Adjusted other endpoints for consistent behavior #3816

Workflow file for this run

.github/workflows/devguard-scanner.yaml at f4a3de8

	# DevSecOps Workflow Definition
	# This workflow is triggered on every push to the repository
	name: DevGuard-Workflow

	on:
	workflow_dispatch:
	push:

	jobs:
	golangci:
	name: lint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
	with:
	submodules: recursive
	persist-credentials: false
	- uses: cachix/install-nix-action@v31
	with:
	install_url: https://releases.nixos.org/nix/nix-2.34.4/install
	extra_nix_config: \|
	experimental-features = nix-command flakes
	substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
	trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
	- name: golangci-lint
	run: nix develop . --command golangci-lint run --timeout=30m

	tests:
	name: tests
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- name: Check out code
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
	with:
	submodules: recursive
	persist-credentials: false
	- uses: cachix/install-nix-action@v31
	with:
	install_url: https://releases.nixos.org/nix/nix-2.34.4/install
	extra_nix_config: \|
	experimental-features = nix-command flakes
	substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
	trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
	- name: Run unittests
	run: nix develop . --command bash -c "go test \$(go list ./... \| grep -v '/mocks') -coverprofile=coverage.out && go tool cover -func=coverage.out"
	- name: Archive code coverage results
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2
	with:
	name: code-coverage
	path: coverage.out


	code-scanning:
	uses: l3montree-dev/devguard-action/.github/workflows/code-scanning.yml@nix
	permissions:
	contents: read
	security-events: write
	with:
	asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
	api-url: https://api.main.devguard.org
	fail-on-risk: high
	fail-on-cvss: high
	web-ui: https://main.devguard.org
	continue-on-open-code-risk: true
	secrets:
	devguard-token: ${{ secrets.DEVGUARD_TOKEN }}


	api-pipeline:
	uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
	permissions:
	contents: read
	packages: write
	security-events: write
	with:
	nix-target-amd64: devguard-amd64
	nix-target-arm64: devguard-arm64
	nix-version: '2.34.4'
	image-name: ghcr.io/${{ github.repository }}
	asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
	api-url: https://api.main.devguard.org
	web-ui: https://main.devguard.org
	fail-on-cvss: high
	fail-on-risk: high
	nix-cache-substituter: https://nix.garage.l3montree.cloud
	nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
	nix-cache-s3-bucket: nix
	nix-cache-region: garage
	secrets:
	devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

	scanner-pipeline:
	needs: [tests]
	uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
	permissions:
	contents: read
	packages: write
	security-events: write
	with:
	nix-target-amd64: devguard-scanner-amd64
	nix-target-arm64: devguard-scanner-arm64
	nix-version: '2.34.4'
	image-name: ghcr.io/${{ github.repository }}/scanner
	artifact-name-suffix: scanner
	asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
	api-url: https://api.main.devguard.org
	web-ui: https://main.devguard.org
	fail-on-cvss: high
	fail-on-risk: high
	nix-cache-substituter: https://nix.garage.l3montree.cloud
	nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
	nix-cache-s3-bucket: nix
	nix-cache-region: garage
	secrets:
	devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

	postgresql-pipeline:
	uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
	permissions:
	contents: read
	packages: write
	security-events: write
	with:
	nix-target-amd64: postgresql-amd64
	nix-target-arm64: postgresql-arm64
	nix-version: '2.34.4'
	image-name: ghcr.io/${{ github.repository }}/postgresql
	artifact-name-suffix: postgresql
	asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
	api-url: https://api.main.devguard.org
	web-ui: https://main.devguard.org
	fail-on-cvss: high
	fail-on-risk: high
	nix-cache-substituter: https://nix.garage.l3montree.cloud
	nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
	nix-cache-s3-bucket: nix
	nix-cache-region: garage
	secrets:
	devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

	release:
	name: Build and Release Binaries
	runs-on: ubuntu-latest
	permissions:
	contents: write
	# needs: [golangci, tests, sign-scanner, devguard]
	if: startsWith(github.ref, 'refs/tags/') \|\| github.ref == 'refs/heads/test-release'
	outputs:
	tag: ${{ steps.tag.outputs.tag }}
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	persist-credentials: false

	- uses: cachix/install-nix-action@v31
	with:
	install_url: https://releases.nixos.org/nix/nix-2.34.4/install
	extra_nix_config: \|
	experimental-features = nix-command flakes
	substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
	trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=

	- name: Get tag
	id: tag
	run: \|
	if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
	echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
	echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
	else
	echo "tag=test-$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
	fi

	- name: Build cross-platform binaries
	run: \|
	nix develop . --command bash -c "
	mkdir -p dist

	BUILD_FLAGS=\"-s -w -buildid= -X main.version=${STEPS_TAG_OUTPUTS_TAG} -X main.commit=${{ github.sha }} -X main.date=\$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions\"

	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-linux-amd64 ./cmd/devguard-scanner
	GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-linux-arm64 ./cmd/devguard-scanner
	GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-windows-amd64.exe ./cmd/devguard-scanner
	GOOS=windows GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-windows-arm64.exe ./cmd/devguard-scanner
	GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-darwin-amd64 ./cmd/devguard-scanner
	GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-darwin-arm64 ./cmd/devguard-scanner
	"
	env:
	STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}

	- name: Create archives
	run: \|
	cd dist

	# Create tar.gz archives for Unix-like systems
	tar -czf devguard-scanner-linux-amd64.tar.gz devguard-scanner-linux-amd64
	tar -czf devguard-scanner-linux-arm64.tar.gz devguard-scanner-linux-arm64
	tar -czf devguard-scanner-darwin-amd64.tar.gz devguard-scanner-darwin-amd64
	tar -czf devguard-scanner-darwin-arm64.tar.gz devguard-scanner-darwin-arm64

	# Create zip archives for Windows
	zip devguard-scanner-windows-amd64.zip devguard-scanner-windows-amd64.exe
	zip devguard-scanner-windows-arm64.zip devguard-scanner-windows-arm64.exe

	# Remove individual binaries, keep archives
	rm -f devguard-scanner-linux-amd64 devguard-scanner-linux-arm64 devguard-scanner-darwin-amd64 devguard-scanner-darwin-arm64
	rm -f devguard-scanner-windows-amd64.exe devguard-scanner-windows-arm64.exe


	- name: Generate checksums
	run: \|
	cd dist
	sha256sum .tar.gz .zip > checksums.txt
	echo "Generated checksums for all release artifacts"

	- name: Sign release artifacts with devguard-scanner
	uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
	with:
	entrypoint: /bin/sh
	args: \|
	-c "
	cd dist
	for file in .tar.gz .zip checksums.txt; do
	if [ -f \"\$file\" ]; then
	echo \"Signing \$file with devguard-scanner...\"
	devguard-scanner sign --token ${{ secrets.DEVGUARD_TOKEN }} \"\$file\" > ${file}.sig
	fi
	done
	"

	- name: Create GitHub Release
	uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
	with:
	tag_name: ${{ steps.tag.outputs.tag }}
	name: "DevGuard Scanner ${{ steps.tag.outputs.tag }}"
	draft: false
	prerelease: ${{ contains(steps.tag.outputs.tag, 'test-') }}
	body: \|
	## 🚀 DevGuard Release ${{ steps.tag.outputs.tag }}

	Secure software supply chain scanning and security analysis toolkit

	### Release Assets

	#### 📱 Binaries
	- `devguard-scanner-linux-amd64.tar.gz` - Linux x64 binary
	- `devguard-scanner-linux-arm64.tar.gz` - Linux ARM64 binary
	- `devguard-scanner-darwin-amd64.tar.gz` - macOS x64 binary
	- `devguard-scanner-darwin-arm64.tar.gz` - macOS ARM64 (Apple Silicon) binary
	- `devguard-scanner-windows-amd64.zip` - Windows x64 binary
	- `devguard-scanner-windows-arm64.zip` - Windows ARM64 binary

	#### 🐳 Container Images
	- Registry:
	- `ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}` (Main platform)
	- `ghcr.io/l3montree-dev/devguard-web:${{ steps.tag.outputs.tag }}` (Frontend of the platform)
	- `ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}` (Scanner tool)

	#### Helm Charts

	`oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard` (Main platform Helm chart)

	```bash
	helm install my-devguard oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard --version ${{ env.TAG_NO_V }}
	```

	### Quick Start

	#### Download and Install
	```bash
	# Linux/macOS - Download and extract
	curl -L https://github.com/l3montree-dev/devguard/releases/download/${{ steps.tag.outputs.tag }}/devguard-scanner-linux-amd64.tar.gz \| tar -xz
	chmod +x devguard-scanner-linux-amd64
	sudo mv devguard-scanner-linux-amd64 /usr/local/bin/devguard-scanner

	# Verify installation
	devguard-scanner --version
	```

	#### Docker Usage
	```bash
	# Pull DevGuard Scanner from registry
	docker pull ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}

	# Pull DevGuard Platform from registry
	docker pull ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}
	```

	#### Go Install
	```bash
	go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@${{ steps.tag.outputs.tag }}
	```

	---

	📖 Documentation: [DevGuard Documentation](https://github.com/l3montree-dev/devguard)
	🐛 Report Issues: [GitHub Issues](https://github.com/l3montree-dev/devguard/issues)
	💬 Community: [Discussions](https://github.com/l3montree-dev/devguard/discussions)
	files: \|
	dist/*.tar.gz
	dist/*.zip
	dist/checksums.txt
	dist/*.sig
	dist/*.link
	dist/*.provenance.json
	dist/*.sbom.json
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adjusted other endpoints for consistent behavior #3816

Workflow file

Adjusted other endpoints for consistent behavior #3816

Uh oh!

Workflow file for this run