chore(deps): bump github/codeql-action from 3.29.2 to 4.31.0 #2566
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: [opened, edited, synchronize, reopened] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| env: | |
| TEST_TAG_OSS_API: user/oss-api:test | |
| TEST_TAG_INTERNAL_API: user/internal-api:test | |
| TEST_TAG_WORKER: user/worker:test | |
| jobs: | |
| check-title: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: actions/checkout@v4 | |
| - name: Check PR title for ticket number | |
| run: | | |
| echo "PR Title: ${{ github.event.pull_request.title }}" | |
| # Regex pattern for a ticket number | |
| TICKET_PATTERN="DXTA-[0-9]+" # Matches strings like DXTA-123 | |
| # Check if PR title matches the pattern | |
| if [[ ! "${{ github.event.pull_request.title }}" =~ $TICKET_PATTERN ]]; then | |
| echo "Error: PR title does not contain a valid ticket number!" | |
| exit 1 # Fail the CI/CD pipeline | |
| fi | |
| echo "PR title contains a valid ticket number." | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Go 1.24 | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: 1.24 | |
| - name: Verify modules | |
| run: go mod verify | |
| - name: Install linters & tools | |
| run: | | |
| go install golang.org/x/tools/cmd/deadcode@v0.33.0 | |
| echo "$(go env GOPATH)/bin" >> $GITHUB_PATH | |
| - name: Run deadcode | |
| run: deadcode ./... | |
| - name: Run tests | |
| run: go test -v ./... | |
| build-oss-api: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Go 1.24 | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: 1.24 | |
| - name: Dry Build OSS API | |
| run: go build -ldflags="-linkmode external -extldflags -static" -o ./tmp/oss-api ./cmd/oss-api/main.go | |
| docker-oss-api: | |
| needs: [test, build-oss-api] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: . | |
| file: ./oss-api.dockerfile | |
| load: true | |
| tags: ${{ env.TEST_TAG_OSS_API }} | |
| build-internal-api: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Go 1.24 | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: 1.24 | |
| - name: Dry Build Internal API | |
| run: go build -ldflags="-linkmode external -extldflags -static" -o ./tmp/internal-api ./cmd/internal-api/main.go | |
| docker-internal-api: | |
| needs: [test, build-internal-api] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: . | |
| file: ./internal-api.dockerfile | |
| load: true | |
| tags: ${{ env.TEST_TAG_INTERNAL_API }} | |
| build-onboarding-worker: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Go 1.24 | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: 1.24 | |
| - name: Dry Build Onboarding Worker | |
| run: go build -ldflags="-linkmode external -extldflags -static" -o ./tmp/onboarding-worker ./cmd/onboarding-worker/main.go | |
| docker-onboarding-worker: | |
| needs: [test, build-onboarding-worker] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: . | |
| file: ./onboarding-worker.dockerfile | |
| load: true | |
| tags: ${{ env.TEST_TAG_WORKER }} |