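---
# GitHub Actions workflow: lint, test, CodeQL-scan and publish the gluetun image.
# Action references below use major-version tags; pinning each `uses:` to a full
# commit SHA would make the action supply chain immutable.
name: CI

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader treats it as the trigger map.
on:
  release:
    types:
      - published
  push:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum

jobs:
  # Lint, mock check, unit tests (in a container) and a final image build; no secrets needed.
  verify:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    env:
      DOCKER_BUILDKIT: "1"
    steps:
      - uses: actions/checkout@v5
      - uses: reviewdog/action-misspell@v1
        with:
          locale: "US"
          level: error
          exclude: |
            ./internal/storage/servers.json
            *.md
      - name: Linting
        run: docker build --target lint .
      - name: Mocks check
        run: docker build --target mocks .
      - name: Build test image
        run: docker build --target test -t test-container .
      - name: Run tests in test container
        # coverage.txt is pre-created on the host so the bind mount is a file, not a directory
        run: |
          touch coverage.txt
          docker run --rm --device /dev/net/tun \
            -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
            test-container
      - name: Build final image
        run: docker build -t final-image .

  # Integration run against a real provider; gated to trusted events so forks and
  # dependabot PRs never get access to the `secrets` environment.
  verify-private:
    if: |
      github.repository == 'qdm12/gluetun' && (
        github.event_name == 'push' ||
        github.event_name == 'release' ||
        (github.event_name == 'pull_request' &&
         github.event.pull_request.head.repo.full_name == github.repository &&
         github.actor != 'dependabot[bot]')
      )
    needs: [verify]
    runs-on: ubuntu-latest
    environment: secrets
    # Least privilege: nothing in this job pushes or writes to the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
      - run: docker build -t qmcgaw/gluetun .
      - name: Setup Go for CI utility
        uses: actions/setup-go@v6
        with:
          go-version-file: ci/go.mod
      - name: Build utility
        run: go build -C ./ci -o runner ./cmd/main.go
      - name: Run Gluetun container with Mullvad configuration
        # Secrets are passed through env rather than interpolated into the script text,
        # so their content is never spliced into the shell source. printf '%s' does not
        # interpret backslash escapes, unlike the previous `echo -e`.
        env:
          MULLVAD_WIREGUARD_PRIVATE_KEY: ${{ secrets.MULLVAD_WIREGUARD_PRIVATE_KEY }}
          MULLVAD_WIREGUARD_ADDRESS: ${{ secrets.MULLVAD_WIREGUARD_ADDRESS }}
        run: printf '%s\n%s\n' "$MULLVAD_WIREGUARD_PRIVATE_KEY" "$MULLVAD_WIREGUARD_ADDRESS" | ./ci/runner mullvad

  # Static analysis; only security-events needs write access (to upload results).
  codeql:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - uses: github/codeql-action/init@v4
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v4
      - uses: github/codeql-action/analyze@v4

  # Multi-arch build and push; same trust gate as verify-private.
  publish:
    if: |
      github.repository == 'qdm12/gluetun' && (
        github.event_name == 'push' ||
        github.event_name == 'release' ||
        (github.event_name == 'pull_request' &&
         github.event.pull_request.head.repo.full_name == github.repository &&
         github.actor != 'dependabot[bot]')
      )
    needs: [verify, codeql]
    permissions:
      actions: read
      contents: read
      packages: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      # extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          flavor: |
            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          images: |
            ghcr.io/qdm12/gluetun
            qmcgaw/gluetun
            qmcgaw/private-internet-access
          tags: |
            type=ref,event=pr
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: qdm12
          password: ${{ github.token }}
      - name: Short commit
        id: shortcommit
        # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT.
        run: echo "value=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
      - name: Build and push final image
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7,linux/ppc64le
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            CREATED=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            COMMIT=${{ steps.shortcommit.outputs.value }}
            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          tags: ${{ steps.meta.outputs.tags }}
          push: true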