[NET-8601] security: upgrade vault/api to remove go-jose.v2 #16237
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: go-tests | |
on: | |
pull_request: | |
branches-ignore: | |
- stable-website | |
- 'docs/**' | |
- 'ui/**' | |
- 'mktg-**' # Digital Team Terraform-generated branches' prefix | |
- 'backport/docs/**' | |
- 'backport/ui/**' | |
- 'backport/mktg-**' | |
push: | |
branches: | |
# Push events on the main branch | |
- main | |
- release/** | |
permissions: | |
contents: read | |
env: | |
TEST_RESULTS: /tmp/test-results | |
GOPRIVATE: github.com/hashicorp # Required for enterprise deps | |
SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }} | |
# concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
conditional-skip: | |
runs-on: ubuntu-latest | |
name: Get files changed and conditionally skip CI | |
outputs: | |
skip-ci: ${{ steps.read-files.outputs.skip-ci }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
with: | |
fetch-depth: 0 | |
- name: Get changed files | |
id: read-files | |
run: ./.github/scripts/filter_changed_files_go_test.sh | |
setup: | |
needs: [conditional-skip] | |
name: Setup | |
if: needs.conditional-skip.outputs.skip-ci != 'true' | |
runs-on: ubuntu-latest | |
outputs: | |
compute-small: ${{ steps.setup-outputs.outputs.compute-small }} | |
compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }} | |
compute-large: ${{ steps.setup-outputs.outputs.compute-large }} | |
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- id: setup-outputs | |
name: Setup outputs | |
run: ./.github/scripts/get_runner_classes.sh | |
get-go-version: | |
uses: ./.github/workflows/reusable-get-go-version.yml | |
check-go-mod: | |
needs: | |
- setup | |
- get-go-version | |
uses: ./.github/workflows/reusable-check-go-mod.yml | |
with: | |
runs-on: ${{ needs.setup.outputs.compute-small }} | |
repository-name: ${{ github.repository }} | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
check-generated-protobuf: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-medium) }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos. | |
- name: Setup Git | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" | |
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- run: make proto-tools | |
name: Install protobuf | |
- run: make proto-format | |
name: "Protobuf Format" | |
- run: make --always-make proto | |
- run: | | |
if ! git diff --exit-code; then | |
echo "Generated code was not updated correctly" | |
exit 1 | |
fi | |
- run: make proto-lint | |
name: "Protobuf Lint" | |
check-codegen: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos. | |
- name: Setup Git | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" | |
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- run: make --always-make codegen | |
- run: | | |
if ! git diff --exit-code; then | |
echo "Generated code was not updated correctly" | |
exit 1 | |
fi | |
lint-enums: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos. | |
- name: Setup Git | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" | |
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- run: go install github.com/reillywatson/enumcover/cmd/enumcover@master && enumcover ./... | |
lint-container-test-deps: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos. | |
- name: Setup Git | |
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" | |
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- run: make lint-container-test-deps | |
lint-consul-retry: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }} | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos. | |
- name: Setup Git | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" | |
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- run: make lint-consul-retry | |
lint: | |
needs: | |
- setup | |
- get-go-version | |
uses: ./.github/workflows/reusable-lint.yml | |
with: | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
lint-32bit: | |
needs: | |
- setup | |
- get-go-version | |
uses: ./.github/workflows/reusable-lint.yml | |
with: | |
go-arch: "386" | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
# create a development build | |
dev-build: | |
needs: | |
- setup | |
- get-go-version | |
uses: ./.github/workflows/reusable-dev-build.yml | |
with: | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
# dev-build-s390x: | |
# if: ${{ endsWith(github.repository, '-enterprise') }} | |
# needs: | |
# - setup | |
# - get-go-version | |
# uses: ./.github/workflows/reusable-dev-build.yml | |
# with: | |
# uploaded-binary-name: 'consul-bin-s390x' | |
# runs-on: ${{ needs.setup.outputs.compute-large }} | |
# go-arch: "s390x" | |
# go-version: ${{ needs.get-go-version.outputs.go-version }} | |
# repository-name: ${{ github.repository }} | |
# secrets: | |
# elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
# dev-build-arm64: | |
# # only run on enterprise because GHA does not have arm64 runners in CE | |
# if: ${{ endsWith(github.repository, '-enterprise') }} | |
# needs: | |
# - setup | |
# - get-go-version | |
# uses: ./.github/workflows/reusable-dev-build.yml | |
# with: | |
# uploaded-binary-name: 'consul-bin-arm64' | |
# runs-on: ${{ needs.setup.outputs.compute-large }} | |
# go-arch: "arm64" | |
# go-version: ${{ needs.get-go-version.outputs.go-version }} | |
# repository-name: ${{ github.repository }} | |
# secrets: | |
# elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
# go-test-arm64: | |
# # only run on enterprise because GHA does not have arm64 runners in CE | |
# if: ${{ endsWith(github.repository, '-enterprise') }} | |
# needs: | |
# - setup | |
# - get-go-version | |
# - dev-build-arm64 | |
# uses: ./.github/workflows/reusable-unit-split.yml | |
# with: | |
# directory: . | |
# uploaded-binary-name: 'consul-bin-arm64' | |
# runner-count: 12 | |
# runs-on: "['self-hosted', 'ondemand', 'os=macos-arm', 'arm64']" | |
# go-test-flags: "${{ (github.ref_name != 'main' && !startsWith(github.ref_name, 'release/')) && '-short' || '' }}" | |
# go-version: ${{ needs.get-go-version.outputs.go-version }} | |
# repository-name: ${{ github.repository }} | |
# secrets: | |
# elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
# consul-license: ${{secrets.CONSUL_LICENSE}} | |
# datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-ce: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit-split.yml | |
with: | |
directory: . | |
runner-count: 6 | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-enterprise: | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit-split.yml | |
with: | |
directory: . | |
runner-count: 6 | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-race: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: . | |
go-test-flags: "-race -gcflags=all=-d=checkptr=0" | |
package-names-command: "go list ./... | grep -E -v '^github.com/hashicorp/consul/agent(/consul|/local|/routine-leak-checker)?$' | grep -E -v '^github.com/hashicorp/consul(/command|/connect|/snapshot)'" | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-32bit: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: . | |
go-arch: "386" | |
go-test-flags: "-short" | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
# go-test-s390x: | |
# if: ${{ endsWith(github.repository, '-enterprise') }} | |
# needs: | |
# - setup | |
# - get-go-version | |
# - dev-build-s390x | |
# uses: ./.github/workflows/reusable-unit.yml | |
# with: | |
# uploaded-binary-name: 'consul-bin-s390x' | |
# directory: . | |
# go-test-flags: -short" | |
# runs-on: ${{ needs.setup.outputs.compute-large }} | |
# repository-name: ${{ github.repository }} | |
# go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
# go-version: ${{ needs.get-go-version.outputs.go-version }} | |
# permissions: | |
# id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
# contents: read | |
# secrets: | |
# elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
# consul-license: ${{secrets.CONSUL_LICENSE}} | |
# datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-envoyextensions: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: envoyextensions | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-troubleshoot: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: troubleshoot | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-api-backwards-compatibility: | |
name: go-test-api-${{ needs.get-go-version.outputs.go-version-previous }} | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: api | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version-previous }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-api: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: api | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-sdk-backwards-compatibility: | |
name: go-test-sdk-${{ needs.get-go-version.outputs.go-version-previous }} | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: sdk | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version-previous }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-sdk: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: sdk | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
go-test-testing-deployer: | |
needs: | |
- setup | |
- get-go-version | |
- dev-build | |
uses: ./.github/workflows/reusable-unit.yml | |
with: | |
directory: testing/deployer | |
runs-on: ${{ needs.setup.outputs.compute-large }} | |
repository-name: ${{ github.repository }} | |
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}" | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
secrets: | |
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
consul-license: ${{secrets.CONSUL_LICENSE}} | |
datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}" | |
noop: | |
runs-on: ubuntu-latest | |
steps: | |
- run: "echo ok" | |
# This is job is required for branch protection as a required gihub check | |
# because GitHub actions show up as checks at the job level and not the | |
# workflow level. This is currently a feature request: | |
# https://github.com/orgs/community/discussions/12395 | |
# | |
# This job must: | |
# - be placed after the fanout of a workflow so that everything fans back in | |
# to this job. | |
# - "need" any job that is part of the fan out / fan in | |
# - implement the if logic because we have conditional jobs | |
# (go-test-enteprise) that this job needs and this would potentially get | |
# skipped if a previous job got skipped. So we use the if clause to make | |
# sure it does not get skipped. | |
go-tests-success: | |
needs: | |
- conditional-skip | |
- setup | |
- check-codegen | |
- check-generated-protobuf | |
- check-go-mod | |
- lint-consul-retry | |
- lint-container-test-deps | |
- lint-enums | |
- lint | |
- lint-32bit | |
# - go-test-arm64 | |
- go-test-enterprise | |
- go-test-ce | |
- go-test-race | |
- go-test-envoyextensions | |
- go-test-troubleshoot | |
- go-test-api-backwards-compatibility | |
- go-test-api | |
- go-test-sdk-backwards-compatibility | |
- go-test-sdk | |
- go-test-32bit | |
- go-test-testing-deployer | |
# - go-test-s390x | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }} | |
if: always() && needs.conditional-skip.outputs.skip-ci != 'true' | |
steps: | |
- name: evaluate upstream job results | |
run: | | |
# exit 1 if failure or cancelled result for any upstream job | |
# this ensures that we fail the PR check regardless of cancellation, rather than skip-passing it | |
# see https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution#overview | |
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then | |
printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}" | |
exit 1 | |
fi | |
- name: Set failure Slack commit message summary | |
# failure() ensures this runs even if the test eval step exits 1 | |
if: failure() | |
env: | |
# Capturing in an env var makes this safe against GHA shell injection via commit message. | |
# See https://securitylab.github.com/research/github-actions-untrusted-input/ | |
COMMIT_MESSAGE_FULL: ${{ github.event.head_commit.message }} | |
run: | | |
# if failure (not cancelled), notify Slack | |
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure)\"'; then | |
printf "Tests failed, notifying Slack" | |
echo "FAILED_TESTS=true" >> $GITHUB_ENV | |
# 'echo ... | head -n 1' does not work reliably, so use bash-ism to get first line. | |
COMMIT_MESSAGE_SUMMARY=${COMMIT_MESSAGE_FULL%%$'\n'*} | |
# Send multi-line env var to GITHUB_ENV. | |
# github.event.head_commit.message and github.ref_name both rely on this event occurring on a push / merge | |
echo "SLACK_MESSAGE_RAW<<EOF" >> $GITHUB_ENV | |
echo "❌ ${{ github.workflow }} workflow failed: | |
- Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
- Branch: ${{ github.ref_name }} | |
- Message: ${COMMIT_MESSAGE_SUMMARY} | |
- Author: ${{ github.event.sender.login }}" >> $GITHUB_ENV | |
echo "EOF" >> $GITHUB_ENV | |
fi | |
- name: Notify Slack | |
# failure() ensures this runs even if the test eval step exits 1 | |
# FAILED_TESTS must also be checked to avoid running this step on cancellation due to the summary check above | |
if: ${{ failure() && env.FAILED_TESTS == 'true' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }} | |
id: slack | |
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
with: | |
# Escape entire message string to ensure valid JSON. If invalid, the notification will fail silently in CI. | |
payload: | | |
{ | |
"message": ${{ toJSON(env.SLACK_MESSAGE_RAW) }} | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.CONSUL_PROTECTED_BRANCH_TEST_SLACK_WEBHOOK }} |