build.yml

name: build

on:
  push:
    tags:
      - v*
    branches:
      - main
  pull_request:

permissions:
  contents: write
  id-token: write
  packages: write

jobs:
  govulncheck:
    uses: caarlos0/meta/.github/workflows/govulncheck.yml@main
  semgrep:
    uses: caarlos0/meta/.github/workflows/semgrep.yml@main
  ruleguard:
    uses: caarlos0/meta/.github/workflows/ruleguard.yml@main
  unit-tests:
    strategy:
      matrix:
        os: [ ubuntu-latest, macos-latest, windows-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v3
        with:
          go-version: '~1.19'
          cache: true
      - uses: arduino/setup-task@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: setup-tparse
        run: go install github.com/mfridman/tparse@latest
      - run: task setup
      - name: test
        run: ./scripts/test.sh test ${{ matrix.os }}
      - uses: codecov/codecov-action@v3
        if: matrix.os == 'ubuntu-latest'
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          file: ./coverage.txt
  acceptance-tests:
    strategy:
      matrix:
        pkgFormat: [ deb, rpm, apk ]
        pkgPlatform: [ amd64, arm64, 386, ppc64le, armv6, armv7, s390x ]
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
      NO_TEST_PPC64LE: "true"
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: '~1.19'
          cache: true
      - uses: arduino/setup-task@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/setup-qemu-action@v2
      - uses: docker/setup-buildx-action@v2
      - run: task setup
      - name: setup-tparse
        run: go install github.com/mfridman/tparse@latest
      - name: acceptance
        run: ./scripts/test.sh acceptance ubuntu-latest
        env:
          TEST_PATTERN: "/${{ matrix.pkgFormat }}/${{ matrix.pkgPlatform }}/"
  goreleaser:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    needs:
      - unit-tests
      - Acceptance-Tests
    permissions:
      contents: write
      id-token: write
      packages: write
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v3
        with:
          go-version: '~1.19'
          cache: true
      - uses: arduino/setup-task@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: sigstore/cosign-installer@v2.5.1
      - uses: anchore/sbom-action/download-syft@v0.12.0
      - uses: docker/setup-qemu-action@v2
      - uses: docker/setup-buildx-action@v2
      - run: task setup
      - run: task build
      - uses: docker/login-action@v2
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - uses: docker/login-action@v2
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@v3
        if: success()
        with:
          version: latest
          args: release --rm-dist
          distribution: goreleaser-pro
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_CONSUMER_KEY }}
          TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_CONSUMER_SECRET }}
          TWITTER_ACCESS_TOKEN: ${{ secrets.TWITTER_ACCESS_TOKEN }}
          TWITTER_ACCESS_TOKEN_SECRET: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}
          DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
          DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
          FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}