diff --git a/.github/workflows/go_lint.yml b/.github/workflows/go_lint.yml index d062e337b..53bd6e84d 100644 --- a/.github/workflows/go_lint.yml +++ b/.github/workflows/go_lint.yml @@ -3,20 +3,24 @@ name: Go lint on: push: branches: [ master ] - pull_request: + pull_request_target: + types: [opened, synchronize, reopened] jobs: lint: runs-on: ubuntu-latest steps: - - name: Use go >= 1.13 + - name: Set up Go ^1.13 uses: actions/setup-go@v3 with: - go-version: '>=1.13' + go-version: ^1.13 - name: Check out code into the Go module directory uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 - name: Tidy run: go mod tidy && [ -z "$(git status -s)" ] diff --git a/.github/workflows/go_tests.yml b/.github/workflows/go_tests.yml index 227587dcc..0ec31107f 100644 --- a/.github/workflows/go_tests.yml +++ b/.github/workflows/go_tests.yml @@ -3,11 +3,33 @@ name: Go test on: push: branches: [ master ] - pull_request: + pull_request_target: + types: [opened, synchronize, reopened] jobs: + permission: + runs-on: ubuntu-latest + steps: + - name: Add comment if PR permission failed + if: ${{ !contains(github.event.pull_request.labels.*.name, 'safe PR') }} + uses: actions/github-script@v3 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '🔒 Could not start CI tests due to missing *safe PR* label. Please contact one of the repo maintainers.' + }) + - name: Check permission + if: ${{ !contains(github.event.pull_request.labels.*.name, 'safe PR') }} + run: | + echo "::error:: Could not start CI tests due to missing *safe PR* label." + exit 1 test: + needs: permission strategy: matrix: platform: [ubuntu-latest, macos-latest, windows-latest] 
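Review bot: In go_lint.yml the switch to `pull_request_target` together with `ref: ${{ github.event.pull_request.head.sha }}` makes the lint job check out and act on fork code in the base repository's context, and unlike go_tests.yml this workflow has no `safe PR` gate in front of it. Nothing visible in this hunk needs secrets or a write token, so leaving the lint workflow on `pull_request` looks sufficient. If `pull_request_target` has to stay, add a top-level `permissions:` block with `contents: read` and set `persist-credentials: false` under the checkout's `with:` so the token is not left in `.git/config` for later steps. The same checkout pattern is added to the `test` job in go_tests.yml and deserves the same two settings. The steps list continues past the end of this hunk.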
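Review bot: The `safe PR` check in the new `permission` job of go_tests.yml approves the pull request rather than a specific commit. With `types: [opened, synchronize, reopened]`, every later push to an already-labelled PR re-runs the `test` job with secrets available and without a fresh review. Consider removing the label on `synchronize`, or putting the `test` job behind an environment with required reviewers, so each new head SHA is approved explicitly. Separately, both `if:` conditions are also true on the `push` trigger, where `github.event.pull_request` is empty, so a push to master would attempt a comment with no issue number and then hit `exit 1`; prefix them with `github.event_name == 'pull_request_target' &&`.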
@@ -15,25 +37,31 @@ jobs: runs-on: ${{matrix.platform}} steps: - - name: Use go >= 1.13 + - name: Setup go ^1.13 uses: actions/setup-go@v3 with: - go-version: '>=1.13' + go-version: ^1.13 - name: Check out code into the Go module directory uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 - - name: Test with coverage - if: matrix.platform == 'ubuntu-latest' - run: go test -json -covermode=count -coverprofile=profile.cov ./... > report.json - - name: Test without coverage if: matrix.platform == 'macos-latest' || matrix.platform == 'windows-latest' run: go test ./... + - name: Test with coverage + if: matrix.platform == 'ubuntu-latest' + run: go test -json -covermode=count -coverprofile=profile.cov ./... > report.json + - name: Sonarcloud scan if: matrix.platform == 'ubuntu-latest' uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: args: > -Dsonar.organization=dedis @@ -43,9 +71,9 @@ jobs: -Dsonar.c.file.suffixes=- -Dsonar.cpp.file.suffixes=- -Dsonar.objc.file.suffixes=- - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + -Dsonar.pullrequest.key=${{ github.event.number }} + -Dsonar.pullrequest.branch=${{ github.head_ref }} + -Dsonar.pullrequest.base=${{ github.event.pull_request.base }} - name: Send coverage if: matrix.platform == 'ubuntu-latest'
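Review bot: In the `test` job, `go test ./...` now runs pull-request code in the same job and workspace in which the Sonarcloud step later receives `GITHUB_TOKEN` and `SONAR_TOKEN`, so the label gate is the only thing between untrusted code and those secrets. Running the tests in a job that has no secrets and passing `profile.cov` and `report.json` to a separate scan job as artifacts would keep the two apart. The scan step also resolves `sonarsource/sonarcloud-github-action@master`, a mutable ref that is handed both tokens; pin it to a reviewed commit, `uses: sonarsource/sonarcloud-github-action@<full-commit-sha>`.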
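Review bot: In the Sonarcloud `args`, `-Dsonar.pullrequest.base=${{ github.event.pull_request.base }}` interpolates an object rather than a branch name; the base branch is `github.event.pull_request.base.ref` (or `github.base_ref`). `github.head_ref` is a branch name chosen by the PR author and is pasted unquoted into the folded `args` string, so a name with unexpected characters may be read as extra scanner options, depending on how the action splits `args`; passing it through an `env:` variable or validating it first would avoid that. All three `sonar.pullrequest.*` values are empty on the `push` trigger, so it is worth confirming that the scan of master still works with them present.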