diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fa9952f..e5e3bb1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,10 +18,11 @@ jobs:
 name: Build & Test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
+ cache: false
 - name: Configure git for private modules
 run: git config --global url."https://${{ secrets.RELEASES_TOKEN }}@github.com/".insteadOf "https://github.com/"
 - run: go build ./...
@@ -33,11 +34,12 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
+ cache: false
 - name: Configure git for private modules
 run: git config --global url."https://${{ secrets.RELEASES_TOKEN }}@github.com/".insteadOf "https://github.com/"
 - name: Validate strict plugin contracts
- run: go run github.com/GoCodeAlone/workflow/cmd/wfctl@v0.64.3 plugin validate --file plugin.json --strict-contracts
+ run: go run github.com/GoCodeAlone/workflow/cmd/wfctl@v0.74.6 plugin validate --file plugin.json --strict-contracts
diff --git a/.github/workflows/iac-host-conformance.yml b/.github/workflows/iac-host-conformance.yml
index dbe8fbb..8f00fd8 100644
--- a/.github/workflows/iac-host-conformance.yml
+++ b/.github/workflows/iac-host-conformance.yml
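Review bot: In the first ci.yml hunk (Build & Test), the re-pinned `actions/checkout` step still runs with its default `persist-credentials: true`, so the job token stays configured for git while `go build ./...` and the later steps execute. Nothing visible in the hunk pushes or fetches with that credential, so I would add `with:` and `persist-credentials: false` under the checkout line; the same applies to the checkout in the second ci.yml hunk and in iac-host-conformance.yml. The new `cache: false` also deserves a one-line why-comment, for example `# do not restore or save the Go module/build cache in this job`, so it is not later reverted as an oversight. The job definition starts above the hunk, so its `permissions:` block, if any, is not visible here.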
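Review bot: In the second ci.yml hunk, `go run github.com/GoCodeAlone/workflow/cmd/wfctl@v0.74.6` resolves the tool by tag at run time, while release.yml in this same commit installs the same version only after comparing a SHA-256 digest, so the two workflows apply different integrity checks to one tool. Whether the Go checksum database covers this module depends on GOPRIVATE/GONOSUMDB settings that are not visible here. The step also runs after `RELEASES_TOKEN` has been written into the global git config, so whatever code that tag resolves to executes with the token readable. At minimum I would record the gap with a comment above the step, such as `# wfctl is resolved by tag here; release.yml verifies the same version by SHA-256`, and consider reusing the checksum-verified install in a follow-up.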
@@ -14,11 +14,12 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
+ cache: false
 - name: Configure Git for private repos
 env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c15ffdf..1965eca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
 # this public repo's release job indefinitely.
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
 # On push-tag, github.ref is refs/tags/; on workflow_dispatch,
@@ -37,18 +37,42 @@ jobs:
 - name: Configure git for private modules
 run: git config --global url."https://${{ secrets.RELEASES_TOKEN }}@github.com/".insteadOf "https://github.com/"
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
+ cache: false
- - uses: GoCodeAlone/setup-wfctl@v1
- with:
- version: v0.64.3
+ - name: Install wfctl v0.74.6
+ env:
+ GH_TOKEN: ${{ secrets.RELEASES_TOKEN || github.token }}
+ WFCTL_VERSION: v0.74.6
+ run: |
+ set -euo pipefail
+ runner_arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+ asset="wfctl-linux-${runner_arch}"
+ download_dir="$(mktemp -d)"
+ case "${asset}" in
+ wfctl-linux-amd64) expected_sha="e471470fbf82bcf9bb11de338b727b0c38b426c955f1740e0d6e88eca604436a" ;;
+ wfctl-linux-arm64) expected_sha="bf4525f2769d52336d9634a8d22baa8af3a981ed6be8a4a213c1aa8a4cf2c688" ;;
+ *) echo "::error::unsupported wfctl asset ${asset}"; exit 1 ;;
+ esac
+ gh release download "${WFCTL_VERSION}" \
+ --repo GoCodeAlone/workflow \
+ --pattern "${asset}" \
+ --dir "${download_dir}"
+ actual_sha="$(sha256sum "${download_dir}/${asset}" | awk '{print $1}')"
+ if [ "${actual_sha}" != "${expected_sha}" ]; then
+ echo "::error::wfctl checksum mismatch for ${asset}: expected ${expected_sha}, got ${actual_sha}"
+ exit 1
+ fi
+ mkdir -p "${RUNNER_TEMP}/wfctl-bin"
+ install -m 0755 "${download_dir}/${asset}" "${RUNNER_TEMP}/wfctl-bin/wfctl"
+ echo "${RUNNER_TEMP}/wfctl-bin" >> "$GITHUB_PATH"
 - name: Validate plugin contract for publish (pre-build)
 run: wfctl plugin validate-contract --for-publish --tag "${{ inputs.tag || github.ref_name }}" .
- - uses: goreleaser/goreleaser-action@v7
+ - uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
 distribution: goreleaser
 version: '~> v2'
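Review bot: The two `expected_sha` literals in the new "Install wfctl" step carry no record of where the digests came from, and the version is now written in both the step name and `WFCTL_VERSION`, so the next bump has nothing to check the new values against and the name can drift. I would add a comment above the `case`, such as `# SHA-256 of the GoCodeAlone/workflow release assets for WFCTL_VERSION; update both together`, and shorten the step name to `- name: Install wfctl`. A mismatch fails closed, which is the right default. Separately, the unchanged step after this one expands `${{ inputs.tag || github.ref_name }}` inside the `run:` line that calls the newly installed binary; passing the value through `env:` and using a quoted shell variable would keep a tag name from being parsed as shell.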
@@ -83,7 +107,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Publish GitHub release
- uses: actions/github-script@v7
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 github-token: ${{ secrets.RELEASES_TOKEN || github.token }}
 script: |
@@ -117,7 +141,7 @@ jobs:
 && github.repository == 'GoCodeAlone/workflow-plugin-azure'
 steps:
 - name: Trigger registry manifest sync
- uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
+ uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
 with:
 token: ${{ secrets.repo_dispatch_token }}
 repository: GoCodeAlone/workflow-registry
diff --git a/go.mod b/go.mod
index acea7cf..4d3746f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/GoCodeAlone/workflow-plugin-azure
-go 1.26.1
+go 1.26.4
 require (
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0