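---
# CircleCI pipeline for driftctl.
#
# The top-level `only_branches`, `only_maintainers` and `release_tags` keys are
# not CircleCI configuration; they only hold anchors that are merged into
# workflow job entries with `<<:`.
#
# Workflows:
#   nightly     - scheduled (03:00 UTC) acceptance-test matrix on main
#   pullrequest - lint + unit tests on every non-main branch; Snyk scans run
#                 only for non-forked PRs (forks get CIRCLE_BRANCH=pull/NNN)
#   push        - unit tests on main
#   release     - tag-driven (v*) build and signing, then AUR, docs, lambda
#                 and issue-label follow-ups
version: 2.1

only_branches: &only_branches
  filters:
    branches:
      ignore:
        - main

only_maintainers: &only_maintainers
  filters:
    branches:
      # Forked pull requests have CIRCLE_BRANCH set to pull/XXX
      ignore: /pull\/[0-9]+/

# Shared by every job of the `release` workflow: run on v* tags only, never
# on branch pushes.
release_tags: &release_tags
  filters:
    tags:
      only: /^v.*/
    branches:
      ignore: /.*/

orbs:
  go: circleci/go@1.7.0
  codecov: codecov/codecov@3.1.0
  snyk: snyk/snyk@1.1.2
  gh: circleci/github-cli@1.1.0

jobs:
  # Runs one acceptance-test suite (selected by `pattern`) against real cloud
  # accounts; credentials come from the `driftctl-acc` context.
  test_acc:
    parameters:
      pattern:
        type: string
    resource_class: large
    machine:
      image: ubuntu-2004:202010-01
    environment:
      ACC_PATTERN: << parameters.pattern >>
      AWS_DEFAULT_REGION: us-east-1
      CHECKPOINT_DISABLE: 'true'  # Disable terraform version check
      CLOUDSDK_CORE_PROJECT: driftctl-qa-1
      GOOGLE_APPLICATION_CREDENTIALS: /tmp/google.json
      ACC_GOOGLE_CREDENTIALS: /tmp/google-admin.json
    steps:
      - checkout
      - go/install:
          version: "1.18.3"
      - go/load-cache:
          key: test_acc
      - run: make install-tools
      - run:
          name: Setup Google credentials
          # Variables are quoted so a base64 payload stored with line wraps
          # is decoded intact instead of being word-split by echo.
          command: |
            echo "${GCLOUD_KEYFILE}" | base64 -d > /tmp/google.json
            echo "${ACC_GCLOUD_KEYFILE}" | base64 -d > /tmp/google-admin.json
      - run:
          name: Run acceptance tests
          command: make acc
          no_output_timeout: 30m
      - codecov/upload:
          flags: << parameters.pattern >>
          file: cover-acc.out
      - run:
          name: Discord notification
          when: on_fail
          # Only the suite name and the build URL are posted; no job output.
          command: |
            curl -X POST \
              -H "Content-Type: application/json" \
              -d "{\"content\": \"❌ Acceptance tests failed\nSuite: ${ACC_PATTERN}\n<${CIRCLE_BUILD_URL}>\" }" \
              "${DISCORD_WEBHOOK}"
      - go/save-cache:
          key: test_acc
          path: /home/circleci/.go_workspace/pkg/mod
      - store_test_results:
          path: ./

  # Fails if `go fmt` changes anything, then runs the project linters.
  lint:
    docker:
      - image: golang:1.18
    steps:
      - checkout
      - run:
          name: Enforce Go Formatted Code
          command: |
            go fmt ./...
            if [[ -z $(git status --porcelain) ]]; then
              echo "Git directory is clean."
            else
              echo "Git directory is dirty. Run make fmt locally and commit any formatting fixes or generated code."
              git status --porcelain
              exit 1
            fi
      - run: make install-tools
      - run: make lint

  # Unit tests with coverage upload.
  test:
    resource_class: large
    executor:
      name: go/default
      tag: '1.18.3'
    steps:
      - checkout
      - go/load-cache:
          key: test-docker
      - run: make install-tools
      - run:
          name: Run tests
          command: make test
      - go/save-cache:
          key: test-docker
      - codecov/upload:
          flags: unit
      - store_test_results:
          path: ./

  # Builds, signs and publishes the release; the checksum file is persisted
  # for the downstream AUR job.
  release:
    resource_class: large
    docker:
      - image: cimg/go:1.18
    steps:
      - checkout
      - gh/setup:
          version: 2.2.0
      - run:
          name: "Ensure GnuPG is available"
          command: gpg --version
      - run:
          name: "Import signing key"
          # Quoted for the same reason as the Google credentials above.
          command: |
            echo "${SIGNINGKEY}" | base64 -d | gpg --import
      - run:
          name: "Build and publish release"
          command: make release
          no_output_timeout: 30m
      - persist_to_workspace:
          root: ~/project
          paths:
            - bin/driftctl_SHA256SUMS

  # Updates the driftctl-bin AUR package to the released tag.
  publish-aur:
    environment:
      AUR_GIT: ssh://aur@aur.archlinux.org/driftctl-bin.git
    docker:
      - image: cimg/base:2020.01
    steps:
      - checkout
      - attach_workspace:
          at: ~/project
      # Add ssh private key to allow access to AUR repository
      # This key is bound to user snyk on AUR
      - add_ssh_keys:
          fingerprints:
            - "ba:05:09:d6:a6:2a:45:34:89:c4:5e:22:23:22:e8:9f"
      - run:
          name: Bump package version
          # The AUR host key is pinned explicitly so the first ssh connection
          # cannot be silently redirected.
          command: |
            mkdir -p ~/.ssh
            echo 'aur.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuBKrPzbawxA/k2g6NcyV5jmqwJ2s+zpgZGZ7tpLIcN' >> ~/.ssh/known_hosts
            # Ensure ssh is properly configured
            ssh aur@aur.archlinux.org list-repos
            git clone "${AUR_GIT}" driftctl-bin
            cd driftctl-bin
            git config user.name "snyk"
            git config user.email elie.charra@snyk.io
            cp ~/project/bin/driftctl_SHA256SUMS .
            ./bump.sh "${CIRCLE_TAG}"
            echo "--- PKGBUILD ---"
            cat PKGBUILD
            echo "--- .SRCINFO ---"
            cat .SRCINFO
            git add PKGBUILD .SRCINFO
            git commit -m "Updated to version ${CIRCLE_TAG}"
            git push

  # Fires a repository_dispatch event so driftctl-docs rebuilds for the
  # new version.
  release-docs:
    docker:
      - image: cimg/base:2020.01
    steps:
      - checkout
      - attach_workspace:
          at: ~/project
      - run:
          name: Trigger driftctl-docs new version
          command: |
            curl -X POST https://api.github.com/repos/snyk/driftctl-docs/dispatches \
              -d '{"event_type": "new_version"}' \
              -H "Authorization: token $GITHUB_TOKEN"

  issue-tagging:
    machine:
      image: ubuntu-2004:202010-01
    steps:
      - checkout
      - gh/setup:
          version: 2.2.0
      - attach_workspace:
          at: ~/project
      - run:
          name: Auto label issues with the newly released version
          command: |
            ./scripts/issue-tagging.sh

  # Publishes the released version to the version-check Lambda.
  update-lambda:
    environment:
      FUNCTION_NAME: driftctl-version
    docker:
      - image: cimg/base:2021.04
    steps:
      - run:
          name: "Update Lambda version"
          # The updater is a third-party release binary fetched at build time
          # and then run with the Lambda credentials from the context. Its
          # SHA-256 is checked against LAMBDA_ENV_UPDATER_SHA256 when that
          # variable is present; add the expected digest of the v1.0.0
          # linux_amd64 asset to the `driftctl-version-lambda` context so a
          # replaced or tampered download cannot execute.
          command: |
            wget "https://github.com/snyk/lambda-env-updater/releases/download/v1.0.0/lambda-env-updater_linux_amd64"
            if [ -n "${LAMBDA_ENV_UPDATER_SHA256:-}" ]; then
              echo "${LAMBDA_ENV_UPDATER_SHA256}  lambda-env-updater_linux_amd64" | sha256sum -c -
            else
              echo "WARNING: LAMBDA_ENV_UPDATER_SHA256 is not set; downloaded binary was not integrity-checked"
            fi
            chmod +x lambda-env-updater_linux_amd64
            ./lambda-env-updater_linux_amd64 \
              -name "${FUNCTION_NAME}" \
              -env "LATEST_VERSION=${CIRCLE_TAG}"

  # Snyk open-source dependency scan (results are also sent to Snyk monitor).
  security-oss:
    docker:
      - image: cimg/go:1.18
    steps:
      - checkout
      - snyk/scan:
          severity-threshold: medium
          monitor-on-build: true
          project: ${CIRCLE_PROJECT_REPONAME}
          organization: snyk-iac-group-seceng

  # Snyk static code analysis (test only, no monitor).
  security-code:
    docker:
      - image: cimg/go:1.18.3
    steps:
      - checkout
      - snyk/scan:
          command: code test
          severity-threshold: medium
          monitor-on-build: false
          project: ${CIRCLE_PROJECT_REPONAME}
          organization: snyk-iac-group-seceng

workflows:
  nightly:
    jobs:
      - test_acc:
          name: "Acceptance tests: << matrix.pattern >>"
          matrix:
            parameters:
              pattern:
                - TestAcc_Aws
                - TestAcc_Github_
                - TestAcc_Google
                - TestAcc_Azure_
                - TestAcc_StateReader_
          context:
            - driftctl-acc
    triggers:
      - schedule:
          cron: "0 3 * * *"
          filters:
            branches:
              only:
                - main

  pullrequest:
    jobs:
      - lint:
          <<: *only_branches
      - test:
          <<: *only_branches
      - security-code:
          name: Snyk code
          context:
            - driftctl-snyk
          <<: *only_maintainers
      - security-oss:
          name: Snyk test
          context:
            - driftctl-snyk
          <<: *only_maintainers

  # Disabled since it makes every PR stay in "pending" state
  # https://ideas.circleci.com/cloud-feature-requests/p/show-overall-all-checks-have-passed-status-in-github-even-on-builds-with-incompl
  # pullrequest_acc:
  #   jobs:
  #     - hold:
  #         type: approval  # presents a manual approval button in the UI
  #     - test_acc:
  #         name: "Acceptance tests: << matrix.pattern >>"
  #         requires:
  #           - hold
  #         matrix:
  #           parameters:
  #             pattern:
  #               - TestAcc_Aws
  #               - TestAcc_Github_
  #               - TestAcc_Google
  #               - TestAcc_Azure_
  #         context:
  #           - driftctl-acc

  push:
    jobs:
      - test:
          filters:
            branches:
              only:
                - main

  release:
    jobs:
      - lint:
          <<: *release_tags
      - test:
          <<: *release_tags
      - release:
          context:
            - driftctl
            - driftctl-snyk
            - driftctl-signing
          requires:
            - lint
            - test
          <<: *release_tags
      - publish-aur:
          requires:
            - release
          <<: *release_tags
      - update-lambda:
          context: driftctl-version-lambda
          requires:
            - release
          <<: *release_tags
      - release-docs:
          context:
            - driftctl
          requires:
            - release
          <<: *release_tags
      - issue-tagging:
          context:
            - driftctl
          requires:
            - release
          <<: *release_tags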