From 6c6bf798b225347358594ef8b445879a3670690f Mon Sep 17 00:00:00 2001 From: Wayback Archiver <66856220+waybackarchiver@users.noreply.github.com> Date: Sat, 3 Dec 2022 10:01:04 +0000 Subject: [PATCH] Reusable workflows (#256) * Migrate linter to reusable workflows * Migrate stale to reusable workflows * Migrate license to reusable workflow * Migrate analysis to reusable workflows codeql-analysis.yml -> analysis.yml Rename workflow CodeQL to Analysis Add Scorecards supply-chain security analysis Add dependency review pin dependencies Using reusable dependency review Call reusable dependency review workflow without args * Migrate builder to reusable workflows * Migrate release to reusable workflows * Use harden runner for testing workflow * Use harden runner for dispatch workflow * Migrate snapcraft to reusable workflows * Use harden runner for docker workflow * Remove dispatch job from docker workflow * Add allowed endpoints * Add allow endpoint * Remove upload artifacts job * Move write permission to job level --- .github/workflows/analysis.yml | 68 ++++ .github/workflows/builder.yml | 321 +++-------------- .github/workflows/codeql-analysis.yml | 188 ---------- .github/workflows/dispatch.yml | 22 +- .github/workflows/docker.yml | 88 ++--- .github/workflows/license.yml | 21 +- .github/workflows/linter.yml | 146 +------- .github/workflows/release.yml | 475 +++++++------------------- .github/workflows/snapcraft.yml | 45 +-- .github/workflows/stale.yml | 14 +- .github/workflows/testing.yml | 280 +++++++-------- 11 files changed, 481 insertions(+), 1187 deletions(-) create mode 100644 .github/workflows/analysis.yml delete mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml new file mode 100644 index 00000000..f60ce6ff --- /dev/null +++ b/.github/workflows/analysis.yml 
@@ -0,0 +1,68 @@ +# Copyright 2020 Wayback Archiver. All rights reserved. +# Use of this source code is governed by the GNU GPL v3 +# license that can be found in the LICENSE file. + +name: "Analysis" + +on: + push: + branches: + - main + - develop + pull_request: + branches: [ main ] + schedule: + - cron: '33 23 * * 4' + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards + uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Used to receive a badge. (Upcoming feature) + id-token: write + actions: read + contents: read + + codeql: + name: CodeQL + permissions: + security-events: write + actions: read + contents: read + strategy: + fail-fast: false + matrix: + language: [ 'go' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + uses: wabarc/.github/.github/workflows/reusable-codeql.yml@main + with: + language: ${{ matrix.language }} + config-file: './.github/codeql/codeql-config.yml' + + nancy: + name: Sonatype Nancy + uses: wabarc/.github/.github/workflows/reusable-nancy.yml@main + + semgrep: + name: Semgrep Scan + if: github.actor != 'dependabot[bot]' + uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main + + fossa: + if: github.repository == 'wabarc/wayback' + name: FOSSA + uses: wabarc/.github/.github/workflows/reusable-fossa.yml@main + secrets: + fossa-apikey: ${{ secrets.FOSSA_APIKEY }} + + dependency-review: + name: Dependency Review + uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index 1f0852ed..d1d36e7e 100644 --- a/.github/workflows/builder.yml 
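Review bot: Every reusable workflow in this new file is referenced by the mutable `@main` ref (e.g. `uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main`), so a push to wabarc/.github changes what runs in this repository without any change here, while the actions touched elsewhere in this commit are pinned to a full commit SHA with a version comment. The Scorecards job this same file enables will flag these lines under its Pinned-Dependencies check. Pin each call in the same style, `uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@<commit-sha> # <tag-or-date>`, and let the dependency bot bump them. The same applies to the `uses:` lines in the builder.yml, license.yml, linter.yml and release.yml hunks.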
+++ b/.github/workflows/builder.yml @@ -23,11 +23,8 @@ on: - "go.sum" workflow_dispatch: -env: - PRODUCT: wayback - WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }} - -permissions: write-all +permissions: + contents: read jobs: build: 
@@ -86,73 +83,19 @@ jobs: - os: dragonfly arch: 386 fail-fast: false - runs-on: ubuntu-latest - continue-on-error: true - env: - GOOS: ${{ matrix.os }} - GOARCH: ${{ matrix.arch }} - GOARM: ${{ matrix.arm }} - GOMIPS: ${{ matrix.mips }} - GOMIPS64: ${{ matrix.mips64 }} - GOMIPSLE: ${{ matrix.mipsle }} - steps: - - name: Set up Go 1.x - uses: actions/setup-go@v3 - with: - go-version: ^1.18 - - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Cache go module - uses: actions/cache@v3 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - ~/Library/Caches/go-build - ~\AppData\Local\go-build - ~\go\pkg\mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Get dependencies - run: | - go get -v -t -d ./... 
- - - name: Build binary - id: builder - run: | - ARGS="${GOOS}-${GOARCH}" - if [[ -n "${GOARM}" ]]; then - ARGS="${ARGS}v${GOARM}" - elif [[ -n "${GOMIPS}" ]]; then - ARGS="${ARGS}-${GOMIPS}" - elif [[ -n "${GOMIPS64}" ]]; then - ARGS="${ARGS}-${GOMIPS64}" - elif [[ -n "${GOMIPSLE}" ]]; then - ARGS="${ARGS}-${GOMIPSLE}" - fi - make ${ARGS} - echo "filename=${{ env.PRODUCT }}-${ARGS}" >> $GITHUB_OUTPUT - - - name: Upload binary artifacts - uses: actions/upload-artifact@v3 - with: - name: ${{ steps.builder.outputs.filename }} - path: ./build/binary/${{ env.PRODUCT }}* - if-no-files-found: error + uses: wabarc/.github/.github/workflows/reusable-builder-go.yml@main + with: + product: wayback + go-version: '^1.19' + go-os: ${{ matrix.os }} + go-arch: ${{ matrix.arch }} + go-arm: ${{ matrix.arm }} + go-mips: ${{ matrix.mips }} + go-mips64: ${{ matrix.mips64 }} + go-mipsle: ${{ matrix.mipsle }} + artifact-path: ./build/binary/wayback* + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} debpkg: name: Build deb 
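Review bot: The `build` job loses `continue-on-error: true` in the move to `uses:`; `fail-fast: false` keeps the other matrix entries running, but a failing exotic target (dragonfly, the mips variants) now marks the job and the whole run as failed, which the commit message does not mention. As far as I recall `continue-on-error` is not among the keys accepted on a job that calls a reusable workflow, so if the old tolerance is wanted it has to be set inside reusable-builder-go.yml or exposed as an input — worth confirming what that workflow does. The `debpkg` job in the next hunk drops the same key.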
@@ -168,208 +111,56 @@ jobs: arch: arm64 arm: 8 fail-fast: false - runs-on: ubuntu-latest - continue-on-error: true - env: - GOARCH: ${{ matrix.arch }} - GOARM: ${{ matrix.arm }} - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0 - - - name: Build Debian package - id: builder - run: | - TARGET="${GOARCH}" - if [[ -n "${GOARM}" ]]; then - TARGET="${GOARCH}v${GOARM}" - fi - PKG_ARCH="${TARGET//v8}" - PKG_ARCH="${PKG_ARCH//32}" - make debian DEB_IMG_ARCH=${TARGET} PKG_ARCH=${PKG_ARCH} - echo "filename=${{ env.PRODUCT }}-deb-${PKG_ARCH}" >> $GITHUB_OUTPUT - - - name: Upload archived binary - uses: actions/upload-artifact@v3 - with: - name: ${{ steps.builder.outputs.filename }} - path: build/package/${{ env.PRODUCT }}*.deb - if-no-files-found: error + uses: wabarc/.github/.github/workflows/reusable-builder-deb.yml@main + with: + product: wayback + go-arch: ${{ matrix.arch }} + go-arm: ${{ matrix.arm }} + artifact-path: build/package/wayback*.deb + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} rpmpkg: name: Build RPM - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Build RPM package - run: make rpm - - - name: Upload archived binary - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }}-rpm - path: 
build/package/${{ env.PRODUCT }}*.rpm - if-no-files-found: error + uses: wabarc/.github/.github/workflows/reusable-builder-rpm.yml@main + with: + product: wayback + params: 'make rpm' + artifact-path: build/package/wayback*.rpm + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} aurpkg: name: Build AUR - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - submodules: true - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - submodules: true - ref: ${{ github.event.pull_request.head.sha }} - - - name: Build AUR package - run: | - make submodule - cd build/aur - make volume - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }}-aur - path: | - build/aur/.SRCINFO - build/aur/PKGBUILD - build/aur/${{ env.PRODUCT }}*.pkg.tar.zst - if-no-files-found: error - - - name: Clean up - run: | - cd build/aur - make clean + uses: wabarc/.github/.github/workflows/reusable-builder-aur.yml@main + with: + product: wayback + params: 'make submodule && cd build/aur && make volume' + artifact-path: | + build/aur/.SRCINFO + build/aur/PKGBUILD + build/aur/wayback*.pkg.tar.zst + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} snapcraft: name: Build Snap - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0 - - - id: build - name: Build Snap - uses: 
snapcore/action-build@ea14cdeb353272f75977040488ca191880509a8c # v1.1.0 - with: - snapcraft-channel: edge - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }}-snap - path: ${{ steps.build.outputs.snap }} - - - name: Install snap - shell: bash - run: | - sudo snap install --dangerous ${{ steps.build.outputs.snap }} - wayback --help - - - name: Release Snap - uses: snapcore/action-publish@128198fd2ed6446f70918a2a2d3ae7cbe758bf3a # v1.1.0 - if: github.repository == 'wabarc/wayback' && github.event_name == 'push' - with: - store_login: ${{ secrets.SNAPCRAFT_TOKEN }} - snap: ${{ steps.build.outputs.snap }} - release: edge + uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main + with: + product: wayback + channel: edge + publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }} + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} + snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }} flatpak: name: Build Flatpak - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up Go 1.x - uses: actions/setup-go@v3 - with: - go-version: ^1.18 - - - name: Setup Flatpak - run: | - sudo apt-get -y -qq update - sudo apt-get install -y flatpak flatpak-builder - - - name: Packaging flatpak - run: | - VERSION=edge - BUNDLE="org.wabarc.wayback_${VERSION}_x86_64.flatpak" - MANIFEST_PATH=$GITHUB_WORKSPACE/build/flatpak/org.wabarc.wayback.yml - RUNTIME_REPO="https://flathub.org/repo/flathub.flatpakrepo" - APP_ID="org.wabarc.wayback" - BRANCH="master" - - flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - flatpak install -y 
--noninteractive flathub org.freedesktop.Platform//20.08 org.freedesktop.Sdk//20.08 - - make build - mv build/binary/wayback build/flatpak/wayback - - flatpak-builder --user --disable-rofiles-fuse --repo=repo --force-clean flatpak_app ${MANIFEST_PATH} --install-deps-from=flathub - flatpak build-bundle repo ${BUNDLE} --runtime-repo=${RUNTIME_REPO} ${APP_ID} ${BRANCH} - mv $GITHUB_WORKSPACE/org.wabarc.wayback_${VERSION}_x86_64.flatpak $GITHUB_WORKSPACE/org.wabarc.wayback-${VERSION}.x86_64.flatpak - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }}-flatpak - path: org.wabarc.wayback-*.x86_64.flatpak + uses: wabarc/.github/.github/workflows/reusable-builder-flatpak.yml@main + with: + product: wayback + version: edge + params: 'make build' + artifact-path: org.wabarc.wayback-*.x86_64.flatpak + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index d175b4f3..00000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null 
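Review bot: The `snapcraft` job no longer installs the built snap and runs `wayback --help` before `publish:` can push it to the edge channel; unless reusable-builder-snap.yml performs an equivalent check, a snap that builds but does not start would be released. Confirm that in the reusable workflow, or pass a smoke-test input if it offers one. The AUR `params: 'make submodule && cd build/aur && make volume'` is a shell string run by the callee; it is a literal here, which is the right way to keep it.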
@@ -1,188 +0,0 @@ -# Copyright 2020 Wayback Archiver. All rights reserved. -# Use of this source code is governed by the GNU GPL v3 -# license that can be found in the LICENSE file. -# -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# ******** NOTE ******** - -name: "CodeQL" - -on: - push: - branches: - - main - - develop - pull_request: - # The branches below must be a subset of the branches above - branches: [ main ] - schedule: - - cron: '33 23 * * 4' - -permissions: write-all - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - - permissions: - security-events: write - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'go' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'schedule' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - config-file: ./.github/codeql/codeql-config.yml - # If you wish to specify custom queries, you can do so here or in a config file. 
- # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - - nancy: - name: Sonatype Nancy - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'schedule' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up Go 1.x - uses: actions/setup-go@v3 - with: - go-version: ^1.18 - - - name: Write Go module list - run: go list -json -m all > go.list - - - name: Perform Nancy - uses: sonatype-nexus-community/nancy-github-action@aae196481b961d446f4bff9012e4e3b63d7921a4 # v1.0.2 - continue-on-error: true - - semgrep: - name: Semgrep Scan - runs-on: ubuntu-latest - if: github.actor != 'dependabot[bot]' - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'schedule' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ 
github.event.pull_request.head.sha }} - - - name: Run Bug Scan - uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9 - with: - config: p/r2c-bug-scan - - - name: Run CI - uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9 - with: - config: p/r2c-ci - - - name: Run Best Practices - uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9 - with: - config: p/r2c-best-practices - - - name: Run Security Audit - uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9 - with: - config: p/r2c-security-audit - - - name: Run GoSec - uses: returntocorp/semgrep-action@e9c03cf55b6e6228674d9c6837158af4b61598c9 - with: - config: p/gosec - - fossa: - if: github.repository == 'wabarc/wayback' - name: FOSSA - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'schedule' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run FOSSA Scan - if: github.event_name != 'pull_request' - uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 - with: - api-key: ${{ secrets.FOSSA_APIKEY }} diff --git a/.github/workflows/dispatch.yml b/.github/workflows/dispatch.yml index efd3ed46..3e7a6a4e 100644 --- a/.github/workflows/dispatch.yml +++ b/.github/workflows/dispatch.yml 
@@ -16,11 +16,19 @@ jobs: name: Repository Dispatch runs-on: ubuntu-latest steps: - - name: Dispatch repository in wabarc/aur - uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 - with: - repository: wabarc/homebrew-wayback - event-type: publish - token: ${{ secrets.PAT_WORKFLOW }} - client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' + - name: Harden Runner + uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 + with: + egress-policy: block + disable-telemetry: true + allowed-endpoints: > + github.com:443 + api.github.com:443 + - name: Dispatch repository in wabarc/aur + uses: peter-evans/repository-dispatch@f2696244ec00ed5c659a5cc77f7138ad0302dffb # v2.1.0 + with: + repository: wabarc/homebrew-wayback + event-type: publish + token: ${{ secrets.PAT_WORKFLOW }} + client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f719bf8f..fdbb3c29 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -28,16 +28,36 @@ on: permissions: contents: read - packages: write - id-token: write jobs: publish: name: Build and push Docker image runs-on: ubuntu-latest + permissions: + packages: write + id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 + with: + egress-policy: block + disable-telemetry: true + allowed-endpoints: > + ghcr.io:443 + github.com:443 + api.github.com:443 + docker.io:443 + pkg-containers.githubusercontent.com:443 + auth.docker.io:443 + registry-1.docker.io:443 + production.cloudflare.docker.com:443 + dl-cdn.alpinelinux.org:443 + storage.googleapis.com:443 + proxy.golang.org:443 + sum.golang.org:443 + - name: Checkout default branch - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: fetch-depth: 0 
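Review bot: The re-added step name `Dispatch repository in wabarc/aur` does not match its target, `repository: wabarc/homebrew-wayback`; since the line is rewritten in this hunk anyway, change it to `- name: Dispatch repository in wabarc/homebrew-wayback`. The egress allowlist of `github.com:443` and `api.github.com:443` matches what the repository-dispatch action needs, so the hardening itself looks right.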
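Review bot: The new job-level `permissions:` block on `publish` lists only `packages: write` and `id-token: write`; a job-level block does not inherit the workflow-level `contents: read` but resets every unlisted scope to none, so the job's token now has no contents access. Checkout of a public repository still succeeds, but to keep the intent explicit and safe for a private fork add `contents: read` beside the two write scopes. The `allinone` job in the next hunk has the same block. Separately, `id-token: write` is kept while the egress allowlist has no Sigstore endpoints; if signing is key-based, as the `cosign verify --key cosign.pub` lines suggest, the scope can be dropped, otherwise the needed endpoints must be added or the blocked egress will fail the signing step.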
@@ -153,19 +173,34 @@ jobs: cat cosign.pub cosign verify --key cosign.pub $IMAGE_NAME - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: wayback - path: ./dist/* - if-no-files-found: error - allinone: name: AllInOne Docker image runs-on: ubuntu-latest + permissions: + packages: write + id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 + with: + egress-policy: block + disable-telemetry: true + allowed-endpoints: > + ghcr.io:443 + github.com:443 + api.github.com:443 + docker.io:443 + pkg-containers.githubusercontent.com:443 + auth.docker.io:443 + registry-1.docker.io:443 + production.cloudflare.docker.com:443 + dl-cdn.alpinelinux.org:443 + storage.googleapis.com:443 + proxy.golang.org:443 + sum.golang.org:443 + - name: Checkout default branch - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: fetch-depth: 0 
@@ -270,34 +305,3 @@ jobs: IMAGE_NAME=${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }} cat cosign.pub cosign verify --key cosign.pub $IMAGE_NAME - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: wayback - path: ./dist/* - if-no-files-found: error - - dispatch: - if: github.repository == 'wabarc/wayback' - name: Repository Dispatch - runs-on: ubuntu-latest - needs: [publish] - steps: - - name: Dispatch repository in wabarc/on-heroku (release) - uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 - if: startsWith(github.ref, 'refs/tags/v') - with: - repository: wabarc/on-heroku - event-type: deploy - token: ${{ secrets.PAT_WORKFLOW }} - client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' - - - name: Dispatch repository in wabarc/on-heroku (testing) - uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 - if: ${{ github.event_name == 'push' }} - with: - repository: wabarc/on-heroku - event-type: deploy - token: ${{ secrets.PAT_WORKFLOW }} - client-payload: '{"from": "${{ github.repository }}", "channel": "edge"}' diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 9ee1327d..be8023f8 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -13,23 +13,10 @@ on: - '**' types: [ opened, synchronize, reopened ] +permissions: + contents: read + jobs: license: name: License Checker - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Check License Header - uses: apache/skywalking-eyes/header@501a28d2fb4a9b962661987e50cf0219631b32ff + uses: wabarc/.github/.github/workflows/reusable-license.yml@main 
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index ccd26fb3..9d16e00c 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml 
@@ -18,147 +18,29 @@ permissions: jobs: super-linter: - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - DEFAULT_BRANCH: 'main' - VALIDATE_MARKDOWN: true - VALIDATE_DOCKERFILE: true - VALIDATE_BASH: true - VALIDATE_BASH_EXEC: true - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + name: Super Linter + uses: wabarc/.github/.github/workflows/reusable-super-linter.yml@main golangci: - strategy: - matrix: - os: [ ubuntu-latest, macos-latest, windows-latest ] - runs-on: ${{ matrix.os }} - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up Go 1.x - uses: actions/setup-go@v3 - with: - go-version: ^1.18 - - - name: Golang linter - uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # v3.2.0 - with: - version: v1.49 - # Optional: golangci-lint command line arguments. - args: --timeout=5m - # Optional: show only new issues if it's a pull request. The default value is `false`. 
- only-new-issues: true + name: golangci-lint + uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main shellcheck: - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run shellcheck with reviewdog - uses: reviewdog/action-shellcheck@66c9a47bf02255b250284a82251cb4cadf5043f5 # v1.15.0 + name: ShellCheck + uses: wabarc/.github/.github/workflows/reusable-shellcheck.yml@main misspell: - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run misspell with reviewdog - uses: reviewdog/action-misspell@811b1e15f531430be3a5784e3d591bd657df18b0 # v1.12.2 + name: Misspell + uses: wabarc/.github/.github/workflows/reusable-misspell.yml@main alex: - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run alex with reviewdog - uses: reviewdog/action-alex@ba00276838ef57db30fc418f906a09ea79f25efc # v1.5.0 + name: Alex + uses: wabarc/.github/.github/workflows/reusable-alex.yml@main urlcheck: - runs-on: ubuntu-latest - steps: - - name: Check out code base - if: github.event_name == 'push' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: 
actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run url checker - uses: urlstechie/urlchecker-action@816b328eb5bd2b35a1f72230bf2ff4b7ca0680fe # 0.0.33 - with: - exclude_patterns: ".onion,https://github.com/,https://repo.wabarc.eu.org/" + name: URLCheck + uses: wabarc/.github/.github/workflows/reusable-urlcheck.yml@main goreportcard: - if: ${{ github.ref == 'refs/heads/main' }} - runs-on: ubuntu-latest - steps: - - name: Run Go report card - run: | - path=$(curl -sf -X POST -F "repo=github.com/$GITHUB_REPOSITORY" https://goreportcard.com/checks | jq -r '.redirect') - echo -e "\nSee report for https://goreportcard.com${path}" + name: Go Report Card + uses: wabarc/.github/.github/workflows/reusable-goreportcard.yml@main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 479ccbe2..53186bd2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,9 +11,9 @@ on: env: PRODUCT: wayback - WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }} -permissions: write-all +permissions: + contents: read jobs: build: 
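Review bot: The `goreportcard` job drops its `if: ${{ github.ref == 'refs/heads/main' }}` guard, so unless reusable-goreportcard.yml gates internally the goreportcard.com request is now made on every pull request; `if` is supported on a reusable-workflow call, so the guard can stay at the caller as `if: ${{ github.ref == 'refs/heads/main' }}`. The `golangci` job also loses its ubuntu/macos/windows matrix and `urlcheck` its `exclude_patterns` (".onion,https://github.com/,https://repo.wabarc.eu.org/"); confirm the reusable workflows carry these, otherwise lint coverage shrinks and the URL check may start failing on onion links.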
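Review bot: `env: PRODUCT: wayback` survives at the workflow level, but `env` set in a caller is not propagated to called reusable workflows, so it only matters if a remaining non-reusable job in this file reads it; otherwise it is dead and can be removed, since the reusable jobs already receive `product: wayback` as an input. With `permissions: contents: read` at the top, whichever job creates the GitHub release needs its own `contents: write` — presumably the "Move write permission to job level" item in the description, but that job is outside this hunk.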
@@ -72,49 +72,20 @@ jobs: - os: dragonfly arch: 386 fail-fast: false - runs-on: ubuntu-latest - env: - GOOS: ${{ matrix.os }} - GOARCH: ${{ matrix.arch }} - GOARM: ${{ matrix.arm }} - GOMIPS: ${{ matrix.mips }} - GOMIPS64: ${{ matrix.mips64 }} - GOMIPSLE: ${{ matrix.mipsle }} - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Set up Go 1.x - uses: actions/setup-go@v3 - with: - go-version: ^1.18 - - - name: Build fat binary - id: builder - run: | - ARGS="${GOOS}-${GOARCH}" - if [[ -n "${GOARM}" ]]; then - ARGS="${ARGS}v${GOARM}" - elif [[ -n "${GOMIPS}" ]]; then - ARGS="${ARGS}-${GOMIPS}" - elif [[ -n "${GOMIPS64}" ]]; then - ARGS="${ARGS}-${GOMIPS64}" - elif [[ -n "${GOMIPSLE}" ]]; then - ARGS="${ARGS}-${GOMIPSLE}" - fi - make ${ARGS} - echo "args=${ARGS}" >> $GITHUB_OUTPUT - - - name: Archive binary - run: make TARGET=${{ steps.builder.outputs.args }} releases - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: build/package/${{ env.PRODUCT }}* + uses: wabarc/.github/.github/workflows/reusable-builder-go.yml@main + with: + product: wayback + release: true + go-version: '^1.19' + go-os: ${{ matrix.os }} + go-arch: ${{ matrix.arch }} + go-arm: ${{ matrix.arm }} + go-mips: ${{ matrix.mips }} + go-mips64: ${{ matrix.mips64 }} + go-mipsle: ${{ matrix.mipsle }} + artifact-path: build/package/wayback* + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} debpkg: name: Build DEB 
@@ -124,348 +95,148 @@ jobs: - os: linux arch: amd64 - os: linux - arch: arm + arch: arm32 arm: 7 - os: linux arch: arm64 - runs-on: ubuntu-latest - env: - GOOS: ${{ matrix.os }} - GOARCH: ${{ matrix.arch }} - GOARM: ${{ matrix.arm }} - steps: - - name: Check out codebase - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0 - - - name: Build Debian package - run: | - OS_ARCH="${GOARCH}" - PKG_ARCH="${GOARCH}" - if [[ -n "${GOARM}" ]]; then - PKG_ARCH="${PKG_ARCH}v${GOARM}" - OS_ARCH="arm32v${GOARM}" - fi - if [[ "${OS_ARCH}" == "arm64" ]]; then - OS_ARCH=arm64v8 - fi - make debian DEB_IMG_ARCH=${OS_ARCH} PKG_ARCH=${PKG_ARCH} - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: build/package/${{ env.PRODUCT }}*.deb + arm: 8 + fail-fast: false + uses: wabarc/.github/.github/workflows/reusable-builder-deb.yml@main + with: + product: wayback + go-arch: ${{ matrix.arch }} + go-arm: ${{ matrix.arm }} + artifact-path: build/package/wayback*.deb + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} rpmpkg: name: Build RPM - runs-on: ubuntu-latest - steps: - - name: Check out codebase - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Build RPM package - run: make rpm - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: build/package/${{ env.PRODUCT }}*.rpm + uses: wabarc/.github/.github/workflows/reusable-builder-rpm.yml@main + with: + product: wayback + params: 'make rpm' + artifact-path: build/package/wayback*.rpm + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} aurpkg: name: Build AUR - runs-on: ubuntu-latest - steps: - - name: Check out code base - uses: actions/checkout@v3 - with: - fetch-depth: 0 - submodules: true - - - name: Build AUR package - run: | - make submodule - cd build/aur - make volume - - - name: 
Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: | - build/aur/.SRCINFO - build/aur/PKGBUILD - build/aur/${{ env.PRODUCT }}*.pkg.tar.zst - if-no-files-found: error - - - name: Clean up - run: | - cd build/aur - make clean + uses: wabarc/.github/.github/workflows/reusable-builder-aur.yml@main + with: + product: wayback + params: 'make submodule && cd build/aur && make volume' + artifact-path: | + build/aur/.SRCINFO + build/aur/PKGBUILD + build/aur/wayback*.pkg.tar.zst + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} snapcraft: name: Build Snap - runs-on: ubuntu-latest - outputs: - version: ${{ steps.env.outputs.version }} - steps: - - name: Check out code base - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0 - - - name: Set env & Print wayback version - shell: bash - id: env - run: | - version=$(git describe --tags `git rev-list --tags --max-count=1` | sed -e 's/v//g') - sed -i "s/version: 'git'/version: '${version}'/g" snapcraft.yaml - echo "version=${version}" >> $GITHUB_OUTPUT - - - id: build - name: Build Snap - uses: snapcore/action-build@ea14cdeb353272f75977040488ca191880509a8c # v1.1.0 - with: - snapcraft-channel: stable - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: ${{ steps.build.outputs.snap }} + uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main + with: + product: wayback + channel: stable + release: true + publish: true + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} + snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }} flatpak: name: Build Flatpak - runs-on: ubuntu-latest - steps: - - name: Check out code base - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Set up Go 1.x - uses: actions/setup-go@v3 - with: - go-version: ^1.18 - - - name: Setup Flatpak - run: | - sudo 
apt-get -y -qq update - sudo apt-get install -y flatpak flatpak-builder - - - name: Packaging flatpak - run: | - VERSION=$(git describe --tags `git rev-list --tags --max-count=1` | sed -e 's/v//g') - BUNDLE="org.wabarc.wayback_${VERSION}_x86_64.flatpak" - MANIFEST_PATH=$GITHUB_WORKSPACE/build/flatpak/org.wabarc.wayback.yml - RUNTIME_REPO="https://flathub.org/repo/flathub.flatpakrepo" - APP_ID="org.wabarc.wayback" - BRANCH="master" - - flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - flatpak install -y --noninteractive flathub org.freedesktop.Platform//20.08 org.freedesktop.Sdk//20.08 - - make build - mv build/binary/wayback build/flatpak/wayback - - flatpak-builder --user --disable-rofiles-fuse --repo=repo --force-clean flatpak_app ${MANIFEST_PATH} --install-deps-from=flathub - flatpak build-bundle repo ${BUNDLE} --runtime-repo=${RUNTIME_REPO} ${APP_ID} ${BRANCH} - mv $GITHUB_WORKSPACE/org.wabarc.wayback_${VERSION}_x86_64.flatpak $GITHUB_WORKSPACE/org.wabarc.wayback-${VERSION}.x86_64.flatpak - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: org.wabarc.wayback-*.x86_64.flatpak - - checksum: - name: Get archived packages checksum - runs-on: ubuntu-latest - needs: [ build, debpkg, rpmpkg, aurpkg, snapcraft, flatpak ] - outputs: - digest: ${{ steps.digest.outputs.result }} - steps: - - name: Download math result from build job - uses: actions/download-artifact@v2 - with: - name: ${{ env.PRODUCT }} - path: . 
- - - name: Create all binary digest - id: digest - run: | - digest=$(find *${{ env.PRODUCT }}* -type f -exec sha256sum {} +) - output="${digest//$'%'/%25}" - output="${output//$'\n'/%0A}" - echo "result=${output}" >> $GITHUB_OUTPUT - # Write digest to file - version=${{ needs.snapcraft.outputs.version }} - echo "${digest}" > "${{ env.PRODUCT }}-${version}-checksums.txt" - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ env.PRODUCT }} - path: ${{ env.PRODUCT }}-*-checksums.txt + uses: wabarc/.github/.github/workflows/reusable-builder-flatpak.yml@main + with: + product: wayback + params: 'make build' + artifact-path: org.wabarc.wayback-*.x86_64.flatpak + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} release: name: Create and upload release - runs-on: ubuntu-latest - needs: [build, checksum] - steps: - - name: Check out code base - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Generate Git log - run: | - git fetch origin +refs/tags/*:refs/tags/* - echo "Current Tag: ${GITHUB_REF}" - git checkout ${GITHUB_REF} -b release-log - GITVER=$(git describe --tags) - PREVVER=$(git describe --tags --abbrev=0 ${GITVER}~1) - git log --oneline ${PREVVER}..${GITVER} > gittaglogs.txt - MORE=$(echo "See full [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/${{ github.sha }}/CHANGELOG.md)") - echo -e "*Release ${GITVER}* #wayback\n" > release-note.md - cut -c9- gittaglogs.txt | sed -e 's/^/- /' | sed -e 's/\"/\\"/g' >> release-note.md - echo -e "\n${MORE}" | tee -a release-note.md gittaglogs.txt > /dev/null - # Append digests - echo ' - **Digests in this release:** - - ``` - ${{ needs.checksum.outputs.digest }} - ``` - ' >> gittaglogs.txt - - - name: Update bina.jon - run: | - make bina - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: release-note - path: | - release-note.md - bina.json - - - name: Download math result from build and checksum jobs - uses: 
actions/download-artifact@v2 - with: - name: ${{ env.PRODUCT }} - path: ${{ env.PRODUCT }} - - - name: Create Release - uses: softprops/action-gh-release@50195ba7f6f93d1ac97ba8332a178e008ad176aa - if: startsWith(github.ref, 'refs/tags/') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - with: - body_path: gittaglogs.txt - files: | - ${{ env.PRODUCT }}/*${{ env.PRODUCT }}* - bina.json - prerelease: true - draft: false + needs: [ build, debpkg, rpmpkg, aurpkg, snapcraft, flatpak ] + permissions: + contents: write + uses: wabarc/.github/.github/workflows/reusable-releaser-go.yml@main + with: + product: wayback + generate-bina: true release-apt: if: github.repository == 'wabarc/wayback' name: Release APT Repository - runs-on: ubuntu-latest - needs: [debpkg] - steps: - - name: Check out code base - uses: actions/checkout@v3 - - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: ${{ env.PRODUCT }} - path: ${{ env.PRODUCT }} - - - name: List generated files - run: ls -l ./${{ env.PRODUCT }}/*.deb - - - name: Publish APT Repository - env: - FURY_TOKEN: ${{ secrets.FURY_TOKEN }} - run: for f in ./${{ env.PRODUCT }}/*.deb; do curl --fail -F package=@$f https://$FURY_TOKEN@push.fury.io/wabarc/; done + needs: [ release ] + uses: wabarc/.github/.github/workflows/reusable-releaser-gemfury.yml@main + with: + product: wayback + type: deb + secrets: + fury-token: ${{ secrets.FURY_TOKEN }} release-rpm: if: github.repository == 'wabarc/wayback' name: Release RPM Repository - runs-on: ubuntu-latest - needs: [rpmpkg] - steps: - - name: Check out code base - uses: actions/checkout@v3 - - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: ${{ env.PRODUCT }} - path: ${{ env.PRODUCT }} - - - name: List generated files - run: ls -l ./${{ env.PRODUCT }}/*.rpm - - - name: Publish RPM Repository - env: - FURY_TOKEN: ${{ secrets.FURY_TOKEN }} - run: for f in 
./${{ env.PRODUCT }}/*.rpm; do curl --fail -F package=@$f https://$FURY_TOKEN@push.fury.io/wabarc/; done + needs: [ release ] + uses: wabarc/.github/.github/workflows/reusable-releaser-gemfury.yml@main + with: + product: wayback + type: rpm + secrets: + fury-token: ${{ secrets.FURY_TOKEN }} notification: if: github.repository == 'wabarc/wayback' name: Send Notification runs-on: ubuntu-latest - needs: [release] + needs: [ release ] steps: - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: release-note - path: . - - - name: Send release note to Telegram channel - continue-on-error: true - run: | - TEXT="$(cat release-note.md)" - echo -e "${TEXT}" - curl --silent --output /dev/null --show-error --fail -X POST \ - -H 'Content-Type: application/json' \ - -d '{"chat_id": "${{ secrets.TELEGRAM_TO }}", "text": "'"${TEXT}"'", "parse_mode": "markdown"}' \ - "https://api.telegram.org/bot${{ secrets.TELEGRAM_TOKEN }}/sendMessage" + - name: Harden Runner + uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 + with: + egress-policy: block + disable-telemetry: true + allowed-endpoints: > + api.telegram.org:443 + + - name: Send release note to Telegram channel + continue-on-error: true + run: | + TEXT="${{ needs.release.outputs.release-note }}" + echo -e "${TEXT}" + curl --silent --output /dev/null --show-error --fail -X POST \ + -H 'Content-Type: application/json' \ + -d '{"chat_id": "${{ secrets.TELEGRAM_TO }}", "text": "'"${TEXT}"'", "parse_mode": "markdown"}' \ + "https://api.telegram.org/bot${{ secrets.TELEGRAM_TOKEN }}/sendMessage" dispatch: if: github.repository == 'wabarc/wayback' name: Repository Dispatch runs-on: ubuntu-latest - needs: [release] + needs: [ release ] steps: - - name: Dispatch repository in wabarc/aur - uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 - with: - repository: wabarc/aur - event-type: publish - token: ${{ secrets.PAT_WORKFLOW }} - 
client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' - - - name: Dispatch repository in wabarc/homebrew-wayback - uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 - with: - repository: wabarc/homebrew-wayback - event-type: publish - token: ${{ secrets.PAT_WORKFLOW }} - client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' + - name: Harden Runner + uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 + with: + egress-policy: block + disable-telemetry: true + allowed-endpoints: > + api.github.com:443 + + - name: Dispatch repository in wabarc/aur + uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 + with: + repository: wabarc/aur + event-type: publish + token: ${{ secrets.PAT_WORKFLOW }} + client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' + + - name: Dispatch repository in wabarc/homebrew-wayback + uses: peter-evans/repository-dispatch@11ba7d3f32dc7cc919d1c43f1fec1c05260c26b5 # v2.0.0 + with: + repository: wabarc/homebrew-wayback + event-type: publish + token: ${{ secrets.PAT_WORKFLOW }} + client-payload: '{"from": "${{ github.repository }}", "channel": "stable"}' diff --git a/.github/workflows/snapcraft.yml b/.github/workflows/snapcraft.yml index 039aca6a..6907925e 100644 --- a/.github/workflows/snapcraft.yml +++ b/.github/workflows/snapcraft.yml 
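Review bot: In the notification job, `TEXT="${{ needs.release.outputs.release-note }}"` splices a job output directly into the `run:` script; the removed version read the note from a downloaded `release-note.md`, so this expression interpolation is new to this commit. The removed release job built that note from `git log` commit-message text, and the reusable releaser presumably does the same, so shell metacharacters in a commit message would be interpreted by the runner shell, which has `TELEGRAM_TOKEN` and `TELEGRAM_TO` in hand. Pass the value through the environment instead: add `env:` with `RELEASE_NOTE: ${{ needs.release.outputs.release-note }}` to the step and use `TEXT="${RELEASE_NOTE}"` in the script. The same `TEXT` is then pasted into the JSON body with no escaping, so a double quote or newline in the note still breaks the request; building the payload with `jq -n --arg text "$TEXT" …` would close that as well. Whether `reusable-releaser-go.yml` actually exposes a `release-note` output cannot be verified from this diff.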
@@ -10,42 +10,17 @@ on: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 workflow_dispatch: -permissions: write-all +permissions: + content: read jobs: snapcraft: runs-on: ubuntu-latest - steps: - - name: Check out Git repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0 - - - name: Set env & Print wayback version - shell: bash - run: | - version=$(git describe --tags `git rev-list --tags --max-count=1` | sed -e 's/v//g') - sed -i "s/version: 'git'/version: '${version}'/g" snapcraft.yaml - - - id: build - name: Build Snap - uses: snapcore/action-build@ea14cdeb353272f75977040488ca191880509a8c # v1.1.0 - with: - snapcraft-channel: stable - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: wayback-snap - path: ${{ steps.build.outputs.snap }} - - - uses: snapcore/action-publish@128198fd2ed6446f70918a2a2d3ae7cbe758bf3a # v1.1.0 - name: Release Snap - if: github.repository == 'wabarc/wayback' - with: - store_login: ${{ secrets.SNAPCRAFT_TOKEN }} - snap: ${{ steps.build.outputs.snap }} - release: stable + uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main + with: + product: wayback + channel: stable + publish: true + secrets: + wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} + snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 98fe7ac6..dc1e0a99 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,7 @@ name: Stale on: schedule: - cron: "0 3 * * 6" + workflow_dispatch: permissions: issues: write 
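Review bot: In the snapcraft.yml hunk, the new `permissions:` block sets `content: read`, which misspells the scope; the key is `contents`, and GitHub's workflow validator rejects unknown permission keys instead of treating them as read-only, so change it to `contents: read`. In the same job, `runs-on: ubuntu-latest` survives as a context line next to the added `uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main`; a job that calls a reusable workflow may not declare `runs-on` (the release.yml and stale.yml hunks delete it), so that line must go too. Both errors surface as a workflow validation failure on the next `v*` tag push, before any step runs. The stale.yml hunk that shares this line only adds `workflow_dispatch:` and needs no change.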
@@ -15,15 +16,4 @@ permissions:
 jobs:
 stale:
 name: Stale
- runs-on: ubuntu-latest
- steps:
- - name: Mark stale issues and pull requests
- uses: actions/stale@v5
- with:
- repo-token: ${{ github.token }}
- exempt-issue-labels: "enhancement,question,help wanted,bug"
- exempt-pr-labels: "need-help,WIP"
- stale-issue-message: "This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days"
- stale-pr-message: 'It has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days'
- days-before-stale: 120
- days-before-close: 5
+ uses: wabarc/.github/.github/workflows/reusable-stale.yml@main
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 8d14256a..c2a508f3 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -51,140 +51,146 @@ jobs: RECVER_UID: ${{ secrets.MATRIX_RECVER_UID }} RECVER_PWD: ${{ secrets.MATRIX_RECVER_PWD }} steps: - - name: Set up Go ${{ matrix.go }}.x - uses: actions/setup-go@v3 - with: - go-version: ${{ matrix.go }} - - - name: Set up IPFS - uses: ibnesayeed/setup-ipfs@3e5452e358dfa43a0fb92496e96c82cf756be94a - with: - run_daemon: true - - - name: Set up Tor - uses: tor-actions/setup-tor@main - with: - daemon: true - - - name: Set up Chrome - uses: browser-actions/setup-chrome@37c79b7f0199cec79c8b6a414e806d88c8662bdd - with: - chrome-version: stable - - - name: Set up Meilisearch - if: matrix.os == 'ubuntu-latest' - uses: moy2010/meilisearch-github-action@fcc5ef714af0596633665032d459bfb279d3c730 # 0.1.4 - with: - meilisearch-version: v0.28.0 - meilisearch-port: 7700 - meilisearch-api-key: foobar - - - name: Set up Chocolatey - if: matrix.os == 'windows-latest' - uses: crazy-max/ghaction-chocolatey@b59ffdb6594d2e2c36d9e1174e15ac799dd0a8f1 # v2.0.0 - with: - args: -h - - - name: Install Packages - if: matrix.os == 'ubuntu-latest' - shell: bash - run: | - # search package https://pkgs.org/ - sudo add-apt-repository universe - sudo apt-get -y -qq update - sudo apt-get -y -qq install ffmpeg webp youtube-dl - pip3 install you-get - echo "youtube-dl version $(youtube-dl --version)" - you-get --version - ffmpeg -version - - - name: Install Packages - if: matrix.os == 'macos-latest' - shell: bash - run: | - # search package https://brew.sh/ - brew install --quiet ffmpeg webp youtube-dl you-get - echo "youtube-dl version $(youtube-dl --version)" - you-get --version - ffmpeg -version - - - name: Install Packages - if: matrix.os == 'windows-latest' - shell: bash - run: | - # search package https://community.chocolatey.org/packages - choco install --no-progress wget ffmpeg webp youtube-dl you-get - echo "youtube-dl version $(youtube-dl --version)" - you-get --version - ffmpeg -version - wget --help - - - name: Set environments - shell: bash - run: | - # Set env 
to enable reduxer - echo "WAYBACK_STORAGE_DIR=${{ runner.temp }}" >> $GITHUB_ENV - # Append paths to environment path - # echo "$(which youtube-dl)" >> $GITHUB_PATH - # echo "$(which you-get)" >> $GITHUB_PATH - # echo "$(which ffmpeg)" >> $GITHUB_PATH - # echo "$(which wget)" >> $GITHUB_PATH - - - name: Set environments for Meilisearch - if: matrix.os == 'ubuntu-latest' - shell: bash - run: | - # Set env to enable reduxer - echo "WAYBACK_MEILI_ENDPOINT=http://localhost:7700" >> $GITHUB_ENV - echo "PLAYBACK_MEILI_ENDPOINT=http://localhost:7700" >> $GITHUB_ENV - echo "WAYBACK_MEILI_APIKEY=foobar" >> $GITHUB_ENV - echo "PLAYBACK_MEILI_APIKEY=foobar" >> $GITHUB_ENV - - - name: Check out code base - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Check out code base - if: github.event_name == 'pull_request' - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Cache go module - uses: actions/cache@v3 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - ~/Library/Caches/go-build - ~\AppData\Local\go-build - ~\go\pkg\mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Get dependencies - run: | - go get -v -t -d ./... 
- - - name: Run test - run: | - make test - make test-cover - shell: bash - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: coverage-${{ matrix.os }} - path: coverage.* - - - name: Upload coverage to Codecov - if: ${{ matrix.update-coverage }} - uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 #v3.1.0 - - - name: Run integration test - run: make test-integration + - name: Harden Runner + uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 + with: + egress-policy: audit + disable-telemetry: true + + - name: Set up Go ${{ matrix.go }}.x + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.3.1 + with: + go-version: ${{ matrix.go }} + + - name: Set up IPFS + uses: ibnesayeed/setup-ipfs@3e5452e358dfa43a0fb92496e96c82cf756be94a + with: + run_daemon: true + + - name: Set up Tor + uses: tor-actions/setup-tor@462b4eef22eecc86cc4abdedafc95a38667e2557 + with: + daemon: true + + - name: Set up Chrome + uses: browser-actions/setup-chrome@37c79b7f0199cec79c8b6a414e806d88c8662bdd + with: + chrome-version: stable + + - name: Set up Meilisearch + if: matrix.os == 'ubuntu-latest' + uses: moy2010/meilisearch-github-action@fcc5ef714af0596633665032d459bfb279d3c730 # 0.1.4 + with: + meilisearch-version: v0.28.0 + meilisearch-port: 7700 + meilisearch-api-key: foobar + + - name: Set up Chocolatey + if: matrix.os == 'windows-latest' + uses: crazy-max/ghaction-chocolatey@b59ffdb6594d2e2c36d9e1174e15ac799dd0a8f1 # v2.0.0 + with: + args: -h + + - name: Install Packages + if: matrix.os == 'ubuntu-latest' + shell: bash + run: | + # search package https://pkgs.org/ + sudo add-apt-repository universe + sudo apt-get -y -qq update + sudo apt-get -y -qq install ffmpeg webp youtube-dl + pip3 install you-get + echo "youtube-dl version $(youtube-dl --version)" + you-get --version + ffmpeg -version + + - name: Install Packages + if: matrix.os == 'macos-latest' + shell: bash + run: | + # search package 
https://brew.sh/ + brew install --quiet ffmpeg webp youtube-dl you-get + echo "youtube-dl version $(youtube-dl --version)" + you-get --version + ffmpeg -version + + - name: Install Packages + if: matrix.os == 'windows-latest' + shell: bash + run: | + # search package https://community.chocolatey.org/packages + choco install --no-progress wget ffmpeg webp youtube-dl you-get + echo "youtube-dl version $(youtube-dl --version)" + you-get --version + ffmpeg -version + wget --help + + - name: Set environments + shell: bash + run: | + # Set env to enable reduxer + echo "WAYBACK_STORAGE_DIR=${{ runner.temp }}" >> $GITHUB_ENV + # Append paths to environment path + # echo "$(which youtube-dl)" >> $GITHUB_PATH + # echo "$(which you-get)" >> $GITHUB_PATH + # echo "$(which ffmpeg)" >> $GITHUB_PATH + # echo "$(which wget)" >> $GITHUB_PATH + + - name: Set environments for Meilisearch + if: matrix.os == 'ubuntu-latest' + shell: bash + run: | + # Set env to enable reduxer + echo "WAYBACK_MEILI_ENDPOINT=http://localhost:7700" >> $GITHUB_ENV + echo "PLAYBACK_MEILI_ENDPOINT=http://localhost:7700" >> $GITHUB_ENV + echo "WAYBACK_MEILI_APIKEY=foobar" >> $GITHUB_ENV + echo "PLAYBACK_MEILI_APIKEY=foobar" >> $GITHUB_ENV + + - name: Check out code base + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + fetch-depth: 0 + + - name: Check out code base + if: github.event_name == 'pull_request' + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + + - name: Cache go module + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11 + with: + path: | + ~/.cache/go-build + ~/go/pkg/mod + ~/Library/Caches/go-build + ~\AppData\Local\go-build + ~\go\pkg\mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: Get dependencies + 
run: | + go get -v -t -d ./... + + - name: Run test + run: | + make test + make test-cover + shell: bash + + - name: Upload artifact + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + with: + name: coverage-${{ matrix.os }} + path: coverage.* + + - name: Upload coverage to Codecov + if: ${{ matrix.update-coverage }} + uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 #v3.1.0 + + - name: Run integration test + run: make test-integration
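Review bot: The pins added at `tor-actions/setup-tor@462b4eef…`, `ibnesayeed/setup-ipfs@3e5452e…` and `browser-actions/setup-chrome@37c79b7…` carry no `# vX.Y.Z` comment, unlike the other pins in this hunk (`actions/setup-go@… # v3.3.1`, `actions/checkout@… # v3.1.0`), so a reviewer cannot tell which release each SHA corresponds to and bump tooling cannot annotate updates; add the matching comment to each, e.g. `uses: tor-actions/setup-tor@462b4eef22eecc86cc4abdedafc95a38667e2557 # <release tag placeholder>`. The new harden-runner step uses `egress-policy: audit` where the release workflow uses `block`; that is defensible for a job that installs packages and starts IPFS and Tor daemons, but record the reason on the line: `egress-policy: audit  # test job reaches package mirrors, IPFS and Tor; tighten once the endpoint list is known`. The re-added install steps still run `pip3 install you-get` and `choco install … youtube-dl you-get` unpinned, which harden-runner in audit mode can only log. The enclosing job starts above this hunk.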