diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml index 239cdbbbf..10bb55908 100644 --- a/.github/workflows/build_test_ci.yml +++ b/.github/workflows/build_test_ci.yml @@ -70,54 +70,6 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} slug: linode/cluster-api-provider-linode - - go-analyse: - needs: go-build-test - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - proxy.golang.org:443 - sum.golang.org:443 - objects.githubusercontent.com:443 - registry-1.docker.io:443 - auth.docker.io:443 - production.cloudflare.docker.com:443 - vuln.go.dev:443 - storage.googleapis.com:443 - - - uses: actions/checkout@v4 - - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - check-latest: true - - - name: Docker cache - uses: ScribeMD/docker-cache@0.5.0 - with: - key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }} - - - name: Lint - run: make lint - - - name: Gosec - run: make gosec - - - name: Vulncheck - continue-on-error: true - run: make vulncheck - - - name: Nilcheck - run: make nilcheck - e2e-test: needs: [go-build-test, docker-build] runs-on: ubuntu-latest diff --git a/.github/workflows/go-analyse.yml b/.github/workflows/go-analyse.yml new file mode 100644 index 000000000..fce66ea33 --- /dev/null +++ b/.github/workflows/go-analyse.yml 
@@ -0,0 +1,76 @@
+name: Go Analyse
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - "*"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ check-noop:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: dorny/paths-filter@v3
+ with:
+ predicate-quantifier: 'every'
+ filters: |
+ src:
+ - '!**/**.md'
+ - '!docs/**'
+ go-analyse:
+ needs: go-build-test
+ runs-on: ubuntu-latest
+ if: ${{ steps.filter.outputs.src == 'true' }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ objects.githubusercontent.com:443
+ registry-1.docker.io:443
+ auth.docker.io:443
+ production.cloudflare.docker.com:443
+ vuln.go.dev:443
+ storage.googleapis.com:443
+
+ - uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ check-latest: true
+
+ - name: lint
+ uses: golangci/golangci-lint-action@v4
+ with:
+ version: latest
+
+ - name: Nilcheck
+ run: make nilcheck
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ # we let the report trigger content trigger a failure using the GitHub Security features.
+ args: '-no-fail -fmt sarif -out scan-results.sarif ./...'
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: scan-results.sarif
+
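Review bot: The go-analyse job in the new workflow is mis-wired: `needs: go-build-test` names a job that lives in build_test_ci.yml (visible in the removed hunk), not in this file, and `if: ${{ steps.filter.outputs.src == 'true' }}` reads a step output from a different job, which a job-level `if` cannot see (the paths-filter step also has no `id: filter`), so the workflow will either fail validation or skip the job every run; the fix is to export the filter result as a job output of check-noop and gate on `needs.check-noop.outputs.src`. The upload-sarif step additionally needs `security-events: write`, which the `permissions` block does not grant, so the SARIF upload will be rejected (and it will not work for pull requests from forks, where the token is read-only regardless). `securego/gosec@master` is the one unpinned, mutable reference in a workflow that otherwise pins actions and runs harden-runner with an egress block; pin it to a release tag or commit SHA, and consider pinning `version: latest` on golangci-lint for reproducible results. The old job's `make vulncheck` step has no counterpart here, so govulncheck no longer runs anywhere even though `vuln.go.dev:443` is still in the egress allowlist; either add the step back or drop the endpoint. Note too that `branches: - "*"` does not match branch names containing `/`; `"**"` does.
```yaml
permissions:
  contents: read
  pull-requests: read
  security-events: write  # required by github/codeql-action/upload-sarif

jobs:
  check-noop:
    runs-on: ubuntu-latest
    outputs:
      src: ${{ steps.filter.outputs.src }}
    steps:
      - uses: dorny/paths-filter@v3
        id: filter
        # … unchanged: with / predicate-quantifier / filters …
  go-analyse:
    needs: check-noop
    if: ${{ needs.check-noop.outputs.src == 'true' }}
    # … unchanged: runs-on, harden-runner, checkout, setup-go, lint, nilcheck, gosec, upload-sarif …
```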