36 changes: 36 additions & 0 deletions .github/workflows/go-tests.yml
@@ -0,0 +1,36 @@
---
name: Go Tests

on:
workflow_call:

permissions: {}

jobs:
go-tests:
name: Go Static Contract Tests
runs-on: ubuntu-latest

Contributor


nit: The job uses runs-on: ubuntu-latest. The sibling rust-tests.yml pins to ubuntu-24.04 to keep the apt package set stable and reproducible across runs. Once the Azure CLI install is switched to the apt keyring pattern, a future runner image upgrade could silently break lsb_release -cs resolution. Pinning makes that failure explicit rather than silent.

# Pinned to ubuntu-24.04 to keep apt package set stable across runs; revisit when bumping to next LTS.
runs-on: ubuntu-24.04

permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Contributor


nit: The checkout step omits persist-credentials: false. The majority of workflows in this repo set it, and the workflow-permissions convention example includes it. Since this job only reads files, there is no need to keep the GitHub token credential on disk for the entire job lifetime.

- name: Checkout repository
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    persist-credentials: false


- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: blueprints/full-single-node-cluster/tests/go.mod
cache-dependency-path: blueprints/full-single-node-cluster/tests/go.sum

- name: Install terraform-docs
shell: bash
run: ./scripts/install-terraform-docs.sh

- name: Install Azure CLI and Bicep
shell: bash
run: |
Comment on lines +28 to +31

Contributor


The Azure CLI install step uses curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash. This is a pipe-to-bash pattern from a URL shortener that cannot be pinned to a specific version, cannot be verified at build time, and violates the OSSF Scorecard pinned-dependencies requirement this repository explicitly enforces. The step also lacks set -euo pipefail, so a silent curl failure would not block the job.

The codebase already has the correct pattern in .github/workflows/docs-check-bicep.yml with a comment calling this out. Suggest replacing this step with that pattern:

- name: Install Azure CLI and Bicep
  shell: bash
  run: |
    set -euo pipefail
    AZ_CLI_INSTALL_VER="${AZ_CLI_VER:-2.67.0}"
    sudo apt-get update
    sudo apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg
    sudo mkdir -p /etc/apt/keyrings
    curl -sLS https://packages.microsoft.com/keys/microsoft.asc \
      | gpg --dearmor \
      | sudo tee /etc/apt/keyrings/microsoft.gpg >/dev/null
    sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
    AZ_REPO="$(lsb_release -cs)"
    echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ ${AZ_REPO} main" \
      | sudo tee /etc/apt/sources.list.d/azure-cli.list >/dev/null
    sudo apt-get update
    sudo apt-get install -y "azure-cli=${AZ_CLI_INSTALL_VER}-1~${AZ_REPO}"
    az bicep install

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az bicep install

- name: Run Go static contract tests
run: npm run go-test
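Review bot: The last step, `run: npm run go-test`, is the only run step in this job without `shell: bash`, and nothing before it installs Node dependencies (the steps are checkout, setup-go, terraform-docs, Azure CLI), so the job relies on whatever npm the runner image ships and on the script doing the right thing with the module whose go.mod/go.sum setup-go just cached. Either invoke the tests directly (`run: go test ./...` with `working-directory: blueprints/full-single-node-cluster/tests`) so the toolchain set up by setup-go is the one exercised, or add `shell: bash` plus an `npm ci` step if the script needs node_modules. Separately, `az bicep install` with no version fetches whichever Bicep release is current at run time; `az bicep install --version <tag>` pins it in the same spirit as the CLI version pin proposed in the comment above.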
16 changes: 16 additions & 0 deletions .github/workflows/matrix-folder-check.yml
Expand Up @@ -29,6 +29,7 @@
# - changesInApplications: true/false indicating if any Application folders have changed (when includeApplications=true)
# - changedApplicationFolders: JSON object with Application folder details for matrix strategy (when includeApplications=true)
# - changesInRust: true/false indicating if any Rust-related files have changed (gates the rust-tests workflow)
# - changesInGoContractTests: true/false indicating if static Go contract-test files have changed (gates the go-tests workflow)
#
# Usage Examples:
# ```yaml
Expand Down Expand Up @@ -150,6 +151,9 @@ on: # yamllint disable-line rule:truthy
changesInRust:
description: 'Whether any Rust-relevant files have changed (gates rust-tests)'
value: ${{ jobs.map-outputs.outputs.changesInRust }}
changesInGoContractTests:
description: 'Whether any static Go contract-test relevant files have changed (gates go-tests)'
value: ${{ jobs.map-outputs.outputs.changesInGoContractTests }}

permissions: {}

Expand All @@ -174,6 +178,7 @@ jobs:
changesInFuzzJs: ${{ steps.detect.outputs.changesInFuzzJs }}
changedFuzzJsFolders: ${{ steps.detect.outputs.changedFuzzJsFolders }}
changesInRust: ${{ steps.detect.outputs.changesInRust }}
changesInGoContractTests: ${{ steps.detect.outputs.changesInGoContractTests }}
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down Expand Up @@ -233,6 +238,11 @@ jobs:
'changedFuzzJsFolders={"folderName":[]}' >> $env:GITHUB_OUTPUT
}
"changesInRust=$($jsonData.rust.has_changes)" >> $env:GITHUB_OUTPUT
if ($jsonData.PSObject.Properties.Name -contains 'goContractTests') {
"changesInGoContractTests=$($jsonData.goContractTests.has_changes.ToString().ToLower())" >> $env:GITHUB_OUTPUT
} else {
"changesInGoContractTests=false" >> $env:GITHUB_OUTPUT
}

# Display results for debugging
Write-Host "Detection results:"
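Review bot: The `else` branch that writes `changesInGoContractTests=false` when `goContractTests` is absent from `$jsonData` turns a detector/consumer mismatch (a renamed or dropped key) into a silent disable: pr-validation gates go-tests on the string `'true'`, so the job would simply never run on pull requests and nobody would notice. Emit at least a `Write-Warning` or a `::warning::` annotation in that branch. Also, `$jsonData.goContractTests.has_changes.ToString().ToLower()` throws "You cannot call a method on a null-valued expression" if the key exists but `has_changes` does not; `([string]$jsonData.goContractTests.has_changes).ToLower()` is null-safe and still normalises `True`/`False` to lower case. The sibling `changesInRust` line writes the raw value with no such normalisation, so if that value is a PowerShell boolean it renders as `True`; applying the same cast there keeps the two outputs comparable with `'true'`.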
Expand All @@ -250,6 +260,11 @@ jobs:
Write-Host "Fuzz JS changes: $($jsonData.fuzz.js.has_changes)"
}
Write-Host "Rust changes: $($jsonData.rust.has_changes)"
if ($jsonData.PSObject.Properties.Name -contains 'goContractTests') {
Write-Host "Go contract test changes: $($jsonData.goContractTests.has_changes)"
} else {
Write-Host "Go contract test changes: false"
}

# Map outputs from the detection job to maintain backward compatibility
map-outputs:
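Review bot: The `PSObject.Properties.Name -contains 'goContractTests'` check is repeated verbatim from the output-writing block above, and the debug line prints the raw `has_changes` while the exported output is lower-cased, so the two can drift. Compute the normalised value once into a variable (for example `$goChanges`) and use it for both the `>> $env:GITHUB_OUTPUT` line and the `Write-Host "Go contract test changes: ..."` line, so what is logged is exactly what downstream jobs see.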
Expand All @@ -272,6 +287,7 @@ jobs:
changesInFuzzJs: ${{ needs.detect-changes.outputs.changesInFuzzJs }}
changedFuzzJsFolders: ${{ needs.detect-changes.outputs.changedFuzzJsFolders }}
changesInRust: ${{ needs.detect-changes.outputs.changesInRust }}
changesInGoContractTests: ${{ needs.detect-changes.outputs.changesInGoContractTests }}
steps:
- name: Map outputs for backward compatibility
run: echo "Mapping outputs from detection job for backward compatibility"
11 changes: 11 additions & 0 deletions .github/workflows/pr-validation.yml
Expand Up @@ -251,6 +251,16 @@ jobs:
uses: ./.github/workflows/rust-tests.yml
secrets: inherit

# Static Go contract tests for full-single-node-cluster blueprint outputs
go-tests:
name: Go Tests
needs: [matrix-changes]
if: github.event_name != 'pull_request' || needs.matrix-changes.outputs.changesInGoContractTests == 'true'
permissions:
contents: read
uses: ./.github/workflows/go-tests.yml
secrets: inherit

# Dependency advisory audit (cargo-audit + govulncheck) for PRs
dep-audit:
name: Dependency Audit
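Review bot: `secrets: inherit` hands every repository secret to go-tests.yml, but that workflow's `workflow_call` trigger declares no `secrets:` inputs, it starts from `permissions: {}`, and the job needs only `contents: read` to run static tests; drop `secrets: inherit` from the go-tests job so a reusable workflow that does not need credentials never receives them. Because the job is conditional on `needs.matrix-changes.outputs.changesInGoContractTests == 'true'`, the aggregating job that lists `go-tests` under `needs:` further down must run with `if: always()` or `!cancelled()` and accept a `skipped` result, otherwise a PR that touches no Go contract tests would skip the downstream gate as well.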
Expand Down Expand Up @@ -406,6 +416,7 @@ jobs:
- aio-version-check
- rust-clippy
- rust-tests
- go-tests
- dep-audit
- fuzz
- matrix-changes
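The three reviewer comments on go-tests.yml above raise points that are all mechanically checkable: a floating `runs-on` label, a checkout step without `persist-credentials: false`, an unpinned action reference, and a `curl | sudo bash` install inside a `run: |` block that never sets `set -euo pipefail`. The script below is an added example, not code from this PR or repository: a stdlib-only, line-based linter that applies those checks to workflow text. `WEAK_WORKFLOW` is constructed from the go-tests.yml hunk above, re-indented as YAML, with `setup-go` deliberately left at a tag (the real diff pins it to a SHA) so the pin rule has something to catch; `HARDENED_STEPS` is a constructed fragment applying the reviewers' suggestions. The rule names, the `Finding` type and the helper functions are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: go-tests.yml from the diff, re-indented. setup-go is
# deliberately left at a tag (the real diff pins a SHA) to exercise the pin rule.
WEAK_WORKFLOW = """\
name: Go Tests
on:
  workflow_call:
permissions: {}
jobs:
  go-tests:
    name: Go Static Contract Tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@v6
      - name: Install Azure CLI and Bicep
        shell: bash
        run: |
          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
          az bicep install
      - name: Run Go static contract tests
        run: npm run go-test
"""

# Constructed fragment applying the reviewers' suggestions; should lint clean.
HARDENED_STEPS = """\
jobs:
  go-tests:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Azure CLI
        run: |
          set -euo pipefail
          sudo apt-get install -y "azure-cli=2.67.0-1~noble"
"""

SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")                     # full commit SHA after '@'
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUNS_ON = re.compile(r"^\s*runs-on:\s*(\S+)")
RUN_BLOCK = re.compile(r"^\s*(?:-\s+)?run:\s*\|")              # multi-line run: block
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba)?sh\b")
STRICT_MODE = re.compile(r"^\s*set\s+-[a-z]*e")                # set -e / set -euo pipefail
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*false\b")


@dataclass
class Finding:
    line: int  # 1-based line number in the workflow text
    rule: str
    message: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _key_col(line: str) -> int:
    """Column of the YAML key, skipping a leading '- ' list marker."""
    col = _indent(line)
    return col + 2 if line.lstrip(" ").startswith("- ") else col


def _node_body(lines, i, min_indent):
    """Indices after lines[i] that still belong to its node: blank lines or
    lines indented deeper than min_indent."""
    j = i + 1
    while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > min_indent):
        j += 1
    return range(i + 1, j)


def lint_workflow(text: str) -> list[Finding]:
    """Apply the review checks to workflow text; findings come back in line order."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        n = i + 1
        if m := USES.match(line):
            ref = m.group(1)
            if not ref.startswith("./") and not SHA_PIN.search(ref):
                out.append(Finding(n, "unpinned-action", f"{ref} not pinned to a commit SHA"))
            # The step's other keys (with:, ...) sit at the same column as uses:
            step = _node_body(lines, i, _key_col(line) - 1)
            if ref.startswith("actions/checkout@") and not any(NO_PERSIST.match(lines[j]) for j in step):
                out.append(Finding(n, "checkout-persists-token", "set persist-credentials: false"))
        elif (m := RUNS_ON.match(line)) and m.group(1).endswith("-latest"):
            out.append(Finding(n, "floating-runner", f"{m.group(1)} drifts; pin the image"))
        elif RUN_BLOCK.match(line):
            body = _node_body(lines, i, _key_col(line))
            if not any(STRICT_MODE.match(lines[j]) for j in body):
                out.append(Finding(n, "no-strict-mode", "multi-line run: lacks set -euo pipefail"))
            out += [Finding(j + 1, "pipe-to-shell", "remote script piped into a shell")
                    for j in body if PIPE_TO_SHELL.search(lines[j])]
    return out
```

Running `lint_workflow(WEAK_WORKFLOW)` reports the five points the reviewers raised (floating runner, checkout keeping the token, the unpinned action, the run block without strict mode, and the pipe-to-shell line), while `HARDENED_STEPS` lints clean. The checks are deliberately textual so they run without PyYAML; they complement the OSSF Scorecard pinned-dependencies check rather than replace it, and the pipe-to-shell rule only fires when curl or wget output feeds `sh`/`bash`, so the keyring pattern from the comment above (curl piped into `gpg --dearmor`) passes as intended.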