diff --git a/.github/actions/go-setup/action.yml b/.github/actions/go-setup/action.yml
new file mode 100644
index 00000000..3d42d137
--- /dev/null
+++ b/.github/actions/go-setup/action.yml
@@ -0,0 +1,58 @@ +name: Set up Go toolchain (setup-go boilerplate) +description: > + Shared composite for the `actions/setup-go` boilerplate that follows + every `actions/checkout` in ~every Go-touching job (ci.yml, bench.yml, + chaos.yml, chart.yml, codeql.yml, install-bench.yml, + nccl-fr-fuzz-nightly.yml). + + Callers MUST run `actions/checkout` themselves first — GitHub requires + the repo on disk before a local action path (`./.github/actions/...`) + can resolve. This composite intentionally covers only the setup-go + half of the pair because each caller's checkout already varies + (some pin `fetch-depth: 0`, `ref: `, etc.) and + collapsing the variable half into a shared step would force every + caller into the lowest common denominator. + + Centralises three sources of fragmentation that recurred on every + CI-touching PR: + + 1. The setup-go SHA drifted independently per workflow on + Dependabot bumps. Pinned here once: + actions/setup-go 4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + 2. `go-version-file: go.mod` + `cache: true` pair was copy-pasted + N times; a stray `cache: false` regressed CI wall-time twice + before this consolidation. + 3. Submodule-style call-sites (e.g. `module/`) need a different + `working-directory` for `go.mod` resolution — encoded as an + input instead of duplicating the whole composite. + + SKIPPED callers (intentionally not migrated, see PR body): + - compat-matrix.yml — pins `cache: false` with a zizmor + cache-poisoning justification for publishing workflows. + - release.yml — same zizmor `cache: true # zizmor: ignore[cache-poisoning]` + inline comment that would be lost through input passthrough. + +inputs: + working-directory: + description: > + Directory containing the `go.mod` to resolve the Go toolchain + version from. Defaults to the repo root; pass `module/` (or + similar) for sub-module callers. + required: false + default: '.' + cache: + description: > + Whether to enable setup-go's module cache. 
Defaults to `'true'`; + pass `'false'` only when a workflow has an explicit reason + (publishing workflows that must avoid cache-poisoning per + zizmor audit). + required: false + default: 'true' + +runs: + using: composite + steps: + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version-file: ${{ inputs.working-directory }}/go.mod + cache: ${{ inputs.cache }} diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml index 771b8bd8..cccf4215 100644 --- a/.github/workflows/bench.yml +++ b/.github/workflows/bench.yml @@ -36,10 +36,7 @@ jobs: timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: BenchmarkPodEvictedDetector_1kEventWindow run: | set -euo pipefail diff --git a/.github/workflows/chaos.yml b/.github/workflows/chaos.yml index 587db329..820f4b6d 100644 --- a/.github/workflows/chaos.yml +++ b/.github/workflows/chaos.yml @@ -62,10 +62,7 @@ jobs: arch: [amd64, arm64] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: Set up QEMU if: matrix.arch != 'amd64' uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 @@ -112,10 +109,7 @@ jobs: timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: Install sysstat run: sudo apt-get update && sudo apt-get install -y sysstat - name: Build failure-inject 
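Review bot: The `cache` input in the new action.yml defaults to `'true'`, so once a workflow calls this composite the caching decision is no longer visible in the workflow file, even though the description records that publishing workflows (compat-matrix.yml, release.yml) must not cache because of zizmor's cache-poisoning finding. A release-style workflow that adopts `./.github/actions/go-setup` later would inherit caching silently, and a per-workflow audit may not trace the setting through a local composite (worth confirming against the zizmor version in use). I would put the warning next to the `cache: ${{ inputs.cache }}` line and not only in the description, e.g. `# publishing/release jobs must pass cache: 'false' (cache-poisoning); the 'true' default is for CI-only jobs`. Separately, when `working-directory` is not the repo root the cache key is presumably still derived from the root `go.sum`; adding `cache-dependency-path: ${{ inputs.working-directory }}/go.sum` under `with:` would keep it aligned with the `go.mod` being read.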
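Review bot: Replacing the SHA-pinned `actions/setup-go` step in bench.yml with `./.github/actions/go-setup` means the step definition is now read from whatever tree `actions/checkout` placed on disk, not from an immutable upstream commit. That is fine for jobs that only build trusted refs, but the triggers and permissions of these workflows are outside the hunks, so it is worth confirming that none of the migrated jobs checks out a fork or PR head under a privileged trigger. The same applies to the identical replacements in chaos.yml, chart.yml, ci.yml, codeql.yml, install-bench.yml and nccl-fr-fuzz-nightly.yml. A one-line comment at each call site would record the assumption: `# local action: loaded from the checked-out ref; keep this job on trusted checkouts`.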
@@ -205,10 +199,7 @@ jobs: run_corpus: "true" steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup # Hermetic detector run: synthetic events built in the *_test.go # exercise the detector under -race. Positive cases assert the # emitted verdict carries the correct pattern.id; Negative cases diff --git a/.github/workflows/chart.yml b/.github/workflows/chart.yml index a7c26017..2c7f67c7 100644 --- a/.github/workflows/chart.yml +++ b/.github/workflows/chart.yml @@ -34,10 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: Install helm uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: @@ -580,10 +577,7 @@ jobs: needs: render steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - uses: ./.github/actions/kind-cluster-setup with: cluster-name: tracecore-m5b @@ -679,10 +673,7 @@ jobs: needs: render steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - uses: ./.github/actions/kind-cluster-setup with: cluster-name: tracecore-upgrade diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index beea3ff6..bd820404 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -101,10 +101,7 @@ jobs: if: needs.changes.outputs.code == 'true' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: test (race) + coverage-check run: make coverage-check @@ -115,10 +112,7 @@ jobs: if: needs.changes.outputs.code == 'true' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: vet run: make vet - name: lint @@ -132,10 +126,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # full history so doc-check's diff-scope gates resolve base_ref...HEAD merge-base on PR branches - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: license-check run: make license-check - name: build-tags @@ -231,10 +222,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: validator-recipe run: make validator-recipe - name: smoke-quickstart @@ -320,10 +308,7 @@ jobs: if: needs.changes.outputs.code == 'true' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: Build linux/amd64 env: GOOS: linux 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9c5f1d3d..aaa780af 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,10 +23,7 @@ jobs: language: [go] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: languages: ${{ matrix.language }} diff --git a/.github/workflows/install-bench.yml b/.github/workflows/install-bench.yml index 75e32ed6..5b353ed7 100644 --- a/.github/workflows/install-bench.yml +++ b/.github/workflows/install-bench.yml @@ -42,10 +42,7 @@ jobs: timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - uses: ./.github/actions/kind-cluster-setup with: cluster-name: tracecore-install-bench diff --git a/.github/workflows/nccl-fr-fuzz-nightly.yml b/.github/workflows/nccl-fr-fuzz-nightly.yml index f094640c..ab26889c 100644 --- a/.github/workflows/nccl-fr-fuzz-nightly.yml +++ b/.github/workflows/nccl-fr-fuzz-nightly.yml @@ -21,10 +21,7 @@ jobs: timeout-minutes: 20 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - cache: true + - uses: ./.github/actions/go-setup - name: 10-minute FuzzParseFRPickle run: make test-extras-fuzz-nccl-fr