Problem: minor security issue in github workflow #2781
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: nix flow | |
on: | |
pull_request: | |
merge_group: | |
push: | |
branches: | |
- master | |
- release/** | |
tags: | |
- "*" | |
env: | |
NIXPKGS_ALLOW_INSECURE: 1 | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
skipPush: true | |
- name: lint | |
run: make lint-ci | |
test: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
# github don't pass secrets for pull request from fork repos, | |
# in that case the push is disabled naturally. | |
signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}" | |
- name: Run integration tests | |
run: make nix-integration-test | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files.tar.gz -C "${TMPDIR-/tmp}/pytest-of-runner" . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files | |
path: debug_files.tar.gz | |
if-no-files-found: ignore | |
upload-cache: | |
if: github.event_name == 'push' | |
needs: ["test"] | |
strategy: | |
matrix: | |
os: [macos-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
# github don't pass secrets for pull request from fork repos, | |
# in that case the push is disabled naturally. | |
signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}" | |
- name: 'instantiate integration test env' | |
run: nix-store -r $(nix-instantiate integration_tests/shell.nix) | |
test-upgrade: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-upgrade | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_upgrade | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_upgrade.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_upgrade | |
path: debug_files_upgrade.tar.gz | |
if-no-files-found: ignore | |
test-ledger: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-ledger | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_ledger | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_ledger.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_ledger | |
path: debug_files_ledger.tar.gz | |
if-no-files-found: ignore | |
test-solomachine: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-solomachine | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_solomachine | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_solomachine.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_solomachine | |
path: debug_files_solomachine.tar.gz | |
if-no-files-found: ignore | |
test-slow: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-slow | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_slow | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_slow.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_slow | |
path: debug_files_slow.tar.gz | |
if-no-files-found: ignore | |
test-ibc: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-ibc | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_ibc | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_ibc.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_ibc | |
path: debug_files_ibc.tar.gz | |
if-no-files-found: ignore | |
test-byzantine: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-byzantine | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_byzantine | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_byzantine.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_byzantine | |
path: debug_files_byzantine.tar.gz | |
if-no-files-found: ignore | |
test-gov: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-gov | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_gov | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_gov.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_gov | |
path: debug_files_gov.tar.gz | |
if-no-files-found: ignore | |
test-grpc: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: cachix/install-nix-action@v23 | |
with: | |
extra_nix_config: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: crypto-com | |
- name: Run integration tests | |
run: make nix-integration-test-grpc | |
- name: Convert coverage data | |
run: | | |
nix profile install nixpkgs#go_1_22 | |
go tool covdata textfmt -i=coverage -o profile.txt | |
- name: Upload coverage report | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ./profile.txt | |
flags: integration_tests_grpc | |
- name: Tar debug files | |
if: failure() | |
run: tar cfz debug_files_grpc.tar.gz -C ${TMPDIR-/tmp}/pytest-of-runner . | |
- uses: actions/upload-artifact@v2 | |
if: failure() | |
with: | |
name: debug_files_grpc | |
path: debug_files_grpc.tar.gz | |
if-no-files-found: ignore |