Add a check for vulnerabilities in the Go database #2944
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
env: | |
# Use the Go toolchain installed by setup-go | |
# https://github.com/actions/setup-go/issues/457 | |
GOTOOLCHAIN: local | |
jobs: | |
go-test: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: { go-version: stable } | |
- run: make check | |
- run: make check-generate | |
- name: Ensure go.mod is tidy | |
run: go mod tidy && git diff --exit-code -- go.mod | |
kubernetes-api: | |
runs-on: ubuntu-latest | |
needs: [go-test] | |
strategy: | |
fail-fast: false | |
matrix: | |
kubernetes: ['default'] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: { go-version: stable } | |
- run: go mod download | |
- run: ENVTEST_K8S_VERSION="${KUBERNETES#default}" make check-envtest | |
env: | |
KUBERNETES: "${{ matrix.kubernetes }}" | |
GO_TEST: go test --coverprofile 'envtest.coverage' --coverpkg ./internal/... | |
# Upload coverage to GitHub | |
- run: gzip envtest.coverage | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: "~coverage~kubernetes-api=${{ matrix.kubernetes }}" | |
path: envtest.coverage.gz | |
retention-days: 1 | |
kubernetes-k3d: | |
if: "${{ github.repository == 'CrunchyData/postgres-operator' }}" | |
runs-on: ubuntu-latest | |
needs: [go-test] | |
strategy: | |
fail-fast: false | |
matrix: | |
kubernetes: [v1.31, v1.28] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: { go-version: stable } | |
- name: Start k3s | |
uses: ./.github/actions/k3d | |
with: | |
k3s-channel: "${{ matrix.kubernetes }}" | |
prefetch-images: | | |
registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.53.1-0 | |
registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.23-0 | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.4-2 | |
- run: make createnamespaces check-envtest-existing | |
env: | |
PGO_TEST_TIMEOUT_SCALE: 1.2 | |
GO_TEST: go test --coverprofile 'envtest-existing.coverage' --coverpkg ./internal/... | |
# Upload coverage to GitHub | |
- run: gzip envtest-existing.coverage | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: "~coverage~kubernetes-k3d=${{ matrix.kubernetes }}" | |
path: envtest-existing.coverage.gz | |
retention-days: 1 | |
kuttl-k3d: | |
runs-on: ubuntu-latest | |
needs: [go-test] | |
strategy: | |
fail-fast: false | |
matrix: | |
kubernetes: [v1.31, v1.30, v1.29, v1.28] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: { go-version: stable } | |
- name: Start k3s | |
uses: ./.github/actions/k3d | |
with: | |
k3s-channel: "${{ matrix.kubernetes }}" | |
prefetch-images: | | |
registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-31 | |
registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.53.1-0 | |
registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.23-0 | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:latest | |
registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:latest | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.4-2 | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.4-3.3-2 | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.4-3.4-2 | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-17.0-0 | |
registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-17.0-3.4-0 | |
- run: go mod download | |
- name: Build executable | |
run: PGO_VERSION='${{ github.sha }}' make build-postgres-operator | |
- name: Get pgMonitor files. | |
run: make get-pgmonitor | |
env: | |
PGMONITOR_DIR: "${{ github.workspace }}/hack/tools/pgmonitor" | |
QUERIES_CONFIG_DIR: "${{ github.workspace }}/hack/tools/queries" | |
# Start a Docker container with the working directory mounted. | |
- name: Start PGO | |
run: | | |
kubectl apply --server-side -k ./config/namespace | |
kubectl apply --server-side -k ./config/dev | |
hack/create-kubeconfig.sh postgres-operator pgo | |
docker run --detach --network host --read-only \ | |
--volume "$(pwd):/mnt" --workdir '/mnt' --env 'PATH=/mnt/bin' \ | |
--env 'CHECK_FOR_UPGRADES=false' \ | |
--env 'QUERIES_CONFIG_DIR=/mnt/hack/tools/queries' \ | |
--env 'KUBECONFIG=hack/.kube/postgres-operator/pgo' \ | |
--env 'RELATED_IMAGE_PGADMIN=registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-31' \ | |
--env 'RELATED_IMAGE_PGBACKREST=registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.53.1-0' \ | |
--env 'RELATED_IMAGE_PGBOUNCER=registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.23-0' \ | |
--env 'RELATED_IMAGE_PGEXPORTER=registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:latest' \ | |
--env 'RELATED_IMAGE_PGUPGRADE=registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:latest' \ | |
--env 'RELATED_IMAGE_POSTGRES_16=registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.4-2' \ | |
--env 'RELATED_IMAGE_POSTGRES_16_GIS_3.3=registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.4-3.3-2' \ | |
--env 'RELATED_IMAGE_POSTGRES_16_GIS_3.4=registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.4-3.4-2' \ | |
--env 'RELATED_IMAGE_POSTGRES_17=registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-17.0-0' \ | |
--env 'RELATED_IMAGE_POSTGRES_17_GIS_3.4=registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-17.0-3.4-0' \ | |
--env 'RELATED_IMAGE_STANDALONE_PGADMIN=registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-8.12-0' \ | |
--env 'PGO_FEATURE_GATES=TablespaceVolumes=true' \ | |
--name 'postgres-operator' ubuntu \ | |
postgres-operator | |
- name: Install kuttl | |
run: | | |
curl -Lo /usr/local/bin/kubectl-kuttl https://github.com/kudobuilder/kuttl/releases/download/v0.13.0/kubectl-kuttl_0.13.0_linux_x86_64 | |
chmod +x /usr/local/bin/kubectl-kuttl | |
- run: make generate-kuttl | |
env: | |
KUTTL_PG_UPGRADE_FROM_VERSION: '16' | |
KUTTL_PG_UPGRADE_TO_VERSION: '17' | |
KUTTL_PG_VERSION: '16' | |
KUTTL_POSTGIS_VERSION: '3.4' | |
KUTTL_PSQL_IMAGE: 'registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.4-2' | |
- run: | | |
make check-kuttl && exit | |
failed=$? | |
echo '::group::PGO logs'; docker logs 'postgres-operator'; echo '::endgroup::' | |
exit $failed | |
env: | |
KUTTL_TEST: kubectl-kuttl test | |
- name: Stop PGO | |
run: docker stop 'postgres-operator' || true | |
coverage-report: | |
if: ${{ success() || contains(needs.*.result, 'success') }} | |
runs-on: ubuntu-latest | |
needs: | |
- kubernetes-api | |
- kubernetes-k3d | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: { go-version: stable } | |
- uses: actions/download-artifact@v4 | |
with: { path: download } | |
# Combine the coverage profiles by taking the mode line from any one file | |
# and the data from all files. Write a list of functions with less than | |
# 100% coverage to the job summary, and upload a complete HTML report. | |
- name: Generate report | |
run: | | |
gunzip --keep download/*/*.gz | |
( sed -e '1q' download/*/*.coverage | |
tail -qn +2 download/*/*.coverage ) > total.coverage | |
go tool cover --func total.coverage -o total-coverage.txt | |
go tool cover --html total.coverage -o total-coverage.html | |
awk < total-coverage.txt ' | |
END { print "<details><summary>Total Coverage: <code>" $3 " " $2 "</code></summary>" } | |
' >> "${GITHUB_STEP_SUMMARY}" | |
sed < total-coverage.txt -e '/100.0%/d' -e "s,$(go list -m)/,," | column -t | awk ' | |
NR == 1 { print "\n\n```" } { print } END { if (NR > 0) print "```\n\n"; print "</details>" } | |
' >> "${GITHUB_STEP_SUMMARY}" | |
# Upload coverage to GitHub | |
- run: gzip total-coverage.html | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-report=html | |
path: total-coverage.html.gz | |
retention-days: 15 |