Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] - autoclosed #3513
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Local Remote Execution | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
paths-ignore: | |
- 'docs/**' | |
permissions: read-all | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | |
jobs: | |
local: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-24.04, macos-14] | |
toolchain: [lre-cc, lre-rs] | |
exclude: | |
- os: macos-14 | |
toolchain: lre-cc | |
name: Local / ${{ matrix.toolchain }} / ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 45 | |
steps: | |
- name: Checkout | |
uses: >- # v4.1.1 | |
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Install Nix | |
uses: >- # v10 | |
DeterminateSystems/nix-installer-action@de22e16c4711fca50c816cc9081563429d1cf563 | |
- name: Free disk space | |
uses: >- # v2.0.0 | |
endersonmenezes/free-disk-space@3f9ec39ebae520864ac93467ee395f5237585c21 | |
with: | |
remove_android: true | |
remove_dotnet: true | |
remove_haskell: true | |
remove_tool_cache: false | |
- name: Cache Nix derivations | |
uses: >- # v4 | |
DeterminateSystems/magic-nix-cache-action@fc6aaceb40b9845a02b91e059ec147e78d1b4e41 | |
- name: Build example with ${{ matrix.toolchain }} toolchain | |
env: | |
TOOLCHAIN: ${{ matrix.toolchain }} | |
run: > | |
nix develop --impure --command | |
bash -c "bazel run \ | |
--verbose_failures \ | |
@local-remote-execution//examples:${TOOLCHAIN}" | |
remote: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [large-ubuntu-22.04] | |
toolchain: [lre-cc, lre-rs] | |
name: Remote / ${{ matrix.toolchain }} / ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 45 | |
steps: | |
- name: Checkout | |
uses: >- # v4.1.1 | |
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Install Nix | |
uses: >- # v10 | |
DeterminateSystems/nix-installer-action@de22e16c4711fca50c816cc9081563429d1cf563 | |
- name: Free disk space | |
uses: >- # v2.0.0 | |
endersonmenezes/free-disk-space@3f9ec39ebae520864ac93467ee395f5237585c21 | |
with: | |
remove_android: true | |
remove_dotnet: true | |
remove_haskell: true | |
remove_tool_cache: false | |
- name: Cache Nix derivations | |
uses: >- # v4 | |
DeterminateSystems/magic-nix-cache-action@fc6aaceb40b9845a02b91e059ec147e78d1b4e41 | |
- name: Start Kubernetes cluster | |
run: > | |
nix run .#native up | |
- name: Start NativeLink operator | |
env: | |
REPO_URL: ${{ github.event.pull_request.head.repo.clone_url || format('https://github.com/{0}.git', github.repository) }} | |
BRANCH: ${{ github.event.pull_request.head.ref || github.ref_name }} | |
COMMIT: ${{ github.event.pull_request.head.sha || github.sha }} | |
TOOLCHAIN: ${{ matrix.toolchain }} | |
run: | | |
nix develop --impure --command bash -c 'cat > kustomization.yaml << EOF | |
apiVersion: kustomize.config.k8s.io/v1beta1 | |
kind: Kustomization | |
resources: | |
- kubernetes/resources/flux | |
- kubernetes/resources/nativelink-core | |
- kubernetes/resources/gateway-routes | |
- kubernetes/workers/resources/worker-init | |
- kubernetes/workers/resources/${TOOLCHAIN} | |
patches: | |
- patch: |- | |
- op: replace | |
path: /spec/url | |
value: ${REPO_URL} | |
- op: replace | |
path: /spec/ref/branch | |
value: ${BRANCH} | |
- op: replace | |
path: /spec/ref/commit | |
value: ${COMMIT} | |
target: | |
kind: GitRepository | |
name: nativelink | |
- patch: |- | |
- op: replace | |
path: /spec/postBuild/substitute/PLACEHOLDER_FLAKE_OUTPUT | |
value: ./src_root#image | |
target: | |
kind: Kustomization | |
name: nativelink-alert-core | |
- patch: |- | |
- op: replace | |
path: /spec/postBuild/substitute/PLACEHOLDER_FLAKE_OUTPUT | |
value: ./src_root#nativelink-worker-init | |
target: | |
kind: Kustomization | |
name: nativelink-alert-worker-init | |
- patch: |- | |
- op: replace | |
path: /spec/postBuild/substitute/PLACEHOLDER_FLAKE_OUTPUT | |
value: ./src_root#nativelink-worker-${TOOLCHAIN} | |
target: | |
kind: Kustomization | |
name: nativelink-alert-${TOOLCHAIN} | |
EOF | |
kubectl apply -k . && | |
rm kustomization.yaml' | |
- name: Wait for Tekton resources | |
run: > | |
nix develop --impure --command | |
bash -c "flux reconcile kustomization -n default \ | |
--timeout=15m \ | |
nativelink-tekton-resources" | |
- name: Wait for alerts | |
env: | |
TOOLCHAIN: ${{ matrix.toolchain }} | |
run: > | |
nix develop --impure --command | |
bash -c "flux reconcile kustomization -n default \ | |
--timeout=15m \ | |
nativelink-alert-core && \ | |
flux reconcile kustomization -n default \ | |
--timeout=15m \ | |
nativelink-alert-worker-init && \ | |
flux reconcile kustomization -n default \ | |
--timeout=15m \ | |
nativelink-alert-${TOOLCHAIN}" | |
- name: Trigger pipelines | |
run: | | |
nix develop --impure --command bash -c 'cat > dummy-repo.yaml << EOF | |
apiVersion: source.toolkit.fluxcd.io/v1 | |
kind: GitRepository | |
metadata: | |
name: dummy-repository | |
namespace: default | |
spec: | |
interval: 2m | |
url: https://github.com/TraceMachina/nativelink | |
ref: | |
branch: main | |
EOF | |
kubectl apply -f dummy-repo.yaml && | |
rm dummy-repo.yaml' | |
- name: Wait for Tekton pipelines | |
run: > | |
nix develop --impure --command bash << 'EOF' | |
until pr=$(kubectl get pipelinerun -o name | \ | |
grep rebuild-nativelink-run-); do | |
echo "Waiting for pipeline to be created..." | |
sleep 1 | |
done | |
echo "Found pipeline: $pr" | |
kubectl wait --for=create $pr | |
echo "Waiting for pipeline to succeed..." | |
kubectl wait \ | |
--for=condition=Succeeded \ | |
--timeout=45m \ | |
pipelinerun \ | |
-l tekton.dev/pipeline=rebuild-nativelink | |
EOF | |
- name: Wait for NativeLink Kustomization | |
run: > | |
nix develop --impure --command | |
bash -c "flux reconcile kustomization -n default \ | |
--timeout=15m \ | |
nativelink-core" | |
- name: Wait for Worker Kustomization | |
env: | |
TOOLCHAIN: ${{ matrix.toolchain }} | |
run: > | |
nix develop --impure --command | |
bash -c "flux reconcile kustomization -n default \ | |
--timeout=15m \ | |
nativelink-${TOOLCHAIN}" | |
- name: Wait for NativeLink | |
run: > | |
nix develop --impure --command | |
bash -c "kubectl rollout status deploy/nativelink" | |
- name: Wait for worker | |
env: | |
TOOLCHAIN: ${{ matrix.toolchain }} | |
run: > | |
nix develop --impure --command | |
bash -c "kubectl rollout status deploy/nativelink-worker-${TOOLCHAIN}" | |
- name: Get gateway IPs | |
id: gateway-ips | |
run: | | |
echo "nativelink_ip=$(kubectl get gtw nativelink-gateway -o=jsonpath='{.status.addresses[0].value}')" >> "$GITHUB_ENV" | |
- name: Print cluster state | |
run: | | |
kubectl get svc -A | |
kubectl get pod -A | |
kubectl get svc -A | |
kubectl get deployments -A | |
kubectl describe gtw | |
echo "nativelink" | |
kubectl logs -l app=nativelink | |
echo "worker" | |
kubectl logs -l app=nativelink-worker | |
- name: Build example with ${{ matrix.toolchain }} toolchain | |
env: | |
TOOLCHAIN: ${{ matrix.toolchain }} | |
run: > | |
nix develop --impure --command | |
bash -c "bazel run \ | |
--remote_cache=grpc://$nativelink_ip \ | |
--remote_executor=grpc://$nativelink_ip \ | |
--verbose_failures \ | |
@local-remote-execution//examples:${TOOLCHAIN}" |