ensure no diff after go mod tidy #1241

Workflow file for this run

	name: Go package

	on:
	push:
	tags:
	- "v*" # push events to tagged commits
	branches:
	- "**"

	permissions:
	contents: read
	id-token: write # for GitHub id-token auth

	jobs:
	go-test:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: src/go.mod
	cache-dependency-path: src/go.sum

	- name: Run Go unit tests
	run: go test -test.short -v ./...
	working-directory: src

	# - name: Build MacOS binary
	# run: GOOS=darwin go build ./cmd/cli
	# working-directory: src

	# - name: Build Windows binary
	# run: GOOS=windows go build ./cmd/cli
	# working-directory: src

	- name: Verify Go modules
	working-directory: src
	run: \|
	go mod tidy
	git diff --exit-code go.mod go.sum \|\| { echo "Go modules are not up to date"; exit 1; }

	nix-shell-test:
	runs-on: ubuntu-latest
	needs: go-test
	steps:
	- uses: actions/checkout@v4

	- name: Install Nix
	uses: cachix/install-nix-action@v26
	with:
	nix_path: nixpkgs=channel:nixos-unstable

	- name: Check nix-shell default.nix
	run: \|
	set -o pipefail
	nix-shell --pure -E 'with import <nixpkgs> {}; mkShell { buildInputs = [ (import ./default.nix {}) ]; }' --run defang 2>&1 \| sed -u 's\|\s\+got:\|::error file=pkgs/defang/cli.nix,line=9::Replace the vendorHash with the correct value:\|'

	# go-byoc-test:
	# runs-on: ubuntu-latest
	# steps:
	# - name: Configure AWS Credentials for CI
	# uses: aws-actions/configure-aws-credentials@v4
	# with:
	# aws-region: us-west-2
	# output-credentials: true
	# role-to-assume: arn:aws:iam::488659951590:role/ci-role-d4fe904 # ciRoleArn from defang-io/infrastructure stack

	# - name: Configure AWS Credentials for Staging
	# uses: aws-actions/configure-aws-credentials@v4
	# with:
	# aws-region: us-west-2
	# role-duration-seconds: 1200
	# role-chaining: true
	# role-to-assume: arn:aws:iam::426819183542:role/admin # adminUserRoleArn from defang-io/bootstrap stack

	# - uses: actions/checkout@v4

	# - name: Set up Go
	# uses: actions/setup-go@v5
	# with:
	# go-version-file: src/go.mod
	# cache-dependency-path: src/go.sum

	# - name: Run sanity tests
	# run: go run ./cmd/cli compose up -f tests/compose.yaml
	# working-directory: src

	go-playground-test:
	runs-on: ubuntu-latest
	needs: go-test
	steps:
	- uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: src/go.mod
	cache-dependency-path: src/go.sum

	- name: Login using GitHub token
	run: go run ./cmd/cli login --debug
	working-directory: src

	- name: Add dummy config
	run: echo blah \| go run ./cmd/cli config set -n dummy -f tests/sanity/compose.yaml --debug
	working-directory: src

	- name: Run sanity tests UP
	run: go run ./cmd/cli compose up -f tests/sanity/compose.yaml --debug
	working-directory: src

	- name: Run sanity tests DOWN
	run: go run ./cmd/cli compose stop -f tests/sanity/compose.yaml --debug
	working-directory: src

	build-and-sign:
	name: Build app and sign files with Trusted Signing
	environment: release
	needs: go-test
	runs-on: windows-latest # for signtool
	env: # from https://github.com/spiffe/spire/pull/5158
	GOPATH: 'D:\golang\go'
	GOCACHE: 'D:\golang\cache'
	GOMODCACHE: 'D:\golang\modcache'
	steps:
	- uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: src/go.mod
	cache-dependency-path: src/go.sum

	- name: Download Go dependencies
	run: go mod download
	working-directory: src

	- name: Run GoReleaser (Windows and Linux)
	uses: goreleaser/goreleaser-action@v5
	with:
	# distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
	# version: latest
	args: build --id defang-cli ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }}
	workdir: src

	# From https://github.com/Azure/trusted-signing-action/pull/37
	- name: Azure login
	uses: azure/login@v1
	if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits
	with:
	client-id: ${{ secrets.AZURE_CLIENT_ID }}
	tenant-id: ${{ secrets.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

	- name: Trusted Signing
	uses: Azure/[email protected]
	if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits
	with:
	endpoint: https://wus2.codesigning.azure.net/ # from Azure portal
	trusted-signing-account-name: DefangLabs # from Azure portal
	certificate-profile-name: signed-binary-test # from Azure portal
	files-folder: ${{ github.workspace }}\src\dist
	files-folder-filter: exe # no dll
	files-folder-recurse: true
	file-digest: SHA256
	timestamp-rfc3161: http://timestamp.acs.microsoft.com
	timestamp-digest: SHA256
	exclude-environment-credential: true
	exclude-workload-identity-credential: true
	exclude-managed-identity-credential: true
	exclude-shared-token-cache-credential: true
	exclude-visual-studio-credential: true
	exclude-visual-studio-code-credential: true
	exclude-azure-cli-credential: false
	exclude-azure-powershell-credential: true
	exclude-azure-developer-cli-credential: true
	exclude-interactive-browser-credential: true

	- name: Upload dist-win folder
	uses: actions/upload-artifact@v4
	with:
	name: dist-win
	path: src/dist
	if-no-files-found: error

	build-and-sign-mac:
	name: Build app and sign MacOS
	needs: go-test
	runs-on: macos-latest # for codesign and notarytool
	steps:
	- uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: src/go.mod
	cache-dependency-path: src/go.sum

	# - name: Download Go dependencies
	# run: go mod download
	# working-directory: src

	- name: Run GoReleaser (macOS)
	uses: goreleaser/goreleaser-action@v5
	with:
	# distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
	# version: latest
	args: build --id defang-mac ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }}
	workdir: src
	env:
	MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
	MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }}
	MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}

	- name: Upload dist-mac folder
	uses: actions/upload-artifact@v4
	with:
	name: dist-mac
	path: src/dist
	if-no-files-found: error

	go-release:
	# environment: release
	if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits
	needs:
	- build-and-sign-mac
	- build-and-sign
	runs-on: macos-latest # for notarization
	permissions:
	contents: write # to upload archives as GitHub Releases
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0 # for release notes

	- name: Install Nix (for nix-prefetch-url)
	uses: cachix/install-nix-action@v26

	- name: Download dist-mac folder
	uses: actions/download-artifact@v4
	with:
	name: dist-mac
	path: src/dist

	- name: Download dist-win folder
	uses: actions/download-artifact@v4
	with:
	name: dist-win
	path: src/dist

	- name: List files
	run: ls -lR src/dist

	- name: Run GoReleaser
	uses: goreleaser/goreleaser-action@v5
	with:
	distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro'
	# version: latest
	args: release --config .goreleaser-prebuilt.yml
	workdir: src
	env:
	GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
	GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository
	DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
	DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}

	- name: Notarize macOS app # TODO: move to goreleaser.yml
	shell: bash
	run: \|
	bin/notarize.sh dist/defang_*_macOS.zip
	working-directory: src
	env:
	MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
	MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
	MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }}

	post-release:
	runs-on: ubuntu-latest
	needs: go-release

	env:
	NODE_VERSION: "21"
	NPM_REGISTRY_URL: "https://registry.npmjs.org"

	defaults:
	run:
	shell: bash
	working-directory: ./pkgs/npm

	steps:
	- name: Update Windows s.defang.io/defang_win_amd64.zip short link
	run: \|
	curl --request POST \
	--url https://api.short.io/links/$DEFANG_WIN_AMD64_LNK \
	--header "Authorization: $SHORTIO_PK" \
	--header 'accept: application/json' \
	--header 'content-type: application/json' \
	--data "{\"originalURL\":\"https://github.com/DefangLabs/defang/releases/download/${TAG}/defang_${TAG#v}_windows_amd64.zip\"}"
	env:
	SHORTIO_PK: ${{ secrets.SHORTIO_PK }}
	TAG: ${{ github.ref_name }}
	DEFANG_WIN_AMD64_LNK: "lnk_4vSQ_CDukZ5POEE4o0mMDysr2U"

	- name: Trigger CLI Autodoc
	uses: peter-evans/repository-dispatch@v3
	with:
	token: ${{ secrets.DOCS_ACTION_TRIGGER_TOKEN }}
	repository: DefangLabs/defang-docs
	event-type: cli-autodoc
	client-payload: '{"version": "${{ github.ref_name }}"}'

	- name: Trigger Homebrew Formula Update
	uses: peter-evans/repository-dispatch@v3
	with:
	token: ${{ secrets.HOMEBREW_ACTION_TRIGGER_TOKEN }}
	repository: DefangLabs/homebrew-defang
	event-type: update-homebrew-formula
	client-payload: '{"version": "${{ github.ref_name }}"}'

	- name: Checkout tag
	uses: actions/checkout@v4

	- name: Install node
	uses: actions/setup-node@v4
	with:
	node-version: ${{ env.NODE_VERSION }}
	registry-url: ${{ env.NPM_REGISTRY_URL }}

	- name: Publish to NPM
	run: \|
	# Get version number without the 'v'
	export version_number=`echo "${{ github.ref_name }}" \| cut -c2- `

	echo "Setting version number to ${version_number}"
	# update version placeholder in package.json with version matching binary.
	npm version ${version_number}

	# install dependencies
	npm ci --ignore-scripts

	# build
	npm run build

	# make the cli.js executable
	chmod u+x ./bin/cli.js

	# publish the package
	npm publish --access public
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPMJS_AUTH_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ensure no diff after go mod tidy #1241

Workflow file

ensure no diff after go mod tidy #1241

Jobs

Run details

Workflow file for this run