chore: pin GitHub Actions to commit shas BED-7914 #560
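# Build workflow for AzureHound.
#
# Jobs:
#   test         - runs the Go test suite on every push to main and every PR.
#   containerize - builds the multi-platform container image, uploads it as an
#                  OCI tarball artifact and, on pushes to main only, pushes it to
#                  GHCR and Amazon public ECR.
#   build        - cross-compiles per OS/arch binaries and, on pushes to main
#                  only, attaches them (with SHA-256 sums) to the "rolling"
#                  pre-release.
#
# Every third-party action is pinned to a full commit SHA; the trailing
# "ratchet:<owner>/<action>@<tag>" comment records the tag the SHA was resolved
# from so the pins can be refreshed by tooling. Steps that use secrets or
# publish anything are gated on the event not being a pull_request*, so fork
# PRs (which receive no secrets) never attempt a push.
name: Build

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Default the GITHUB_TOKEN to read-only for the whole workflow; each job below
# declares exactly what it needs. Without a top-level block the token inherits
# the repository-wide default, which may be read/write.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout only; nothing here writes back to GitHub
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # ratchet:actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true
      - name: Test
        run: go test ./...

  containerize:
    runs-on: ubuntu-latest
    # Listing any permission sets every unlisted one to "none", so contents:read
    # is spelled out rather than relying on checkout of a public repo working
    # without it. packages:write is only exercised by the push step on main.
    permissions:
      contents: read
      packages: write
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      - name: Login to GHCR
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # ratchet:docker/login-action@v4
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        # NOTE(review): this logs in with a long-lived PAT (PACKAGE_SCOPE) even
        # though the job already holds packages:write via GITHUB_TOKEN. If the
        # ghcr.io/bloodhoundad/azurehound package is owned by this repository,
        # username: ${{ github.actor }} / password: ${{ secrets.GITHUB_TOKEN }}
        # would remove the stored credential - confirm package ownership first.
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USER }}
          password: ${{ secrets.PACKAGE_SCOPE }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/configure-aws-credentials@v6
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        # NOTE(review): static IAM access keys. The same action supports OIDC
        # role assumption (role-to-assume + id-token: write on the job), which
        # would replace these long-lived secrets; it needs the role ARN, so it
        # is not changed here.
        with:
          aws-access-key-id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
          aws-region: 'us-east-1'
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # ratchet:aws-actions/amazon-ecr-login@v2
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # ratchet:docker/metadata-action@v6
        with:
          # On pull_request the ECR login step is skipped and its registry
          # output is empty, so the public ECR hostname is used as a fallback
          # (tags are computed but never pushed for PRs).
          images: |
            ghcr.io/bloodhoundad/azurehound
            ${{ steps.login-ecr.outputs.registry || 'public.ecr.aws' }}/production/azurehound
          tags: |
            type=edge,branch=main
            type=sha,prefix=edge-,format=short
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # ratchet:docker/setup-qemu-action@v4
      - name: Set up buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # ratchet:docker/setup-buildx-action@v4
      - name: Build Container Image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # ratchet:docker/build-push-action@v7
        with:
          context: .
          build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
          tags: azurehound # temporary tag to simplify oci conversion
          labels: ${{ steps.meta.outputs.labels }}
          push: false
          # NOTE(review): this build secret is mounted on pull_request builds as
          # well. Fork PRs receive an empty value, but a same-repo PR gets the
          # real PAT while building a PR-controlled Dockerfile. If PR builds do
          # not need it, guard it with the same non-pull_request condition.
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
          # Multi-platform builds can not be loaded into local Docker Daemon
          outputs: type=oci,dest=/tmp/oci-image.tar
      - name: Upload OCI tarball
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
        with:
          name: oci-image-tar
          path: /tmp/oci-image.tar
      - name: Push Image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # ratchet:docker/build-push-action@v7
        with:
          context: .
          build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # Rebuilds from the warm buildx cache; only pushes outside PRs.
          push: ${{ ! startsWith(github.event_name, 'pull_request') }}
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}

  build:
    runs-on: ubuntu-latest
    # The release step passes no explicit token, so it presumably falls back to
    # GITHUB_TOKEN and needs contents:write to update the "rolling" release
    # (confirm against the action's default). GitHub downgrades this to read
    # automatically for fork PRs.
    permissions:
      contents: write
    defaults:
      run:
        shell: bash
    strategy:
      matrix:
        os:
          - darwin
          - linux
          - windows
        arch:
          - amd64
          - arm64
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # ratchet:actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true
      - name: Generate Windows Resources
        if: matrix.os == 'windows'
        # Best effort: a failure here only drops the embedded Windows metadata;
        # the binary is still built and released.
        continue-on-error: true
        run: |
          echo "Generating Windows resources..."
          go run winres/generate-windows-resources/generate-windows-resources.go "v0.0.0-rolling+${{ github.sha }}"
      - name: Build
        # github.sha is a hex digest and matrix values are fixed literals, so
        # interpolating them into run: is not an expression-injection path.
        run: 'go build -ldflags="-s -w -X github.com/bloodhoundad/azurehound/v2/constants.Version=v0.0.0-rolling+${{ github.sha }}"'
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
      - name: Zip
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        run: 7z a -tzip -mx9 azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip azurehound*
      - name: Compute Checksum
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        run: sha256sum azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip > azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip.sha256
      - name: Update Rolling Release
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # ratchet:softprops/action-gh-release@v2
        with:
          name: Rolling Release (unstable)
          tag_name: rolling
          prerelease: true
          files: |
            azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip
            azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip.sha256
          body: |
            Rolling release of AzureHound compiled from source (${{ github.sha }})
            This is automatically kept up-to-date with the `${{ github.ref_name }}` ${{ github.ref_type }}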