
Patch release v1.14.1 #1559



# Nightly workflow: scheduled (and manually triggered) long-running checks;
# the trigger definition is under `on:` below.
name: Nightly

Check failure on line 1 in .github/workflows/nightly.yaml


GitHub Actions / .github/workflows/nightly.yaml

Invalid workflow file

(Line: 25, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 61, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 87, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 123, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 157, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 187, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 236, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != ''
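on:
  workflow_dispatch: {} # Allow for manual triggers
  schedule:
    - cron: '0 8 * * 0-4' # Sun-Thu, at 8:00 UTC

# Default token permissions for every job: read-only checkout is all that is
# needed here, so nothing below requests write scopes.
permissions:
  contents: read

# Each job ends with a Slack notification on failure. The `secrets` context is
# not available in a step-level `if:` (the workflow loader rejects it with
# "Unrecognized named-value: 'secrets'"), so each notification step copies the
# webhook into its own step-level `env` and tests `env.SLACK_NOTIFICATION_WEBHOOK`
# instead. Scoping the env to that single step keeps the webhook out of the
# environment of the test/scan steps.
jobs:
  race-detector:
    name: Go Race Detector
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Test with Race Detector
        run: CGO_ENABLED=1 make ci-go-race-detector
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }

  native-fuzzer:
    name: Go Fuzzer (native)
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - id: go_version
        name: Read go version
        # Quoted so the output file path survives any whitespace in $GITHUB_OUTPUT.
        run: echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
      - name: Install Go (${{ steps.go_version.outputs.go_version }})
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ steps.go_version.outputs.go_version }}
      - name: go test -fuzz
        # `-run '^$'` skips the regular unit tests so only the fuzz target runs.
        run: go test ./ast -fuzz FuzzParseStatementsAndCompileModules -fuzztime 1h -v -run '^$'
      - name: Dump crashers
        # Print any new crasher inputs the fuzzer wrote so they appear in the log.
        if: ${{ failure() }}
        run: find ast/testdata/fuzz ! -name '*.stmt' ! -type d -print -exec cat {} \;
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }

  go-perf:
    name: Go Perf
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Benchmark Test Golang
        run: make ci-go-perf
        timeout-minutes: 45
        env:
          DOCKER_RUNNING: 0
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }

  trivy-scan-image:
    name: Trivy security scan image
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code # needed for .trivyignore file
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: "docker pull openpolicyagent/opa:edge-static"
      # Equivalent to:
      # $ trivy image openpolicyagent/opa:edge-static
      - name: Run Trivy scan on image
        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
        with:
          image-ref: 'openpolicyagent/opa:edge-static'
          format: table
          # Fail the job on any CRITICAL/HIGH finding that has a fix available.
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH
        env:
          # Fallback DB mirror in case the primary registry is rate-limited.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }

  trivy-scan-repo:
    name: Trivy security scan repo
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Equivalent to:
      # $ trivy fs .
      - name: Run Trivy scan on repo
        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
        with:
          scan-type: fs
          format: table
          # Fail the job on any CRITICAL/HIGH finding that has a fix available.
          exit-code: '1'
          ignore-unfixed: true
          skip-dirs: vendor/
          severity: CRITICAL,HIGH
        env:
          # Fallback DB mirror in case the primary registry is rate-limited.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }

  govulncheck:
    name: Go vulnerability check
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - id: go_version
        name: Read go version
        # Quoted so the output file path survives any whitespace in $GITHUB_OUTPUT.
        run: echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
      - name: Install Go (${{ steps.go_version.outputs.go_version }})
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ steps.go_version.outputs.go_version }}
      # NOTE(review): `@latest` is the one unpinned dependency in this workflow
      # (every action above is pinned by commit SHA); consider pinning it to a
      # specific govulncheck release once one is agreed on.
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }

  go-get-test:
    name: Go Get Smoke Test
    runs-on: ubuntu-24.04
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - id: go_version
        name: Read go version
        # Quoted so the output file path survives any whitespace in $GITHUB_OUTPUT.
        run: echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
      - name: Install Go (${{ steps.go_version.outputs.go_version }})
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ steps.go_version.outputs.go_version }}
      - name: Test go get without proxy
        # Fails the job if `go get` of the module at `main` prints any warning.
        run: |
          mkdir -p /tmp/go-get-test
          cd /tmp/go-get-test
          go mod init test-go-get
          # Disable Go module proxy to test direct VCS access
          export GOPROXY=direct
          # Test go get with current main
          if go get github.com/open-policy-agent/opa@main 2>&1 | tee /tmp/go-get-output.log | grep -q "warning"; then
            echo "ERROR: Found warnings during go get:"
            grep "warning" /tmp/go-get-output.log
            exit 1
          fi
          echo "Success: No warnings found"
        timeout-minutes: 10
      - name: Slack Notification
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        # `secrets.*` is not allowed in a step `if:`; check the step-scoped env copy.
        if: ${{ failure() && env.SLACK_NOTIFICATION_WEBHOOK != '' }}
        env:
          SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
        with:
          webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "Workflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
            }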