Jesse Hallam 2026-05-25 05:45:35 +02:00 committed by GitHub
commit bcb87c83fb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 105 additions and 17 deletions


@ -21,6 +21,10 @@ on:
required: false
default: false
type: boolean
build-image:
description: "The build image to use (Docker Hub ref normally, ghcr.io ref for in-flight Go bumps)"
required: true
type: string
jobs:
test:
@ -41,12 +45,13 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup BUILD_IMAGE
id: build
env:
BUILD_IMAGE: ${{ inputs.build-image }}
run: |
echo "BUILD_IMAGE=${BUILD_IMAGE}" >> "${GITHUB_OUTPUT}"
if [[ ${{ inputs.fips-enabled }} == 'true' ]]; then
echo "BUILD_IMAGE=mattermost/mattermost-build-server-fips:${{ inputs.go-version }}" >> "${GITHUB_OUTPUT}"
echo "LOG_ARTIFACT_NAME=${{ inputs.logsartifact }}-fips" >> "${GITHUB_OUTPUT}"
else
echo "BUILD_IMAGE=mattermost/mattermost-build-server:${{ inputs.go-version }}" >> "${GITHUB_OUTPUT}"
echo "LOG_ARTIFACT_NAME=${{ inputs.logsartifact }}" >> "${GITHUB_OUTPUT}"
fi
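Review bot: The Setup BUILD_IMAGE step now routes `inputs.build-image` through `env:` and reads it as `${BUILD_IMAGE}`, but the surviving lines of the same script still expand `${{ inputs.fips-enabled }}` and `${{ inputs.logsartifact }}` directly into the shell (the `if [[ … ]]` test and both `LOG_ARTIFACT_NAME` echoes); markers are lost on this page, but the hunk counts suggest those lines remain on the new side. For consistency and to keep the script free of expression expansion, add `FIPS_ENABLED: ${{ inputs.fips-enabled }}` and `LOGS_ARTIFACT: ${{ inputs.logsartifact }}` under the step's `env:` and reference `"${FIPS_ENABLED}"` / `"${LOGS_ARTIFACT}"` in the script. The identical step in the last file section of this commit has the same mixed pattern. The step body may continue past the end of the hunk.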


@ -46,6 +46,7 @@ jobs:
logsartifact: race-detector-server-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: false
build-image: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
fullyparallel: false
race-enabled: true
runner: ubuntu-22.04
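Review bot: The new `build-image` value here is a hard-coded Docker Hub reference built from `needs.go.outputs.version`, whereas the main CI workflow in this commit passes the resolved `${{ needs.go.outputs.image }}` / `image-fips` outputs, which fall back to a ghcr.io image during an in-flight Go bump. If this workflow's `go` job does not run the resolve step, the hard-coded form is the only option, but then a comment saying so would save the next reader from wiring in a non-existent output; if it does, prefer the resolved output so a Go bump does not break this workflow first. The same hard-coded form appears three times in the next file section (the postgres-binary, postgres-fips and mmctl-fips callers).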


@ -47,6 +47,7 @@ jobs:
logsartifact: postgres-binary-server-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: false
build-image: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
# Unsharded run on a single 8-core runner: fullyparallel=true causes
# resource exhaustion (too many server instances, WebSocket hubs, and
# DB connections) and crashes the hosted runner. See #35995.
@ -64,6 +65,7 @@ jobs:
logsartifact: postgres-server-fips-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: true
build-image: mattermost/mattermost-build-server-fips:${{ needs.go.outputs.version }}
# Unsharded run on a single 8-core runner: see note on test-postgres-binary.
fullyparallel: false
@ -79,3 +81,4 @@ jobs:
logsartifact: mmctl-fips-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: true
build-image: mattermost/mattermost-build-server-fips:${{ needs.go.outputs.version }}


@ -17,8 +17,6 @@ on:
- ".github/workflows/server-test-template.yml"
- ".github/workflows/server-test-merge-template.yml"
- ".github/workflows/mmctl-test-template.yml"
- "!server/build/Dockerfile.buildenv"
- "!server/build/Dockerfile.buildenv-fips"
- "tools/mattermost-govet/**"
- "!server/**/*.md"
- "!server/NOTICE.txt"
@ -32,9 +30,17 @@ jobs:
go:
name: Compute Go Version
runs-on: ubuntu-22.04
permissions:
id-token: write # for chainguard (FIPS base image pull)
contents: read
packages: write # for ghcr.io push
outputs:
version: ${{ steps.calculate.outputs.GO_VERSION }}
gomod-changed: ${{ steps.changed-files.outputs.any_changed }}
image: ${{ steps.resolve.outputs.image }}
image-fips: ${{ steps.resolve.outputs.image-fips }}
env:
CHAINCTL_IDENTITY: ee399b4c72dd4e58e3d617f78fc47b74733c9557/922f2d48307d6f5f
steps:
- name: Checkout mattermost project
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@ -48,11 +54,73 @@ jobs:
with:
files: |
**/go.mod
- name: buildenv/docker-login
# Private FIPS image on Docker Hub requires auth to inspect. Skip on fork PRs where secrets
# are unavailable; the FIPS build steps below are also skipped for forks.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Resolve image references
id: resolve
env:
GO_VERSION: ${{ steps.calculate.outputs.GO_VERSION }}
COMMIT_SHA: ${{ github.sha }}
run: |
if docker manifest inspect "mattermost/mattermost-build-server:${GO_VERSION}" > /dev/null 2>&1; then
echo "image=mattermost/mattermost-build-server:${GO_VERSION}" >> "${GITHUB_OUTPUT}"
else
echo "image=ghcr.io/mattermost/mattermost-build-server:${COMMIT_SHA}" >> "${GITHUB_OUTPUT}"
echo "BUILDENV_NEEDED=true" >> "${GITHUB_ENV}"
fi
if docker manifest inspect "mattermost/mattermost-build-server-fips:${GO_VERSION}" > /dev/null 2>&1; then
echo "image-fips=mattermost/mattermost-build-server-fips:${GO_VERSION}" >> "${GITHUB_OUTPUT}"
else
echo "image-fips=ghcr.io/mattermost/mattermost-build-server-fips:${COMMIT_SHA}" >> "${GITHUB_OUTPUT}"
echo "BUILDENV_FIPS_NEEDED=true" >> "${GITHUB_ENV}"
fi
- name: Login to ghcr.io
if: env.BUILDENV_NEEDED == 'true' || env.BUILDENV_FIPS_NEEDED == 'true'
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Chainctl
if: env.BUILDENV_FIPS_NEEDED == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d # v0.5.0
with:
identity: ${{ env.CHAINCTL_IDENTITY }}
- name: Build and push buildenv to ghcr.io
if: env.BUILDENV_NEEDED == 'true'
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
provenance: false
file: server/build/Dockerfile.buildenv
push: true
tags: ${{ steps.resolve.outputs.image }}
labels: org.opencontainers.image.source=https://github.com/mattermost/mattermost
- name: Build and push buildenv-fips to ghcr.io
if: env.BUILDENV_FIPS_NEEDED == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
provenance: false
file: server/build/Dockerfile.buildenv-fips
push: true
tags: ${{ steps.resolve.outputs.image-fips }}
labels: org.opencontainers.image.source=https://github.com/mattermost/mattermost
check-mocks:
name: Check mocks
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -69,7 +137,7 @@ jobs:
name: Check go mod tidy
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -86,7 +154,7 @@ jobs:
name: Check go fix
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -103,7 +171,7 @@ jobs:
name: check-style
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -118,7 +186,7 @@ jobs:
name: Check serialization methods for hot structs
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -135,7 +203,7 @@ jobs:
name: Vet API
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -150,7 +218,7 @@ jobs:
name: Check migration files
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -165,7 +233,7 @@ jobs:
name: Generate email templates
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -182,7 +250,7 @@ jobs:
name: Check store layers
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -199,7 +267,7 @@ jobs:
name: Check mmctl docs
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
@ -236,6 +304,7 @@ jobs:
enablecoverage: ${{ github.event_name != 'pull_request' || !startsWith(github.event.pull_request.base.ref, 'release-') }}
go-version: ${{ needs.go.outputs.version }}
fips-enabled: false
build-image: ${{ needs.go.outputs.image }}
shard-index: ${{ matrix.shard }}
shard-total: 4
# -- Merge test results (handles both single-run and future sharded runs) --
@ -262,6 +331,7 @@ jobs:
logsartifact: elasticsearch-v8-server-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: false
build-image: ${{ needs.go.outputs.image }}
elasticsearch-version: "8.9.0"
test-target: "test-server-elasticsearch"
@ -277,6 +347,7 @@ jobs:
logsartifact: opensearch-v2-server-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: false
build-image: ${{ needs.go.outputs.image }}
opensearch-version: "2.19.0"
test-target: "test-server-opensearch"
@ -299,6 +370,7 @@ jobs:
logsartifact: "postgres-server-fips-test-logs-shard-${{ matrix.shard }}"
go-version: ${{ needs.go.outputs.version }}
fips-enabled: true
build-image: ${{ needs.go.outputs.image-fips }}
shard-index: ${{ matrix.shard }}
shard-total: 4
merge-postgres-fips-test-results:
@ -322,6 +394,7 @@ jobs:
logsartifact: mmctl-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: false
build-image: ${{ needs.go.outputs.image }}
test-mmctl-fips:
if: contains(github.head_ref, 'fips') || needs.go.outputs.gomod-changed == 'true'
name: Run mmctl tests (FIPS)
@ -335,12 +408,13 @@ jobs:
logsartifact: mmctl-fips-test-logs
go-version: ${{ needs.go.outputs.version }}
fips-enabled: true
build-image: ${{ needs.go.outputs.image-fips }}
build-mattermost-server:
name: Build mattermost server app
needs: go
runs-on: ubuntu-22.04
container: mattermost/mattermost-build-server:${{ needs.go.outputs.version }}
container: ${{ needs.go.outputs.image }}
defaults:
run:
working-directory: server
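Review bot: In the `go` job's new resolve/build steps, "Build and push buildenv to ghcr.io" is gated only on `env.BUILDENV_NEEDED == 'true'`, while its FIPS sibling and the Docker Hub login step also exclude fork pull requests; on a fork PR the `GITHUB_TOKEN` cannot push packages, so a missing Docker Hub tag would make this step fail rather than be skipped. If that is intended, a comment on the step would help; otherwise add the same `github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` condition used on the FIPS step. Separately, the resolve step treats any non-zero exit from `docker manifest inspect` as "image missing", so a transient registry or auth failure silently triggers a rebuild and push of the `:${COMMIT_SHA}` tag; consider at least logging the inspect error so that path is visible in the run log. Downstream jobs then consume that ghcr.io tag by name, so pinning `image` to the digest reported by `docker/build-push-action` (its `digest` output) would make the container reference immutable.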


@ -64,6 +64,10 @@ on:
required: false
type: boolean
default: false
build-image:
description: "The build image to use (Docker Hub ref normally, ghcr.io ref for in-flight Go bumps)"
required: true
type: string
permissions:
contents: read
@ -109,12 +113,13 @@ jobs:
- name: Setup BUILD_IMAGE
id: build
env:
BUILD_IMAGE: ${{ inputs.build-image }}
run: |
echo "BUILD_IMAGE=${BUILD_IMAGE}" >> "${GITHUB_OUTPUT}"
if [[ ${{ inputs.fips-enabled }} == 'true' ]]; then
echo "BUILD_IMAGE=mattermost/mattermost-build-server-fips:${{ inputs.go-version }}" >> "${GITHUB_OUTPUT}"
echo "LOG_ARTIFACT_NAME=${{ inputs.logsartifact }}-fips" >> "${GITHUB_OUTPUT}"
else
echo "BUILD_IMAGE=mattermost/mattermost-build-server:${{ inputs.go-version }}" >> "${GITHUB_OUTPUT}"
echo "LOG_ARTIFACT_NAME=${{ inputs.logsartifact }}" >> "${GITHUB_OUTPUT}"
fi