |
r="${r//'{''{'GITHUB_SHA'}''}'/$GITHUB_SHA}" | |
r="${r//'{''{'GITHUB_REF'}''}'/$GITHUB_REF}" | |
r="${r//'{''{'GITHUB_REF_NAME'}''}'/$GITHUB_REF_NAME}" | |
r="${r//'{''{'GITHUB_REPOSITORY'}''}'/$GITHUB_REPOSITORY}" | |
r="${r//'{''{'GITHUB_REPOSITORY_OWNER'}''}'/$GITHUB_REPOSITORY_OWNER}" | |
echo "RELEASE_BODY=$r" >> $GITHUB_OUTPUT | |
GOT=1 | |
fi | |
fi | |
done | |
- name: Release | |
uses: softprops/action-gh-release@v2 | |
if: env.ENABLE_Simple_Release != 0 | |
with: | |
generate_release_notes: true | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ github.ref }} | |
overwrite: true | |
file_glob: true | |
# body_path: ${{ github.workspace }}-CHANGELOG.txt | |
# body_path: RELNOTES.md | |
# files: | | |
# LICENSE | |
# RELNOTES.md | |
# body: | | |
# ${{ steps.read_release_notes_0.outputs.RELEASE_BODY }} | |
release-build: | |
permissions: write-all # this is the FIX | |
# permissions: # this is the FIX | |
# contents: write | |
# discussions: write | |
needs: coverage | |
runs-on: ubuntu-latest | |
env: | |
ACTOR_EMAIL: [email protected] | |
BUMPER_VER: v0.2.0 | |
HOMEBREW_TAP: hedzr/homebrew-brew | |
BINARIES_ASC: ./bin/binaries.asc | |
steps: | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.21.x | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
#with: | |
# path: ./src/github.com/${{ github.repository }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Set Env | |
shell: bash | |
run: | | |
RELEASE_VERSION=${GITHUB_REF#refs/*/} | |
echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV | |
echo "VERSION=${RELEASE_VERSION/v/}" >> $GITHUB_ENV | |
- name: Docker Build | |
## if: startsWith(github.ref, 'refs/tags/v') || contains(github.ref, '/master') | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_DOCKER != 0 | |
## if: env.ENABLE_DOCKER != 0 | |
env: | |
HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }} | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
#IMAGE_NAME: your-starter # never used | |
#IMAGE_TAG: | |
#PORT: | |
#VERSION: | |
shell: bash | |
run: | | |
IMAGE_NAME="${GITHUB_REPOSITORY##*/}" | |
IMAGE_NAME=$(echo $IMAGE_NAME | sed -re 's/^(go-)//' | sed -re 's/(-go)$//' | tr '[:upper:]' '[:lower:]') | |
if [ $IMAGE_NAME = "cmdrstarter" ]; then IMAGE_NAME=your-starter; fi | |
ACTOR=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]') | |
# | |
IMAGE_TAG=${GITHUB_REF#*/} | |
IMAGE_TAG=${IMAGE_TAG#*/} | |
IMAGE_TAG=$(echo $IMAGE_TAG | sed -e "s#^v##") | |
echo "Using IMAGE_NAME: $IMAGE_NAME" | |
echo "Using IMAGE_TAG: $IMAGE_TAG" | |
echo "Using ACTOR: $ACTOR" | |
# | |
export TIMESTAMP="$(date -u -Iseconds)" | |
export TIMEZONE="$(cat /etc/timezone)" | |
export GIT_VERSION="$(git describe --tags --abbrev=0 2>/dev/null || echo "$VERSION")" | |
export GIT_REVISION="$(git rev-parse --short HEAD)" | |
export GIT_SUMMARY="$(git describe --tags --dirty --always)" | |
export GIT_DESC="$(git log --oneline -1)" | |
export BUILDER_COMMENT="" | |
echo "Using TIMESTAMP: $TIMESTAMP" | |
echo "Using TIMEZONE: $TIMEZONE" | |
echo "Using GIT_VERSION: $GIT_VERSION" | |
echo "Using GIT_REVISION: $GIT_REVISION" | |
echo "Using GIT_SUMMARY: $GIT_SUMMARY" | |
echo "Using GIT_DESC: $GIT_DESC" | |
# | |
# export VERSION="$(grep -E "Version[ \t]+=[ \t]+" doc.go|grep -Eo "[0-9.]+")" | |
docker build -f app.Dockerfile \ | |
--build-arg APPNAME="$IMAGE_NAME" \ | |
--build-arg VERSION="$VERSION" \ | |
--build-arg PORT="$PORT" \ | |
--build-arg TIMESTAMP="${TIMESTAMP}" \ | |
--build-arg GIT_REVISION="${GIT_REVISION}" \ | |
--build-arg GIT_SUMMARY="${GIT_SUMMARY}" \ | |
--build-arg GIT_DESC="${GIT_DESC}" \ | |
--build-arg BUILDER_COMMENT="${BUILDER_COMMENT}" \ | |
--build-arg GOPROXY="https://goproxy.io,direct" \ | |
-t ghcr.io/$ACTOR/$IMAGE_NAME:$IMAGE_TAG \ | |
-t ghcr.io/$ACTOR/$IMAGE_NAME:latest \ | |
-t $ACTOR/$IMAGE_NAME:$IMAGE_TAG \ | |
-t $ACTOR/$IMAGE_NAME:latest \ | |
. | |
if [ "$GH_TOKEN" != "" ]; then | |
docker login ghcr.io -u $ACTOR -p $GH_TOKEN | |
# docker tag IMAGE_ID ghcr.io/$ACTOR/$IMAGE_NAME:$VERSION | |
docker push ghcr.io/$ACTOR/$IMAGE_NAME:$IMAGE_TAG | |
docker push ghcr.io/$ACTOR/$IMAGE_NAME:latest | |
fi | |
if [ "$HUB_TOKEN" != "" ]; then | |
docker login -u $ACTOR -p $HUB_TOKEN | |
docker push $ACTOR/$IMAGE_NAME:$IMAGE_TAG | |
docker push $ACTOR/$IMAGE_NAME:latest | |
fi | |
- name: Build | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release == 0 | |
shell: bash | |
run: | | |
APP_NAME="${GITHUB_REPOSITORY##*/}" | |
APP_NAME=$(echo $APP_NAME | sed 's/^(go-)//' | sed 's/(-go)$//' | tr '[:upper:]' '[:lower:]') | |
if [ $APP_NAME = "cmdrstarter" ]; then APP_NAME=your-starter; fi | |
ACTOR=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]') | |
# | |
export GOSUMDB=off | |
export GIT_REVISION="$(git rev-parse --short HEAD)" | |
export GOVERSION="$(go version)" | |
# export BUILDTIME="$(date -u '+%Y-%m-%d_%H-%M-%S')" | |
export BUILDTIME="$(date -Iseconds)" | |
# export VERSION="$(grep -E "Version[ \t]+=[ \t]+" doc.go|grep -Eo "[0-9.]+")" | |
export W_PKG="github.com/hedzr/cmdr/conf" | |
export LDFLAGS="-s -w \ | |
-X '$W_PKG.Githash=$GIT_REVISION' \ | |
-X '$W_PKG.GoVersion=$GOVERSION' \ | |
-X '$W_PKG.Buildstamp=$BUILDTIME' \ | |
-X '$W_PKG.ServerID=pre-built' \ | |
-X '$W_PKG.Version=$VERSION' " | |
cat <<EOF | |
Version: $VERSION | |
GIT_REVISION: $GIT_REVISION | |
GOVERSION: $GOVERSION | |
BUILDTIME: $BUILDTIME | |
EOF | |
# | |
function gobuild() { | |
local d="$1" APP_NAME="${2:-$APP_NAME}" | |
for GOOS in $OSes; do | |
for GOARCH in $ARCHes; do | |
suf=; suf2=tgz; if [[ $GOOS == "windows" ]]; then suf=".exe"; suf2=7z; if [ "$GOARCH" == "arm64" ]; then GOARCH=arm; fi; fi | |
GOOS=$GOOS GOARCH=$GOARCH CGO_ENABLED=0 go build -v -trimpath -ldflags "$LDFLAGS" -o ./bin/$APP_NAME$suf $d | |
chmod +x ./bin/$APP_NAME$suf | |
if [[ $GOOS == "windows" ]]; then | |
7z a ./bin/$APP_NAME-$GOOS-$GOARCH$suf.$suf2 ./bin/$APP_NAME$suf | |
if [ -d ci/etc ]; then | |
cd ci && 7z a ./bin/$APP_NAME-$GOOS-$GOARCH$suf.$suf2 etc/* && cd .. | |
fi | |
else | |
if [ -d ci/etc ]; then | |
tar -czf ./bin/$APP_NAME-$GOOS-$GOARCH$suf.$suf2 ./bin/$APP_NAME$suf -Cci etc | |
else | |
tar -czf ./bin/$APP_NAME-$GOOS-$GOARCH$suf.$suf2 ./bin/$APP_NAME$suf | |
fi | |
fi | |
sha256sum ./bin/$APP_NAME-$GOOS-$GOARCH$suf.$suf2 >> $BINARIES_ASC | |
rm -f ./bin/$APP_NAME$suf | |
NOTHING_OK=0 | |
done | |
done | |
} | |
# | |
# go install -v github.com/swaggo/swag/cmd/swag | |
# go generate ./... | |
# for app in app1 app2 app3 ...; do | |
# | |
# for app in $(ls -b ./cli) ; do | |
# for dir in cli; do | |
fromdir="$FROM_FOLDER" | |
[ -d $fromdir/cli ] && fromdir="$fromdir/cli" | |
NOTHING_OK=1 | |
for app in $(ls -b $fromdir); do | |
for dir in .; do | |
if [ -d "$fromdir/$dir/$app" ]; then | |
gobuild "$fromdir/$dir/$app" "${APP_NAME}" | |
else | |
echo "folder $fromdir/$dir/$app skipped." | |
fi | |
done # dir | |
done # app | |
if (($NOTHING_OK)); then | |
if [ -d "$fromdir/simple" ]; then | |
gobuild "$fromdir/simple" "${APP_NAME}" | |
fi | |
fi | |
ls -la bin/* | |
- name: bump homebrew-brew | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release == 0 && env.ENABLE_Homebrew != 0 | |
env: | |
HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }} | |
GH_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }} | |
run: | | |
mkdir .pr && cd .pr | |
APP_NAME="${GITHUB_REPOSITORY##*/}" | |
APP_NAME=$(echo $APP_NAME | sed 's/^(go-)//' | sed 's/(-go)$//' | tr '[:upper:]' '[:lower:]') | |
ACTOR=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]') | |
if [ -f .pr/no-disabled ]; then | |
git clone https://hedzr:[email protected]/hedzr/homebrew-brew.git | |
cd homebrew-brew | |
git config --unset-all http.https://github.com/.extraheader | |
git config user.name 'hedzr' | |
git config user.email '[email protected]' | |
# | |
sed -i -r "s/v\d+\.\d+\.\d+/$RELEASE_VERSION/ig" Formular/$APP_NAME.rb | |
sed -i -r "s///ig" Formular/$APP_NAME.rb | |
# | |
git add . | |
git commit -m "bump to $APP_NAME $RELEASE_VERSION" | |
git push --set-upstream https://hedzr:[email protected]/hedzr/homebrew-brew.git master | |
fi | |
# go get -v github.com/hedzr/go-bumper | |
wget https://github.com/hedzr/go-bumper/releases/download/${BUMPER_VER}/bumper-linux-amd64.tgz | |
tar -xf bumper-linux-amd64.tgz | |
cd .. | |
echo .pr/bin/bumper brew -act $ACTOR -am $ACTOR_EMAIL -f $APP_NAME \ | |
-ref $GITHUB_REF -ver $RELEASE_VERSION -t $HOMEBREW_TAP \ | |
--sha $BINARIES_ASC \ | |
--push | |
.pr/bin/bumper brew -act $ACTOR -am $ACTOR_EMAIL -f $APP_NAME \ | |
-ref $GITHUB_REF -ver $RELEASE_VERSION -t $HOMEBREW_TAP \ | |
--sha $BINARIES_ASC \ | |
--token ${GH_TOKEN} \ | |
--push | |
- name: bump launchpad | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release == 0 | |
run: | | |
echo NOT YET | |
# This uploads artifacts from your workflow allowing you to share data between jobs and store data once a workflow is complete. | |
# https://github.com/actions/upload-artifact | |
# https://github.com/actions/download-artifact | |
# | |
- name: Upload artifacts | |
uses: actions/upload-artifact@master | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release == 0 | |
with: | |
name: binaries | |
path: bin/ | |
# This step reads a file from repo and use it for body of the release | |
# This works on any self-hosted runner OS | |
- name: Read RELNOTES.md and use it as a body of new release | |
id: read_release_notes | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release == 0 && 0 # disable now | |
shell: bash | |
run: | | |
REPO_NAME="${GITHUB_REPOSITORY##*/}" | |
APP_NAME="${GITHUB_REPOSITORY##*/}" | |
APP_NAME=$(echo $APP_NAME | sed 's/^(go-)//' | sed 's/(-go)$//' | tr '[:upper:]' '[:lower:]') | |
if [ $APP_NAME = "cmdrstarter" ]; then APP_NAME=your-starter; fi | |
ACTOR=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]') | |
GOT=0 | |
for f in RELNOTES relnotes RELNOTES.md REL-NOTES.md relnotes.md rel-notes.md; do | |
if [[ $GOT -eq 0 ]]; then | |
if [ -f $f ]; then | |
r=$(cat $f) | |
r="${r//'%'/'%25'}" | |
r="${r//$'\n'/'%0A'}" | |
r="${r//$'\r'/'%0D'}" | |
r="${r//'{''{'APP_NAME'}''}'/$APP_NAME}" | |
r="${r//'{''{'VERSION'}''}'/$VERSION}" | |
r="${r//'{''{'ACTOR'}''}'/$ACTOR}" | |
r="${r//'{''{'REPO_NAME'}''}'/$REPO_NAME}" | |
r="${r//'{''{'GITHUB_SHA'}''}'/$GITHUB_SHA}" | |
r="${r//'{''{'GITHUB_REF'}''}'/$GITHUB_REF}" | |
r="${r//'{''{'GITHUB_REF_NAME'}''}'/$GITHUB_REF_NAME}" | |
r="${r//'{''{'GITHUB_REPOSITORY'}''}'/$GITHUB_REPOSITORY}" | |
r="${r//'{''{'GITHUB_REPOSITORY_OWNER'}''}'/$GITHUB_REPOSITORY_OWNER}" | |
echo "RELEASE_BODY=$r" >> $GITHUB_OUTPUT | |
GOT=1 | |
fi | |
fi | |
done | |
# This action allows you to select which files to upload to the just-tagged release. It runs on all operating systems types offered by GitHub. | |
# https://github.com/svenstaro/upload-release-action | |
- name: Upload binaries to release | |
uses: svenstaro/upload-release-action@v2 | |
if: startsWith(github.ref, 'refs/tags/v') && env.ENABLE_Simple_Release == 0 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: bin/* | |
tag: ${{ github.ref }} | |
overwrite: true | |
file_glob: true | |
# body: | | |
# ${{ steps.read_release_notes_0.outputs.RELEASE_BODY }} | |
generate_release_notes: true | |