version: 2.1 only_branches: &only_branches filters: branches: ignore: - main orbs: go: circleci/go@1.5.0 codecov: codecov/codecov@3.1.0 snyk: snyk/snyk@1.1.2 jobs: test_acc: parameters: pattern: type: string machine: image: ubuntu-2004:202010-01 environment: ACC_PATTERN: << parameters.pattern >> AWS_DEFAULT_REGION: us-east-1 CHECKPOINT_DISABLE: 'true' # Disable terraform version check CLOUDSDK_CORE_PROJECT: driftctl-qa-1 GOOGLE_APPLICATION_CREDENTIALS: /tmp/google.json ACC_GOOGLE_CREDENTIALS: /tmp/google-admin.json steps: - checkout - go/install: version: "1.16.2" # Disable cache at it seem to broke go 1.16 installation cache: false - run: make install-tools - run: name: Setup Google credentials command: | echo ${GCLOUD_KEYFILE} | base64 -d > /tmp/google.json echo ${ACC_GCLOUD_KEYFILE} | base64 -d > /tmp/google-admin.json - run: name: Run acceptance tests command: make acc no_output_timeout: 30m - codecov/upload: flags: << parameters.pattern >> file: cover-acc.out - run: name: Discord notification when: on_fail command: | curl -X POST \ -H "Content-Type: application/json" \ -d "{\"content\": \"❌ Acceptance tests failed\nSuite: ${ACC_PATTERN}\n<${CIRCLE_BUILD_URL}>\" }"\ ${DISCORD_WEBHOOK} - store_test_results: path: ./ lint: docker: - image: golang:1.16 steps: - checkout - run: name: Enforce Go Formatted Code command: | go fmt ./... if [[ -z $(git status --porcelain) ]]; then echo "Git directory is clean." else echo "Git directory is dirty. Run make fmt locally and commit any formatting fixes or generated code." git status --porcelain exit 1 fi - run: make install-tools - run: make lint test: machine: image: ubuntu-2004:202107-02 steps: - checkout - run: name: Run tests command: | docker run\ -v$(pwd):/app\ -w /app\ golang:1.16\ bash -c 'make install-tools && make test' - codecov/upload: flags: unit - store_test_results: path: ./ release: docker: - image: golang:1.16 steps: - checkout - run: name: "Ensure GnuPG is available" command: gpg --version - run: name: "Import signing key" command: | echo ${SIGNINGKEY} | base64 -d | gpg --import - run: name: "Build and publish release" command: make release no_output_timeout: 30m - persist_to_workspace: root: ~/project paths: - bin/driftctl_SHA256SUMS publish-aur: environment: AUR_GIT: ssh://aur@aur.archlinux.org/driftctl-bin.git docker: - image: cimg/base:2020.01 steps: - checkout - attach_workspace: at: ~/project # Add ssh private key to allow access to AUR repository # This key is bound to user snyk on AUR - add_ssh_keys: fingerprints: - "ba:05:09:d6:a6:2a:45:34:89:c4:5e:22:23:22:e8:9f" - run: name: Bump package version command: | mkdir -p ~/.ssh echo 'aur.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuBKrPzbawxA/k2g6NcyV5jmqwJ2s+zpgZGZ7tpLIcN' >> ~/.ssh/known_hosts # Ensure ssh is properly configured ssh aur@aur.archlinux.org list-repos git clone "${AUR_GIT}" driftctl-bin cd driftctl-bin git config user.name "snyk" git config user.email elie.charra@snyk.io cp ~/project/bin/driftctl_SHA256SUMS . ./bump.sh "${CIRCLE_TAG}" echo "--- PKGBUILD ---" cat PKGBUILD echo "--- .SRCINFO ---" cat .SRCINFO git add PKGBUILD .SRCINFO git commit -m "Updated to version ${CIRCLE_TAG}" git push update-lambda: environment: FUNCTION_NAME: driftctl-version docker: - image: cimg/base:2021.04 steps: - run: name: "Update Lambda version" command: | wget "https://github.com/snyk/lambda-env-updater/releases/download/v1.0.0/lambda-env-updater_linux_amd64" && chmod +x lambda-env-updater_linux_amd64 ./lambda-env-updater_linux_amd64\ -name ${FUNCTION_NAME}\ -env "LATEST_VERSION=${CIRCLE_TAG}" security-oss: docker: - image: cimg/go:1.17.2 steps: - checkout - snyk/scan: severity-threshold: medium monitor-on-build: true project: ${CIRCLE_PROJECT_REPONAME} organization: snyk-iac-group-seceng security-code: docker: - image: cimg/go:1.17.2 steps: - checkout - snyk/scan: command: code test severity-threshold: medium monitor-on-build: false project: ${CIRCLE_PROJECT_REPONAME} organization: snyk-iac-group-seceng workflows: nightly: jobs: - test_acc: name: "Acceptance tests: << matrix.pattern >>" matrix: parameters: pattern: - TestAcc_Aws - TestAcc_Github_ - TestAcc_Google - TestAcc_Azure_ context: - driftctl-acc triggers: - schedule: cron: "0 3 * * *" filters: branches: only: - main pullrequest: jobs: - lint: <<: *only_branches - test: <<: *only_branches # Disabled since it fail for contributors because of the snyk token stored in a private context # - security-code: # name: Snyk code # context: # - snyk # <<: *only_branches # - security-oss: # name: Snyk test # context: # - snyk # <<: *only_branches # Disabled since it makes every PR to stay in "pending" state # https://ideas.circleci.com/cloud-feature-requests/p/show-overall-all-checks-have-passed-status-in-github-even-on-builds-with-incompl # pullrequest_acc: # jobs: # - hold: # type: approval # presents manual approval button in the UI # - test_acc: # name: "Acceptance tests: << matrix.pattern >>" # requires: # - hold # matrix: # parameters: # pattern: # - TestAcc_Aws # - TestAcc_Github_ # - TestAcc_Google # - TestAcc_Azure_ # context: # - driftctl-acc push: jobs: - test: filters: branches: only: - main release: jobs: - lint: filters: tags: only: /^v.*/ branches: ignore: /.*/ - test: filters: tags: only: /^v.*/ branches: ignore: /.*/ - release: context: - driftctl-snyk - driftctl-signing requires: - lint - test filters: tags: only: /^v.*/ branches: ignore: /.*/ - publish-aur: requires: - release filters: tags: only: /^v.*/ branches: ignore: /.*/ - update-lambda: context: driftctl-version-lambda requires: - release filters: tags: only: /^v.*/ branches: ignore: /.*/