From cb1d81083f1c57751344dda73f48ecd745d39ab8 Mon Sep 17 00:00:00 2001
From: Giuseppe Guerra
Date: Thu, 18 Dec 2025 17:58:02 +0100
Subject: [PATCH 01/25] feat(ci): Go caching improvements
---
 .github/workflows/ci.yml | 64 +++++++++++++++++++----
 actions/internal/plugins/setup/action.yml | 63 +++++++++++++++-------
 2 files changed, 100 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c34e157..7f97f7e7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -397,20 +397,66 @@ jobs: env: INPUT_TESTING: ${{ inputs.testing }} + - name: Determine Go and Node versions + id: tooling-versions + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const fs = require('fs'); + + const PLUGIN_DIRECTORY = process.env['PLUGIN_DIRECTORY'] || '.'; + const GO_VERSION = process.env['GO_VERSION']; + const NODE_VERSION = process.env['NODE_VERSION']; + + const DEFAULT_GO_VERSION = process.env['DEFAULT_GO_VERSION']; + const DEFAULT_NODE_VERSION = process.env['DEFAULT_NODE_VERSION']; + + // Both Go and Node versions are determined as follows: + // 1. If explicitly provided as input, use that + // 2. If a version file (.nvmrc/go.mod) exists in the plugin directory, use that + // 3. Otherwise, use the workflow-level default version + + let goVersion = ''; + let goVersionFile = ''; + if (GO_VERSION) { + goVersion = GO_VERSION; + } else if (fs.existsSync(`${PLUGIN_DIRECTORY}/go.mod`)) { + goVersionFile = `${PLUGIN_DIRECTORY}/go.mod`; + } else { + goVersion = DEFAULT_GO_VERSION; + } + + let nodeVersion = ''; + let nodeVersionFile = ''; + if (NODE_VERSION) { + nodeVersion = NODE_VERSION; + } else if (fs.existsSync(`${PLUGIN_DIRECTORY}/.nvmrc`)) { + nodeVersionFile = `${PLUGIN_DIRECTORY}/.nvmrc`; + } else { + nodeVersion = DEFAULT_NODE_VERSION; + } + + const o = { goVersion, goVersionFile, nodeVersion, nodeVersionFile }; + console.log("Tooling versions:", JSON.stringify(o)); + return o; + env: + PLUGIN_DIRECTORY: ${{ inputs.plugin-directory }} + GO_VERSION: ${{ inputs.go-version }} + NODE_VERSION: ${{ inputs.node-version }} + DEFAULT_GO_VERSION: ${{ env.DEFAULT_GO_VERSION }} + DEFAULT_NODE_VERSION: ${{ env.DEFAULT_NODE_VERSION }} + - name: Setup id: setup uses: grafana/plugin-ci-workflows/actions/internal/plugins/setup@main with: - # The priority to setup the node version is: - # 1. inputs.node-version - # 2. inputs.plugin-directory/.nvmrc - # 3. 
workflow-level DEFAULT_NODE_VERSION - node-version: ${{ inputs.node-version || (hashFiles(format('{0}/.nvmrc', inputs.plugin-directory)) == '' && env.DEFAULT_NODE_VERSION || '') }} - node-version-file: ${{ inputs.plugin-directory }}/.nvmrc - go-version: ${{ inputs.go-version || env.DEFAULT_GO_VERSION }} - golangci-lint-version: ${{ inputs.golangci-lint-version || env.DEFAULT_GOLANGCI_LINT_VERSION }} - go-setup-caching: ${{ inputs.go-setup-caching }} plugin-directory: ${{ inputs.plugin-directory }} + node-version: ${{ fromJson(steps.tooling-versions.outputs.result).nodeVersion }} + node-version-file: ${{ fromJson(steps.tooling-versions.outputs.result).nodeVersionFile }} + go-version: ${{ fromJson(steps.tooling-versions.outputs.result).goVersion }} + go-version-file: ${{ fromJson(steps.tooling-versions.outputs.result).goVersionFile }} + go-setup-caching: ${{ inputs.go-setup-caching }} + golangci-lint-version: ${{ inputs.golangci-lint-version || env.DEFAULT_GOLANGCI_LINT_VERSION }} - name: Get secrets from Vault id: get-secrets diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index 24b928ef..629c8655 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml 
@@ -2,27 +2,42 @@ name: Plugins - Setup description: Sets up the environment for building and testing the plugin. inputs: + plugin-directory: + description: | + Directory of the plugin, if not in the root of the repository. + required: false + default: . go-version: - description: Go version to use. - required: true - node-version: - description: Node.js version to use. - required: true - golangci-lint-version: - description: golangci-lint version to use. - required: true + description: | + Go version to use. + Either go-version or go-version-file should be provided. + required: false + default: "" + go-version-file: + description: | + File containing the Go version to use (usually `go.mod`). + Either go-version or go-version-file should be provided. + required: false + default: "" go-setup-caching: description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs) required: false - default: true - node-version-file: - description: Node.js version file to use. + default: "true" + node-version: + description: | + Node.js version to use. + Either node-version or node-version-file should be provided. required: false default: "" - plugin-directory: - description: Directory of the plugin, if not in the root of the repository. + node-version-file: + description: | + File containing the Node.js version file to use (usually `.nvmrc`). + Either node-version or node-version-file should be provided. required: false - default: . + default: "" + golangci-lint-version: + description: golangci-lint version to use. + required: true runs: using: composite 
@@ -34,12 +49,11 @@ runs: working-directory: ${{ inputs.plugin-directory }} - name: Install pnpm - if: steps.package-manager.outputs.name == 'pnpm' + if: ${{ steps.package-manager.outputs.name == 'pnpm' }} uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: ${{ steps.package-manager.outputs.version }} - - name: Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: @@ -67,16 +81,29 @@ runs: uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version: "${{ inputs.go-version }}" - cache: ${{ inputs.go-setup-caching }} + go-version-file: "${{ inputs.go-version-file }}" + cache: ${{ inputs.go-setup-caching == 'true' }} + cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} + + - name: Cache Go tooling + id: cache + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 + with: + path: | + /root/go/bin/golangci-lint + /root/go/bin/mage + key: go-tools-${{ inputs.go-version }}-${{ inputs.golangci-lint-version }} - name: Mage + if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | go install github.com/magefile/mage@latest - name: golangci-lint + if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v${GOLANGCI_LINT_VERSION} env: - GOLANGCI_LINT_VERSION: ${{ inputs.golangci-lint-version }} + GOLANGCI_LINT_VERSION: ${{ inputs.golangci-lint-version }} \ No newline at end of file From a92c0dce56344fdcb71e201a502245909522e829 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:01:13 +0100 Subject: [PATCH 02/25] add missing new line --- actions/internal/plugins/setup/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index 629c8655..de92de99 100644 
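Review bot: The `Cache Go tooling` step added in the second hunk on this file (`@@ -67,16 +81,29 @@`) keys cached executables on version strings only, so the key does not record which runner OS or architecture built them, and on a hit both install steps are skipped and whatever was restored is what later steps execute. I would lead the key with the platform, `key: go-tools-${{ runner.os }}-${{ runner.arch }}-${{ inputs.go-version }}-${{ inputs.golangci-lint-version }}`; the same applies where this key is re-added or rewritten later in the series (PATCH 06, 15 and 21) and to the `trufflehog-${{ inputs.trufflehog-version }}` key in PATCH 08. Separately, the golangci-lint step in the context lines still pipes `install.sh` from the mutable `master` branch into `sh`, and with this change its result persists across runs; fetching the script from the release tag, as the Trufflehog action does with `v${TRUFFLEHOG_VERSION}`, would tie the cached binary to the version in the key, assuming golangci-lint ships `install.sh` under its version tags, which should be confirmed.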
--- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -106,4 +106,4 @@ runs: run: | curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v${GOLANGCI_LINT_VERSION} env: - GOLANGCI_LINT_VERSION: ${{ inputs.golangci-lint-version }} \ No newline at end of file + GOLANGCI_LINT_VERSION: ${{ inputs.golangci-lint-version }} From 132c2f329aa329d4b3821ea431ba7c4a17c5f9dd Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:01:43 +0100 Subject: [PATCH 03/25] revert go tooling cache --- actions/internal/plugins/setup/action.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index de92de99..bf0a1235 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -85,23 +85,12 @@ runs: cache: ${{ inputs.go-setup-caching == 'true' }} cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} - - name: Cache Go tooling - id: cache - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 - with: - path: | - /root/go/bin/golangci-lint - /root/go/bin/mage - key: go-tools-${{ inputs.go-version }}-${{ inputs.golangci-lint-version }} - - name: Mage - if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | go install github.com/magefile/mage@latest - name: golangci-lint - if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v${GOLANGCI_LINT_VERSION} From 3f0f3003959cae93a7c1872c53d3ef8b5ab32adf Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:02:28 +0100 Subject: [PATCH 04/25] revert go sum caching --- actions/internal/plugins/setup/action.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index bf0a1235..ef97c8fd 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -83,7 +83,6 @@ runs: go-version: "${{ inputs.go-version }}" go-version-file: "${{ inputs.go-version-file }}" cache: ${{ inputs.go-setup-caching == 'true' }} - cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} - name: Mage shell: bash From 08e986bf0e10085bc18c9b84dad29039b9ec4e9c Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:02:50 +0100 Subject: [PATCH 05/25] Revert "revert go sum caching" This reverts commit 3f0f3003959cae93a7c1872c53d3ef8b5ab32adf. --- actions/internal/plugins/setup/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index ef97c8fd..bf0a1235 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -83,6 +83,7 @@ runs: go-version: "${{ inputs.go-version }}" go-version-file: "${{ inputs.go-version-file }}" cache: ${{ inputs.go-setup-caching == 'true' }} + cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} - name: Mage shell: bash From 2803046a44c0cad3b9a1b9926d6f57aca7635aa9 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:04:33 +0100 Subject: [PATCH 06/25] Revert "revert go tooling cache" This reverts commit 132c2f329aa329d4b3821ea431ba7c4a17c5f9dd. --- actions/internal/plugins/setup/action.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index bf0a1235..de92de99 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml 
@@ -85,12 +85,23 @@ runs: cache: ${{ inputs.go-setup-caching == 'true' }} cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} + - name: Cache Go tooling + id: cache + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 + with: + path: | + /root/go/bin/golangci-lint + /root/go/bin/mage + key: go-tools-${{ inputs.go-version }}-${{ inputs.golangci-lint-version }} + - name: Mage + if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | go install github.com/magefile/mage@latest - name: golangci-lint + if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v${GOLANGCI_LINT_VERSION} From 2d50ae9e27b8ea646c30ba3c3ba34689a0498124 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:09:26 +0100 Subject: [PATCH 07/25] test(act): better cache warmup, removed rsync from package step --- actions/internal/plugins/package/package.sh | 15 +++++++----- actions/internal/plugins/setup/action.yml | 18 +++++++++----- tests/act/main_test.go | 27 ++++++++++++--------- 3 files changed, 37 insertions(+), 23 deletions(-) diff --git a/actions/internal/plugins/package/package.sh b/actions/internal/plugins/package/package.sh index e35dc234..d5e2f766 100755 --- a/actions/internal/plugins/package/package.sh +++ b/actions/internal/plugins/package/package.sh 
@@ -106,15 +106,18 @@ for file in $(find "$backend_folder" -type f -name "${exe_basename}_*"); do # Temporary folder for the zip file tmp=$(mktemp -d) pushd $tmp > /dev/null - - # Copy all files but the executables mkdir -p "$plugin_id" - rsync -a --exclude "${exe_basename}*" "$dist/" "$plugin_id" - # TODO: this instead of rsync - # find "$dist" -type f ! -name "${exe_basename}*" -exec cp --parents {} "$plugin_id" \; + + # Copy all files but the executables, preserving permissions and mod times (simialr to rsync) + pushd "$dist" > /dev/null + # -name "${exe_basename}*" -prune: Ignore (prune) all executables + # -o -type f -print: OR, print file name + # Copy with cp, preserving permissions and create any required parent directories to the dest folder + find . -name "${exe_basename}*" -prune -o -type f -print0 | xargs -0 cp -p --parents -t "$tmp/$plugin_id" + popd > /dev/null # Copy only the current executable - cp "$dist/$file" "$plugin_id/$backend_folder" + cp "$dist/$file" "$tmp/$plugin_id/$backend_folder" os_arch_zip_fn="$plugin_id-$plugin_version.$os_arch.zip" echo "Creating package: $os_arch_zip_fn" diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index de92de99..a74c82ad 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -7,6 +7,13 @@ inputs: Directory of the plugin, if not in the root of the repository. required: false default: . + act-cache-warmup: + description: | + If true, run in a simplified mode for caching Node/Go tooling before running any tests with `act`. + This will not attempt to detect the package manager or cache the plugin's dependencies. + This should only be used when testing with `act`. + required: false + default: "false" go-version: description: | Go version to use. 
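Review bot: The `find … | xargs -0 cp -p --parents -t` pipeline in this package.sh hunk is not a drop-in for the removed `rsync -a --exclude`: it copies regular files only, so symlinks and directories left empty after pruning are no longer created under `$tmp/$plugin_id`. That affects the following `cp "$dist/$file" "$tmp/$plugin_id/$backend_folder"`, which, if `$backend_folder` held nothing but executables, would write a file named after the folder (or fail) instead of placing the binary inside it; a `mkdir -p "$tmp/$plugin_id/$backend_folder"` before that `cp` removes the dependency. GNU `xargs` also runs `cp` once when `find` prints nothing, which ends in a missing-operand error, so `xargs -0 -r cp -p --parents -t "$tmp/$plugin_id"` is safer. How `$backend_folder` and `$dist` are set is outside the hunk, so the first case is inferred rather than confirmed.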
@@ -43,13 +50,14 @@ runs: using: composite steps: - name: Detect package manager + if: ${{ inputs.act-cache-warmup != 'true' }} id: package-manager uses: grafana/plugin-actions/package-manager-detect@package-manager-detect/v1.0.1 with: working-directory: ${{ inputs.plugin-directory }} - name: Install pnpm - if: ${{ steps.package-manager.outputs.name == 'pnpm' }} + if: ${{ inputs.act-cache-warmup != 'true' && steps.package-manager.outputs.name == 'pnpm' }} uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: ${{ steps.package-manager.outputs.version }} @@ -59,8 +67,8 @@ runs: with: node-version: "${{ inputs.node-version }}" node-version-file: "${{ inputs.node-version-file }}" - cache: ${{ steps.package-manager.outputs.name }} - cache-dependency-path: ${{ steps.package-manager.outputs.lockFilePath }} + cache: ${{ inputs.act-cache-warmup != 'true' && steps.package-manager.outputs.name || '' }} + cache-dependency-path: ${{ inputs.act-cache-warmup != 'true' && steps.package-manager.outputs.lockFilePath }} # Install additional dependencies that are not built-in to the slim act image # but are included in the default GitHub Actions runner image and are needed for plugin-ci-workflows. @@ -74,8 +82,6 @@ runs: if ! command -v yarn >/dev/null 2>&1; then npm install -g yarn fi - apt-get update - apt-get install -y rsync - name: Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 @@ -83,7 +89,7 @@ runs: go-version: "${{ inputs.go-version }}" go-version-file: "${{ inputs.go-version-file }}" cache: ${{ inputs.go-setup-caching == 'true' }} - cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} + cache-dependency-path: ${{ inputs.act-cache-warmup != 'true' && format('{0}/go.sum', inputs.plugin-directory) || '' }} - name: Cache Go tooling id: cache diff --git a/tests/act/main_test.go b/tests/act/main_test.go index 337e0f18..b64be74f 100644 --- a/tests/act/main_test.go 
+++ b/tests/act/main_test.go @@ -35,6 +35,12 @@ func TestMain(m *testing.M) { panic(err) } + // Read ci.yml to get the default tooling versions, so we can warm up the cache + ciWf, err := workflow.NewBaseWorkflowFromFile(filepath.Join(".github", "workflows", "ci.yml")) + if err != nil { + panic(err) + } + // Warm up act-toolcache volume, otherwise we get weird errors // when running the "setup/*" actions in parallel tests since they // all share the same act-toolcache volume. @@ -57,24 +63,23 @@ func TestMain(m *testing.M) { // DEFAULT_GO_VERSION and DEFAULT_NODE_VERSION Steps: []workflow.Step{ { - Name: "Setup Go", - Uses: "actions/setup-go@v6.1.0", + Name: "Warm up tooling", + Uses: "grafana/plugin-ci-workflows/actions/internal/plugins/setup@main", With: map[string]any{ - "go-version": "1.25", + "go-version": ciWf.Env["DEFAULT_GO_VERSION"], + "node-version": ciWf.Env["DEFAULT_NODE_VERSION"], + "golangci-lint-version": ciWf.Env["DEFAULT_GOLANGCI_LINT_VERSION"], + "act-cache-warmup": "true", }, }, { - Name: "Setup Node.js", - Uses: "actions/setup-node@v4.4.0", + Name: "Warm up Trufflehog", + Uses: "grafana/plugin-ci-workflows/actions/internal/plugins/trufflehog@main", With: map[string]any{ - "node-version": "24", + "trufflehog-version": ciWf.Env["DEFAULT_TRUFFLEHOG_VERSION"], + "setup-only": "true", }, }, - { - Name: "Install yarn", - Run: "npm install -g yarn", - Shell: "bash", - }, }, }, }, From 989d73fe95715115bae1ac375bb9dcde22f281c5 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:11:23 +0100 Subject: [PATCH 08/25] cache trufflehog binary --- .../internal/plugins/trufflehog/action.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/actions/internal/plugins/trufflehog/action.yml b/actions/internal/plugins/trufflehog/action.yml index 6b3553ee..a1f9de21 100644 --- a/actions/internal/plugins/trufflehog/action.yml +++ b/actions/internal/plugins/trufflehog/action.yml 
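Review bot: The warm-up step in the second hunk (`@@ -57,24 +63,23 @@`) passes `ciWf.Env["DEFAULT_GO_VERSION"]` and its siblings straight into `With` without checking that the keys exist, so renaming or removing one of those variables in ci.yml would hand the setup and Trufflehog actions an empty version instead of failing in `TestMain`. A presence check over the four names before the workflow is built, e.g. `if _, ok := ciWf.Env[k]; !ok { panic("ci.yml env is missing " + k) }`, keeps the warm-up pinned to the versions CI actually uses. The type of `ciWf.Env` is declared outside this diff, so the exact form of the check may need adjusting; the `DEFAULT_MAGE_VERSION` lookup added in PATCH 17 has the same shape.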
@@ -10,7 +10,7 @@ inputs: description: | Folder containing plugin zip files to scan. It will be scanned recursively. - required: true + required: false include-detectors: description: | Comma-separated list of detector types to include. @@ -26,21 +26,34 @@ inputs: This value will be passed via the `--exclude-detectors` option to Trufflehog. If not provided, the flag is not passed. required: false + setup-only: + description: If true, only sets up Trufflehog without running it. + required: false + default: "false" runs: using: composite steps: + - name: Cache Trufflehog binary + id: cache + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 + with: + path: /usr/local/bin/trufflehog + key: trufflehog-${{ inputs.trufflehog-version }} + - name: Install Trufflehog + if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/v${TRUFFLEHOG_VERSION}/scripts/install.sh | bash -s -- "v${TRUFFLEHOG_VERSION}" + curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/v${TRUFFLEHOG_VERSION}/scripts/install.sh | bash -s -- -b /usr/local/bin "v${TRUFFLEHOG_VERSION}" env: TRUFFLEHOG_VERSION: ${{ inputs.trufflehog-version }} - name: Run Trufflehog + if: ${{ inputs.setup-only != 'true' }} shell: bash run: | - ./bin/trufflehog filesystem "${FOLDER}" \ + /usr/local/bin/trufflehog filesystem "${FOLDER}" \ --no-update --fail --github-actions \ --results=verified,unknown \ --include-detectors="${INCLUDE_DETECTORS}" \ From 749ca79b3cb41c44510ac4cb4e07a21550df8cec Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:18:53 +0100 Subject: [PATCH 09/25] Update .github/workflows/ci.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7f97f7e7..941cae7f 100644 
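Review bot: After a cache hit in the second hunk (`@@ -26,21 +26,34 @@`), `Install Trufflehog` is skipped and `Run Trufflehog` executes whatever was restored to `/usr/local/bin/trufflehog`, with nothing confirming that it is the requested release or that it runs on this runner; for a secret scanner that gates the build, a stale or unusable binary should fail loudly rather than be trusted. A short check after the cache step, for example `/usr/local/bin/trufflehog --version 2>&1 | grep -F "${TRUFFLEHOG_VERSION}"`, would cover that. The install line also now writes to `/usr/local/bin`, which presumably needs a root job user, so it is worth confirming on every runner type this action is used with.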
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -420,7 +420,7 @@ jobs: let goVersionFile = ''; if (GO_VERSION) { goVersion = GO_VERSION; - } else if (fs.existsSync(`${PLUGIN_DIRECTORY}/go.mod`)) { + } else if (fs.existsSync(`${PLUGIN_DIRECTORY}/go.mod`)) { goVersionFile = `${PLUGIN_DIRECTORY}/go.mod`; } else { goVersion = DEFAULT_GO_VERSION; From 94c5ce032275d6a9d0030f4ebf35ff2131af34a7 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:19:01 +0100 Subject: [PATCH 10/25] Update .github/workflows/ci.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 941cae7f..59cdebcc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -430,7 +430,7 @@ jobs: let nodeVersionFile = ''; if (NODE_VERSION) { nodeVersion = NODE_VERSION; - } else if (fs.existsSync(`${PLUGIN_DIRECTORY}/.nvmrc`)) { + } else if (fs.existsSync(`${PLUGIN_DIRECTORY}/.nvmrc`)) { nodeVersionFile = `${PLUGIN_DIRECTORY}/.nvmrc`; } else { nodeVersion = DEFAULT_NODE_VERSION; From ada466e197457cd3667dddb44c06d40665894ab0 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:19:14 +0100 Subject: [PATCH 11/25] Update .github/workflows/ci.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59cdebcc..63058b8d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -415,7 +415,6 @@ jobs: // 1. If explicitly provided as input, use that // 2. If a version file (.nvmrc/go.mod) exists in the plugin directory, use that // 3. Otherwise, use the workflow-level default version - let goVersion = ''; let goVersionFile = ''; if (GO_VERSION) { From cd317723917d2c91f622409fae5c8d5190599885 Mon Sep 17 00:00:00 2001 
From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:20:30 +0100 Subject: [PATCH 12/25] Update actions/internal/plugins/setup/action.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/internal/plugins/setup/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index ef97c8fd..1845d742 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -31,7 +31,7 @@ inputs: default: "" node-version-file: description: | - File containing the Node.js version file to use (usually `.nvmrc`). + File containing the Node.js version to use (usually `.nvmrc`). Either node-version or node-version-file should be provided. required: false default: "" From 8880b8abcb9222b3dcb5c01373d32497430a7c84 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:26:57 +0100 Subject: [PATCH 13/25] Update actions/internal/plugins/setup/action.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/internal/plugins/setup/action.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index ef169b88..6bf94005 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml 
@@ -85,13 +85,18 @@ runs: cache: ${{ inputs.go-setup-caching == 'true' }} cache-dependency-path: ${{ format('{0}/go.sum', inputs.plugin-directory) || '' }} + - name: Determine Go bin directory + id: go-bin + shell: bash + run: echo "gobin=$(go env GOPATH)/bin" >> "$GITHUB_OUTPUT" + - name: Cache Go tooling id: cache uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | - /root/go/bin/golangci-lint - /root/go/bin/mage + ${{ steps.go-bin.outputs.gobin }}/golangci-lint + ${{ steps.go-bin.outputs.gobin }}/mage key: go-tools-${{ inputs.go-version }}-${{ inputs.golangci-lint-version }} - name: Mage From 3b41a55b416401d5982dc48867b2aa78123c3eee Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:27:36 +0100 Subject: [PATCH 14/25] Update actions/internal/plugins/trufflehog/action.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/internal/plugins/trufflehog/action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/actions/internal/plugins/trufflehog/action.yml b/actions/internal/plugins/trufflehog/action.yml index a1f9de21..ff3bae2a 100644 --- a/actions/internal/plugins/trufflehog/action.yml +++ b/actions/internal/plugins/trufflehog/action.yml @@ -53,6 +53,10 @@ runs: if: ${{ inputs.setup-only != 'true' }} shell: bash run: | + if [[ -z "${FOLDER}" ]]; then + echo "Error: 'folder' input is required when 'setup-only' is false." >&2 + exit 1 + fi /usr/local/bin/trufflehog filesystem "${FOLDER}" \ --no-update --fail --github-actions \ --results=verified,unknown \ From 79f293d3aa75e08254c183198ed84a693aff7146 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:29:25 +0100 Subject: [PATCH 15/25] pin mage --- actions/internal/plugins/setup/action.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index 6bf94005..c2b8afaf 100644 
--- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -38,6 +38,9 @@ inputs: golangci-lint-version: description: golangci-lint version to use. required: true + mage-version: + description: mage version to use. + required: true runs: using: composite @@ -97,13 +100,15 @@ runs: path: | ${{ steps.go-bin.outputs.gobin }}/golangci-lint ${{ steps.go-bin.outputs.gobin }}/mage - key: go-tools-${{ inputs.go-version }}-${{ inputs.golangci-lint-version }} + key: go-tools-go=${{ inputs.go-version }}-mage=${{ inputs.mage-version }}-golangci-lint=${{ inputs.golangci-lint-version }} - name: Mage if: ${{ steps.cache.outputs.cache-hit != 'true' }} shell: bash run: | - go install github.com/magefile/mage@latest + go install github.com/magefile/mage@${MAGE_VERSION} + env: + MAGE_VERSION: ${{ inputs.mage-version }} - name: golangci-lint if: ${{ steps.cache.outputs.cache-hit != 'true' }} From e72828024dc919a0e817dc8f7fa491be0fc503f0 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:30:16 +0100 Subject: [PATCH 16/25] pass mage-version from ci workflow --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 63058b8d..e5f296d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -290,6 +290,7 @@ env: DEFAULT_GO_VERSION: "1.25" DEFAULT_GOLANGCI_LINT_VERSION: "2.7.2" DEFAULT_TRUFFLEHOG_VERSION: "3.91.0" + DEFAULT_MAGE_VERSION: "v1.15.0" GCS_ARTIFACTS_BUCKET: integration-artifacts VAULT_INSTANCE: ops @@ -456,6 +457,7 @@ jobs: go-version-file: ${{ fromJson(steps.tooling-versions.outputs.result).goVersionFile }} go-setup-caching: ${{ inputs.go-setup-caching }} golangci-lint-version: ${{ inputs.golangci-lint-version || env.DEFAULT_GOLANGCI_LINT_VERSION }} + mage-version: ${{ inputs.mage-version || env.DEFAULT_MAGE_VERSION }} - name: Get secrets from Vault id: get-secrets 
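Review bot: The new `mage-version` input (first hunk, `@@ -38,6 +38,9 @@`) is documented only as "mage version to use.", yet the value is substituted verbatim into `go install github.com/magefile/mage@${MAGE_VERSION}`, so it has to carry the `v` prefix, as `DEFAULT_MAGE_VERSION: "v1.15.0"` in the ci.yml hunk does. The neighbouring golangci-lint and Trufflehog versions are given without the prefix and get `v` added in their scripts, so a caller following that pattern would pass `1.15.0` and the install would most likely fail. I would state the format in the description, e.g. `description: mage version to use, including the "v" prefix (e.g. v1.15.0).`, or normalise the prefix in the `Mage` step.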
From 436dda919ceadba690224868e988b0cf5c51da10 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:32:45 +0100 Subject: [PATCH 17/25] read mage version from ci.yml and pass it to act cache warmup workflow --- tests/act/main_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/act/main_test.go b/tests/act/main_test.go index b64be74f..d71b3c65 100644 --- a/tests/act/main_test.go +++ b/tests/act/main_test.go @@ -59,8 +59,6 @@ func TestMain(m *testing.M) { "warmup": { Name: "Warm up tool cache", RunsOn: "ubuntu-arm64-small", - // TODO: we should read the go-version and node-version from ci.yml: - // DEFAULT_GO_VERSION and DEFAULT_NODE_VERSION Steps: []workflow.Step{ { Name: "Warm up tooling", @@ -69,6 +67,7 @@ func TestMain(m *testing.M) { "go-version": ciWf.Env["DEFAULT_GO_VERSION"], "node-version": ciWf.Env["DEFAULT_NODE_VERSION"], "golangci-lint-version": ciWf.Env["DEFAULT_GOLANGCI_LINT_VERSION"], + "mage-version": ciWf.Env["DEFAULT_MAGE_VERSION"], "act-cache-warmup": "true", }, }, From 63b1dfdeff9b49df3028297749741ccb15d3994c Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:34:40 +0100 Subject: [PATCH 18/25] update trufflehog action input descriptions --- actions/internal/plugins/trufflehog/action.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/actions/internal/plugins/trufflehog/action.yml b/actions/internal/plugins/trufflehog/action.yml index ff3bae2a..74ee18ad 100644 --- a/actions/internal/plugins/trufflehog/action.yml +++ b/actions/internal/plugins/trufflehog/action.yml @@ -10,6 +10,7 @@ inputs: description: | Folder containing plugin zip files to scan. It will be scanned recursively. + This input is required unless `setup-only` is set to true. required: false include-detectors: description: | 
@@ -27,7 +28,9 @@ inputs: If not provided, the flag is not passed. required: false setup-only: - description: If true, only sets up Trufflehog without running it. + description: | + If true, only sets up Trufflehog without running it. + If true, the `folder` input is not required and will be ignored. required: false default: "false" From bc1cba0a6bc8217b14e735cfa01faff63cd2d827 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:36:28 +0100 Subject: [PATCH 19/25] add mage-version input to ci.yml --- .github/workflows/ci.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e5f296d6..c22f9da4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,15 +30,19 @@ on: description: golangci-lint version to use type: string required: false - go-setup-caching: - description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs)olangci-lint version to use - type: boolean + mage-version: + description: Mage version to use + type: string required: false - default: true trufflehog-version: description: Trufflehog version to use type: string required: false + go-setup-caching: + description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs)olangci-lint version to use + type: boolean + required: false + default: true # Build options. plugin-directory: From bfa3367cd71daee3246680bb12688fd35042fd20 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:37:07 +0100 Subject: [PATCH 20/25] pass mage-version from cd.yml --- .github/workflows/cd.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 6fc27805..221108de 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
@@ -60,14 +60,18 @@ on: description: golangci-lint version to use type: string required: false - go-setup-caching: - description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs) - type: "boolean" + mage-version: + description: Mage version to use + type: string required: false trufflehog-version: description: Trufflehog version to use type: string required: false + go-setup-caching: + description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs) + type: "boolean" + required: false # Build options. plugin-directory: @@ -421,6 +425,7 @@ jobs: go-setup-caching: ${{ inputs.go-setup-caching }} node-version: ${{ inputs.node-version }} golangci-lint-version: ${{ inputs.golangci-lint-version }} + mage-version: ${{ inputs.mage-version }} run-plugin-validator: ${{ inputs.run-plugin-validator }} plugin-validator-config: ${{ inputs.plugin-validator-config }} From 83f2d3af83ba484be0087d4352c06e9641c500cc Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:40:46 +0100 Subject: [PATCH 21/25] take go version for cache key from setup-go step output --- actions/internal/plugins/setup/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index c2b8afaf..6177cfbc 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -81,6 +81,7 @@ runs: apt-get install -y rsync - name: Go + id: go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version: "${{ inputs.go-version }}" 
@@ -100,7 +101,7 @@ runs: path: | ${{ steps.go-bin.outputs.gobin }}/golangci-lint ${{ steps.go-bin.outputs.gobin }}/mage - key: go-tools-go=${{ inputs.go-version }}-mage=${{ inputs.mage-version }}-golangci-lint=${{ inputs.golangci-lint-version }} + key: go-tools-go=${{ steps.go.outputs.go-version }}-mage=${{ inputs.mage-version }}-golangci-lint=${{ inputs.golangci-lint-version }} - name: Mage if: ${{ steps.cache.outputs.cache-hit != 'true' }} From 67413aaaf3242dc29cd5341ed98b0a2356023929 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:41:11 +0100 Subject: [PATCH 22/25] Update actions/internal/plugins/package/package.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/internal/plugins/package/package.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/internal/plugins/package/package.sh b/actions/internal/plugins/package/package.sh index d5e2f766..647fb06c 100755 --- a/actions/internal/plugins/package/package.sh +++ b/actions/internal/plugins/package/package.sh @@ -108,7 +108,7 @@ for file in $(find "$backend_folder" -type f -name "${exe_basename}_*"); do pushd $tmp > /dev/null mkdir -p "$plugin_id" - # Copy all files but the executables, preserving permissions and mod times (simialr to rsync) + # Copy all files but the executables, preserving permissions and mod times (similar to rsync) pushd "$dist" > /dev/null # -name "${exe_basename}*" -prune: Ignore (prune) all executables # -o -type f -print: OR, print file name From 713234e3e08ed6979129b59587f3fef45d8705a1 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:42:52 +0100 Subject: [PATCH 23/25] Update actions/internal/plugins/setup/action.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/internal/plugins/setup/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
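Review bot: In the `setup/action.yml` hunk at `@@ -100,7 +101,7 @@`, the `golangci-lint` and `mage` executables restored under the `go-tools-…` key are run without any check, because the `Mage` install step is skipped whenever `steps.cache.outputs.cache-hit` is `'true'`. Any run that is allowed to save an entry under this key therefore decides which binaries later runs execute, and `cd.yml` appears to reach this action through `ci.yml`. I would split the step into `actions/cache/restore` here plus an `actions/cache/save` that only runs on trusted refs, or skip the restore in release runs and install fresh. The `/usr/local/bin/trufflehog` cache in `actions/internal/plugins/trufflehog/action.yml`, touched later in this series, has the same shape. The `runs:` block continues outside the hunk.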
diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index 541a1ca0..58adf961 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -71,7 +71,7 @@ runs: node-version: "${{ inputs.node-version }}" node-version-file: "${{ inputs.node-version-file }}" cache: ${{ inputs.act-cache-warmup != 'true' && steps.package-manager.outputs.name || '' }} - cache-dependency-path: ${{ inputs.act-cache-warmup != 'true' && steps.package-manager.outputs.lockFilePath }} + cache-dependency-path: ${{ inputs.act-cache-warmup != 'true' && steps.package-manager.outputs.lockFilePath || '' }} # Install additional dependencies that are not built-in to the slim act image # but are included in the default GitHub Actions runner image and are needed for plugin-ci-workflows. From 55f98aff5f737ce1d88a2cc85c582ce538ffcf5f Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Thu, 18 Dec 2025 18:55:28 +0100 Subject: [PATCH 24/25] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- actions/internal/plugins/setup/action.yml | 2 +- actions/internal/plugins/trufflehog/action.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c22f9da4..8cbcb3a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,7 @@ on: type: string required: false go-setup-caching: - description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs)olangci-lint version to use + description: Defines if setup-go action should have caching enabled (https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs) type: boolean required: false default: true 
diff --git a/actions/internal/plugins/setup/action.yml b/actions/internal/plugins/setup/action.yml index 6177cfbc..f2cd48e7 100644 --- a/actions/internal/plugins/setup/action.yml +++ b/actions/internal/plugins/setup/action.yml @@ -101,7 +101,7 @@ runs: path: | ${{ steps.go-bin.outputs.gobin }}/golangci-lint ${{ steps.go-bin.outputs.gobin }}/mage - key: go-tools-go=${{ steps.go.outputs.go-version }}-mage=${{ inputs.mage-version }}-golangci-lint=${{ inputs.golangci-lint-version }} + key: go-tools-os=${{ runner.os }}-arch=${{ runner.arch }}-go=${{ steps.go.outputs.go-version }}-mage=${{ inputs.mage-version }}-golangci-lint=${{ inputs.golangci-lint-version }} - name: Mage if: ${{ steps.cache.outputs.cache-hit != 'true' }} diff --git a/actions/internal/plugins/trufflehog/action.yml b/actions/internal/plugins/trufflehog/action.yml index 74ee18ad..3de0dc45 100644 --- a/actions/internal/plugins/trufflehog/action.yml +++ b/actions/internal/plugins/trufflehog/action.yml @@ -42,7 +42,7 @@ runs: uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: /usr/local/bin/trufflehog - key: trufflehog-${{ inputs.trufflehog-version }} + key: trufflehog-${{ runner.os }}-${{ runner.arch }}-${{ inputs.trufflehog-version }} - name: Install Trufflehog if: ${{ steps.cache.outputs.cache-hit != 'true' }} From 89a9453200e91b0bd4bed3250b3ad7dce6c749e0 Mon Sep 17 00:00:00 2001 From: Giuseppe Guerra Date: Wed, 7 Jan 2026 14:41:52 +0100 Subject: [PATCH 25/25] Update actions/internal/plugins/package/package.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- actions/internal/plugins/package/package.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/internal/plugins/package/package.sh b/actions/internal/plugins/package/package.sh index 19d60617..e4b7e767 100755 --- a/actions/internal/plugins/package/package.sh +++ b/actions/internal/plugins/package/package.sh 
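Review bot: The new `go-tools-os=…` key in `setup/action.yml` still interpolates `inputs.mage-version` and `inputs.golangci-lint-version` as given, while the Go segment now uses the resolved `steps.go.outputs.go-version`. Both inputs are declared `required: false` with no default in the `ci.yml` hunk of this series, so if either reaches the action empty the segment collapses to `mage=` or `golangci-lint=`, and whatever was installed on the first miss keeps being served from cache. Whether defaults are filled in before this step is not visible here; if they are not, I would fail early on an empty value or key on the version that was actually installed. The same applies to `inputs.trufflehog-version` in the `trufflehog-${{ runner.os }}-…` key of the next hunk.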
@@ -111,7 +111,7 @@ for file in $(find "$backend_folder" -type f -name "${exe_basename}_*"); do # Copy all files but the executables, preserving permissions and mod times (similar to rsync) pushd "$dist" > /dev/null # -name "${exe_basename}*" -prune: Ignore (prune) all executables - # -o -type f -print: OR, print file name + # -o -type f -print0: OR, print file name (NUL-terminated) for use with xargs -0 # Copy with cp, preserving permissions and create any required parent directories to the dest folder find . -name "${exe_basename}*" -prune -o -type f -print0 | xargs -0 cp -p --parents -t "$tmp/$plugin_id" popd > /dev/null