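---
# Boulder CI test suite workflow

name: Boulder CI

# Controls when the workflow runs.
on:
  # Pushes to main and release branches, plus every pull request (any
  # target branch), plus manual runs from the Actions tab.
  push:
    branches:
      - main
      - "release-branch-*"
  pull_request:
    branches:
      - "**"

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job below: read-only checkout and
# nothing else. Individual jobs may narrow this further (see
# boulder_ci_test_matrix_status) but none widens it.
permissions:
  contents: read

# A workflow run is made up of one or more jobs that can run sequentially
# or in parallel.
jobs:
  # Main test jobs. This looks like a single job, but the matrix
  # items will multiply it. For example every entry in the
  # BOULDER_TOOLS_TAG list will run with every test. If there were two
  # tags and 5 tests there would be 10 jobs run.
  b:
    # The type of runner that the job will run on
    runs-on: ubuntu-24.04

    strategy:
      # When set to true, GitHub cancels all in-progress jobs if any
      # matrix job fails. Default: true
      fail-fast: false
      # Test matrix.
      matrix:
        # Add additional docker image tags here and all tests will be run
        # with the additional image.
        BOULDER_TOOLS_TAG:
          - go1.25.5_2025-12-03
        # Tests command definitions. Use the entire "docker compose"
        # command you want to run. Each entry is interpolated verbatim into
        # the "Run Test" step's shell, so keep this list to fixed strings
        # defined in this file — never derive an entry from event payload
        # data.
        tests:
          # Run ./test.sh --help for a description of each of the flags.
          - "./t.sh --lints --generate"
          - "./t.sh --integration"
          # Testing Config Changes:
          # Config changes that have landed in main but not yet been applied
          # to production can be made in `test/config-next/<component>.json`.
          #
          # Testing DB Schema Changes:
          # Database migrations in `sa/_db-next/migrations` are only
          # performed when `docker compose` is called using
          # `-f docker-compose.yml -f docker-compose.next.yml`.
          - "./tn.sh --integration"
          - "./t.sh --unit --enable-race-detection"
          - "./tn.sh --unit --enable-race-detection"
          - "./t.sh --start-py"
          # Same cases but backed by Vitess + MySQL 8 instead of
          # ProxySQL + MariaDB
          - "./t.sh --use-vitess --integration"
          - "./tn.sh --use-vitess --integration"
          - "./t.sh --use-vitess --unit --enable-race-detection"
          - "./tn.sh --use-vitess --unit --enable-race-detection"
          - "./t.sh --use-vitess --start-py"

    env:
      # This sets the docker image tag for the boulder-tools repository to
      # use in tests. It will be set appropriately for each tag in the list
      # defined in the matrix.
      BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
      BOULDER_VTCOMBOSERVER_TAG: vitessv23.0.0_2025-12-02

    # Sequence of tasks that will be executed as part of the job.
    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can
      # access it. persist-credentials: false keeps the checkout token out
      # of the workspace's git config, so later steps (and the test
      # containers they start) cannot read it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Docker Login
        # NOTE(review): @v3.6.0 (like @v4/@v5 above and below) is a mutable
        # tag; pinning to the full commit SHA, as the commented-out line
        # shows, gives a reproducible, tamper-evident reference.
        # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
        uses: docker/login-action@v3.6.0
        with:
          # Username used to log against the Docker registry
          username: ${{ secrets.DOCKER_USERNAME }}
          # Password or personal access token used to log against the
          # Docker registry
          password: ${{ secrets.DOCKER_PASSWORD }}
          # Log out from the Docker registry at the end of a job
          logout: true
        # A failed login is not fatal: the image pull below falls back to an
        # anonymous pull. Presumably this covers runs where the secrets are
        # not provided (e.g. pull requests from forks) — confirm.
        continue-on-error: true

      # Print the env variable being used to pull the docker image. For
      # informational use.
      - name: Print BOULDER_TOOLS_TAG
        run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}"

      # Pre-pull the docker containers before running the tests.
      - name: docker compose pull
        run: docker compose pull

      # Run the test matrix. This will run one job per (tag, test) pair;
      # the command comes straight from the `tests` list above.
      - name: "Run Test: ${{ matrix.tests }}"
        run: ${{ matrix.tests }}

  # Scans the module graph for known vulnerabilities. Runs on the latest
  # released Go so that Go security releases are picked up immediately.
  govulncheck:
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false

    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can
      # access it
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          # When Go produces a security release, we want govulncheck to run
          # against the most recently released Go version.
          check-latest: true
          go-version: "stable"

      # @latest is deliberate here (newest checker and vuln database); the
      # module is fetched through the Go module proxy and verified against
      # the checksum database, so integrity is still checked even though
      # the version is not pinned.
      - name: Run govulncheck
        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

  # Confirms that go.mod/go.sum and the vendor/ tree are in sync with
  # the committed sources: any drift shows up as a non-empty git diff.
  vendorcheck:
    runs-on: ubuntu-24.04
    strategy:
      # When set to true, GitHub cancels all in-progress jobs if any
      # matrix job fails. Default: true
      fail-fast: false
      matrix:
        # Quoted so the version is never parsed as a float.
        go-version:
          - "1.25.5"

    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can
      # access it
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup Go ${{ matrix.go-version }}
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}

      - name: Verify vendor
        shell: bash
        run: |
          go mod tidy
          go mod vendor
          git diff --exit-code

  # This is a utility build job to detect if the status of any of the
  # above jobs have failed and fail if so. It is needed so there can be
  # one static job name that can be used to determine success of the job
  # in GitHub branch protection.
  # It does not block on the result of govulncheck so that a new
  # vulnerability disclosure does not prevent any other PRs from being
  # merged.
  boulder_ci_test_matrix_status:
    # This job only inspects the results of other jobs; it needs no token
    # access at all.
    permissions:
      contents: none
    # always() makes this job run even when a dependency failed or was
    # cancelled, so the status below is reported rather than skipped.
    if: ${{ always() }}
    runs-on: ubuntu-24.04
    name: Boulder CI Test Matrix
    needs:
      - b
      - vendorcheck
    steps:
      # Comparing against 'success' (rather than checking for 'failure')
      # also treats cancelled or skipped dependencies as a failure.
      - name: Check boulder ci test matrix status
        if: ${{ needs.b.result != 'success' || needs.vendorcheck.result != 'success' }}
        run: exit 1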