Skip to content
Build & Verify Pipeline

feat: add Trino external authentication (browser OAuth) #292

Sign in to view logs

feat: add Trino external authentication (browser OAuth)

feat: add Trino external authentication (browser OAuth) #292

Workflow file for this run

.github/workflows/build.yml at 47a1d3b
name: Build & Verify Pipeline
on:
push:
branches: [main]
paths-ignore:
- "**.md"
- ".github/ISSUE_TEMPLATE/**"
- ".gitignore"
pull_request:
paths-ignore:
- "**.md"
- ".github/ISSUE_TEMPLATE/**"
- ".gitignore"
permissions:
contents: read
packages: write
id-token: write # Required for SLSA provenance
security-events: write # Required for uploading security results
pull-requests: read
checks: write
env:
GO_VERSION: "1.24.9"
REGISTRY: ghcr.io
jobs:
# Static analysis and code quality check
verify:
name: Code Quality
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
check-latest: true
- name: Install dependencies
run: |
go mod download
go mod verify
- name: Check Go mod tidy
run: |
go mod tidy
if ! git diff --quiet go.mod go.sum; then
echo "go.mod or go.sum is not tidy, run 'go mod tidy'"
git diff go.mod go.sum
exit 1
fi
- name: Install golangci-lint
uses: golangci/golangci-lint-action@v9
with:
version: latest
args: --timeout=5m
install-mode: binary
skip-pkg-cache: true
skip-build-cache: true
- name: Run linters
run: golangci-lint run
# Security vulnerability scanning and SBOM generation
security:
name: Security Scan
runs-on: ubuntu-latest
needs: verify
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Run Go Vulnerability Check
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
- name: Run dependency scan
uses: aquasecurity/[email protected]
with:
scan-type: "fs"
scan-ref: "."
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH,MEDIUM"
timeout: "10m"
- name: Upload security scan results
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: "trivy-results.sarif"
- name: Generate SBOM
uses: anchore/[email protected]
with:
format: spdx-json
output-file: sbom.spdx.json
- name: Upload SBOM
uses: actions/upload-artifact@v5
with:
name: sbom
path: sbom.spdx.json
retention-days: 30
# Run unit and integration tests with code coverage
test:
name: Run Tests
runs-on: ubuntu-latest
needs: verify
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Run tests
run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
- name: Upload coverage
uses: codecov/codecov-action@v5
with:
file: ./coverage.txt
flags: unittests
fail_ci_if_error: false
# Simple build verification (for PRs and non-main branches)
build:
name: Build Verification
runs-on: ubuntu-latest
needs: [verify, security]
# Only run for PRs or pushes to non-main branches
if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Build
run: go build -v ./...