Status checks #781
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Workflow to check whether changes to master fulfill all requirements. | |
name: Status checks | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
schedule: | |
# Run every monday on 9:00 in the morning (UTC). | |
- cron: "0 9 * * 1" | |
# Make it possible to trigger the checks manually. | |
workflow_dispatch: | |
jobs: | |
build: | |
strategy: | |
matrix: | |
os: [ linux, darwin, windows ] | |
arch: [ amd64, 386, arm, arm64 ] | |
exclude: | |
- os: darwin | |
arch: 386 | |
- os: darwin | |
arch: arm | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build artifact | |
uses: ./.github/actions/build | |
id: build | |
with: | |
os: ${{ matrix.os }} | |
arch: ${{ matrix.arch }} | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: irma-${{ matrix.os }}-${{ matrix.arch }} | |
path: ${{ steps.build.outputs.artifact-name }} | |
docker-build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
# We only run the build stage to prevent that the IRMA schemes are downloaded. | |
- name: Run Dockerfile build stage | |
run: docker build -t privacybydesign/irma:build --target build . | |
- name: Test Docker image | |
# Because we have only run the build stage, we have to explicitly set irma as entrypoint. | |
run: docker run --entrypoint irma privacybydesign/irma:build version | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Run gofmt | |
# gofmt does not return non-zero exit codes on failure, so we have to check that there are no issues using grep. | |
run: gofmt -d -e . | (! grep ^) | |
- name: Run go vet | |
run: go vet ./... | |
- name: Install ineffassign | |
run: go install github.com/gordonklaus/ineffassign@latest | |
- name: Run ineffassign | |
run: ineffassign ./... | |
- name: Install misspell | |
run: go install github.com/client9/misspell/cmd/misspell@latest | |
- name: Run misspell | |
run: misspell -error . | |
- name: Install staticcheck | |
run: go install honnef.co/go/tools/cmd/staticcheck@2023.1.3 | |
- name: Run staticcheck | |
run: staticcheck -checks "all,-ST1000,-ST1003,-SA1019,-SA1029" ./... | |
test: | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Run all unit tests | |
run: docker compose run test -v ./... | |
# The integration tests are split into two jobs, one for the client side and one for the server side. | |
# They test whether irmago versions with different versions of gabi can interact. | |
# We assume that the keyshare server is always kept up to date, so we don't test using older versions of the keyshare server. | |
integration-test-clientside: # Checks whether irmaclient interacts with older IRMA servers | |
needs: build | |
strategy: | |
matrix: | |
irma-server: | |
- v0.13.2 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Run integration test | |
uses: ./.github/actions/integration-test | |
with: | |
test-ref: ${{ github.ref }} | |
irma-server-artifact: https://github.com/privacybydesign/irmago/releases/download/${{ matrix.irma-server }}/irma-linux-amd64 | |
keyshare-server-artifact: irma-linux-amd64 # Current build | |
integration-test-serverside: # Checks whether IRMA server interacts with older irmaclients | |
needs: build | |
strategy: | |
matrix: | |
irmaclient-ref: | |
- f0023141ec429d912e329665f937d05b178a3fee # v0.13.2 (integration test did not exist when version tag was created) | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Run integration test | |
uses: ./.github/actions/integration-test | |
with: | |
test-ref: ${{ matrix.irmaclient-ref }} | |
irma-server-artifact: irma-linux-amd64 # Current build | |
keyshare-server-artifact: irma-linux-amd64 # Current build | |
analyze: | |
# Add integration tests as dependencies to make sure that PRs are not merged if they fail. | |
needs: | |
- build | |
- integration-test-clientside | |
- integration-test-serverside | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: go | |
queries: +security-and-quality | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 |