CE Refactor Part 2: create Services package and update main.go #49
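---
# CI for the Consent Engine service.
#   validate: tidy check, build, tests against a throwaway Postgres, secret scan
#             (pull_request, push, workflow_dispatch)
#   publish:  build and push the container image to GHCR (push events only)
name: Build and Push Consent Engine Docker Image

on:
  push:
    branches:
      - main
    paths:
      - 'exchange/consent-engine/**'
      - 'exchange/shared/**'
      - '.github/workflows/build-consent-engine.yml'
    tags:
      - 'consent-engine-v*'
      - 'v*'
  pull_request:
    paths:
      - 'exchange/consent-engine/**'
      - 'exchange/shared/**'
      - '.github/workflows/build-consent-engine.yml'
  workflow_dispatch:

env:
  # === Service-specific variables ===
  SERVICE_PATH: 'exchange/consent-engine'
  IMAGE_NAME: ${{ github.repository }}/consent-engine
  TEST_DB_NAME: consent_engine_test
  # ================================
  REGISTRY: ghcr.io
  GO_VERSION: '1.24'
  TEST_DB_USER: postgres
  # Throwaway credential: only consumed by the ephemeral postgres service
  # container started in the validate job below. Not a deployed secret.
  TEST_DB_PASS: password

jobs:
  # ----------------------------------------------------
  # JOB 1: VALIDATE (Runs on PRs and on push)
  # ----------------------------------------------------
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # To check out the code
      # 'security-events: write' removed (least privilege): no step in this
      # job uploads SARIF / code-scanning results. Re-add it together with
      # such an upload step.
    services:
      postgres:
        image: postgres:15
        env:
          POSTGRES_USER: ${{ env.TEST_DB_USER }}
          POSTGRES_PASSWORD: ${{ env.TEST_DB_PASS }}
          POSTGRES_DB: ${{ env.TEST_DB_NAME }}
        ports:
          - '5432:5432'  # quoted: digit/colon values are int-like in YAML 1.1
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history: the TruffleHog step below diffs base..HEAD, and the
          # default shallow clone contains only the HEAD commit.
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Run Go Mod Tidy
        run: cd ${{ env.SERVICE_PATH }} && go mod tidy

      # Fails the job if 'go mod tidy' changed go.mod/go.sum, i.e. the
      # committed module files were not tidy.
      - name: Check for unclean Go Mod
        run: |
          if ! git diff --exit-code -- ${{ env.SERVICE_PATH }}/go.mod ${{ env.SERVICE_PATH }}/go.sum; then
            echo "::error::go.mod or go.sum files have uncommitted changes. Please run 'go mod tidy' and commit."
            git diff -- ${{ env.SERVICE_PATH }}/go.mod ${{ env.SERVICE_PATH }}/go.sum
            exit 1
          fi
          echo "Go mod files are clean."

      - name: Build application
        run: cd ${{ env.SERVICE_PATH }} && go build . 

      # Tests reach the postgres service container via the published
      # host port 5432.
      - name: Run unit & integration tests
        env:
          TEST_DB_HOST: localhost
          TEST_DB_PORT: '5432'
          TEST_DB_USERNAME: ${{ env.TEST_DB_USER }}
          TEST_DB_PASSWORD: ${{ env.TEST_DB_PASS }}
          TEST_DB_DATABASE: ${{ env.TEST_DB_NAME }}
          TEST_DB_SSLMODE: disable
        run: cd ${{ env.SERVICE_PATH }} && go test ./... -count=1

      - name: Scan repository for secrets (TruffleHog)
        # TODO(review): pin this action to a release tag or commit SHA
        # instead of the moving 'main' branch so the scanner code that runs
        # in CI is reproducible (supply-chain hygiene); every other action in
        # this file is at least tag-pinned.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # NOTE(review): github.event.before is absent on pull_request and
          # workflow_dispatch runs (falls back to 'main') and is the all-zero
          # SHA when a new tag is pushed — confirm the scanner handles both
          # cases, e.g. by preferring github.event.pull_request.base.sha on PRs.
          base: ${{ github.event.before || 'main' }}
          head: HEAD
          extra_args: --only-verified

  # ----------------------------------------------------
  # JOB 2: PUBLISH (Runs ONLY on push events: branch pushes to main and
  # tag pushes matching on.push.tags; never on pull_request or dispatch)
  # ----------------------------------------------------
  publish:
    runs-on: ubuntu-latest
    needs: [validate]  # Depends on the 'validate' job
    if: github.event_name == 'push'  # Only run this job on a push
    permissions:
      contents: read  # To check out the code
      packages: write  # To push images to GHCR
      # 'security-events: write' removed (least privilege): this job has no
      # Trivy / SARIF upload step. Re-add it together with that step.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # 'type=ref,event=pr' intentionally omitted - this job only runs on
          # push. (Kept as a YAML comment: a '#' line inside the block scalar
          # below would be part of the 'tags' value, not a comment.)
          # NOTE(review): the semver patterns probably only yield tags for
          # bare 'vX.Y.Z' git tags; 'consent-engine-v*' tags may produce only
          # the sha tag — confirm against metadata-action's semver handling.
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha,format=long
            type=raw,value=latest,enable={{is_default_branch}}
          labels: |
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.description=Consent Engine service for managing data consent workflows
            org.opencontainers.image.licenses=Apache-2.0

      - name: Build and push Docker image
        id: build-push
        uses: docker/build-push-action@v5
        with:
          context: ${{ env.SERVICE_PATH }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # BUILD_TIME falls back to a fixed constant when neither timestamp
          # is present in the event payload (e.g. some tag pushes).
          build-args: |
            SERVICE_PATH=${{ env.SERVICE_PATH }}
            BUILD_VERSION=${{ github.sha }}
            BUILD_TIME=${{ github.event.head_commit.timestamp || github.event.repository.pushed_at || '2025-01-01T00:00:00Z' }}
            GIT_COMMIT=${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max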