.github/workflows/_static_analysis.yaml

@@ -0,0 +1,23 @@
+name: Static Analysis
+
+on:
+  workflow_call:
+
+jobs:
+  static-analysis:
+    name: Run all static analysis checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: newrelic/newrelic-infra-checkers@v1
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v4
+        continue-on-error: ${{ github.event_name != 'pull_request' }}
+        with:
+          only-new-issues: true
+          skip-cache: true
+      - name: Check if CHANGELOG is valid
+        uses: newrelic/release-toolkit/validate-markdown@v1

.github/workflows/_test_build_fake_prerelease.yaml

@@ -0,0 +1,83 @@
+name: Test Build Fake Prerelease
+
+on:
+  workflow_call:
+    inputs:
+      integration:
+        required: true
+        type: string
+      goarch_matrix:
+        required: true
+        type: string
+      download_nrjmx:
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      OHAI_PFX_CERTIFICATE_BASE64:
+        required: true
+      OHAI_PFX_PASSPHRASE:
+        required: true
+env:
+  INTEGRATION: ${{ inputs.integration }}
+  REPO_FULL_NAME: ${{ github.event.repository.full_name }}
+  TAG: "v0.0.0"
+
+jobs:
+  test-build-nix:
+    name: Test binary compilation for all platforms:arch
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          git tag "$TAG"
+          if [ -z "$GPG_PASSPHRASE" ]; then
+            echo NO_SIGN=true >> $GITHUB_ENV
+          fi
+      - name: Build all platforms:arch
+        run: make ci/fake-prerelease
+      - name: Upload artifacts for next job
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-packages
+          path: dist/nri-*.zip
+
+  test-build-windows:
+    name: Create MSI
+    runs-on: windows-latest
+    needs: [test-build-nix]
+    strategy:
+      matrix:
+        goarch: ${{ fromJSON(inputs.goarch_matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - shell: bash
+        run: git tag "$TAG"
+      - name: Download artifact from previous job
+        uses: actions/download-artifact@v4
+        with:
+          name: windows-packages
+      - name: Extract .exe
+        shell: bash
+        run: |
+          7z x nri-${{ inputs.integration }}-${{ matrix.goarch }}.${TAG#v}.zip -o./dist/nri-${{ inputs.integration }}_windows_${{ matrix.goarch }}/
+      - name: Get PFX certificate from GH secrets
+        shell: bash
+        env:
+          PFX_CERTIFICATE_BASE64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }}
+        run: |
+          if [ -z "$PFX_CERTIFICATE_BASE64" ]; then
+            echo NO_SIGN=true >> $GITHUB_ENV
+          else
+            printf "%s" "$PFX_CERTIFICATE_BASE64" | base64 -d - > wincert.pfx
+          fi
+      - name: Download nrjmx
+        if: ${{ inputs.download_nrjmx }}
+        shell: bash
+        run: build/windows/download_nrjmx.sh
+      - name: Create MSI
+        env:
+          PFX_PASSPHRASE: ${{ secrets.OHAI_PFX_PASSPHRASE }}
+        shell: pwsh
+        run: build\windows\package_msi.ps1 -integration "$env:INTEGRATION" -arch ${{ matrix.goarch }} -tag "$env:TAG" -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "New Relic"

.github/workflows/_test_build_nix.yaml

@@ -0,0 +1,15 @@
+name: Test Build *Nix
+
+on:
+  workflow_call:
+
+jobs:
+  test-build-nix:
+    name: Test binary compilation for all platforms:arch
+    runs-on: ubuntu-latest
+    env:
+      TAG: "v0.0.0"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build all platforms:arch
+        run: make ci/build

.github/workflows/_test_integration_nix.yaml

@@ -0,0 +1,18 @@
+name: Integration Tests on *Nix
+
+on:
+  workflow_call:
+
+jobs:
+  test-integration-nix:
+    name: Run integration tests on *Nix
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+      - name: Integration test
+        run: make integration-test

.github/workflows/_test_nix.yaml

@@ -0,0 +1,13 @@
+name: Unit Tests on *Nix
+
+on:
+  workflow_call:
+
+jobs:
+  test-nix:
+    name: Run unit tests on *Nix
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Unit tests
+        run: make ci/test

.github/workflows/_test_windows.yaml

@@ -0,0 +1,20 @@
+name: Unit Tests on Windows
+
+on:
+  workflow_call:
+
+jobs:
+  test-windows:
+    name: Run unit tests on Windows
+    runs-on: windows-2022
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+      - name: Running unit tests
+        shell: pwsh
+        run: |
+          .\build\windows\unit_tests.ps1

.github/workflows/on_push_pr.yaml

@@ -0,0 +1,24 @@
+name: Push/PR pipeline
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - renovate/**
+  pull_request:
+
+jobs:
+  renovate-config-validator:
+    name: Renovatebot config validator
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Renovatebot config validator
+        run: npm install --global renovate
+
+      - name: Test that the config is valid
+        run: |
+            find -name renovate\*.json\* -exec renovate-config-validator {} \; || renovate-config-validator

.github/workflows/repolinter.yml

@@ -2,30 +2,17 @@
 # workflow_dispatch to work properly
 name: Repolinter Action
 
-# NOTE: This workflow will ONLY check the default branch!
-# Currently there is no elegant way to specify the default
-# branch in the event filtering, so branches are instead
-# filtered in the "Test Default Branch" step.
-on: [push, workflow_dispatch]
+on:
+  push:
+  workflow_dispatch:
 
 jobs:
-  repolint:
-    name: Run Repolinter
-    runs-on: ubuntu-latest
-    steps:
-      - name: Test Default Branch
-        id: default-branch
-        uses: actions/github-script@v2
-        with:
-          script: |
-            const data = await github.repos.get(context.repo)
-            return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
-      - name: Checkout Self
-        if: ${{ steps.default-branch.outputs.result == 'true' }}
-        uses: actions/checkout@v4
-      - name: Run Repolinter
-        if: ${{ steps.default-branch.outputs.result == 'true' }}
-        uses: newrelic/repolinter-action@v1
-        with:
-          config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
-          output_type: issue
+  repolinter:
+    uses: ./.github/workflows/reusable_repolinter.yaml
+  # uses: newrelic/coreint-automation/.github/workflows/reusable_repolinter.yaml@v1
+
+    # This is only needed for this repository in particular as it is community free but not fully supported like the OHAIs
+    # If you are copying this pipeline as an example for other repositories that are supported, you will have to remove
+    # this with. Or use the one needed for your use case.
+    with:
+      config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml

.github/workflows/reusable_on_release.yaml

@@ -0,0 +1,105 @@
+name: Release pipeline
+
+# jobs:
+#   job_name:
+#     uses: newrelic/coreint-automation/.github/workflows/reusable_on_release.yaml@v2
+#     with:
+#       tag: ${{ github.event.release.tag_name }}
+#       integration: "integration name" # without the 'nri-' prefix
+#     # When calling this action from the same org we can inherit secrets to avoid specifying them
+#     secrets: inherit
+
+on:
+  workflow_call:
+
+    inputs:
+      tag:
+        description: Tag to be released
+        type: string
+        required: true
+      integration:
+        description: Integration name to be released (without the 'nri-' prefix)
+        type: string
+        required: true
+      # Optional flags
+      test_package:
+        description: Defines if the package should be tested using the 'newrelic/integrations-pkg-test-action/linux' action. Useful if the binary is package with the agent.
+        type: boolean
+        required: false
+        default: true
+      publish_schema:
+        description: Defines the schema for the publish_action.
+        type: string
+        required: false
+        default: "ohi"
+      publish_schema_url:
+        description: Defines the schema_url for the publish_action (it requires publish_schema='custom')
+        type: string
+        required: false
+        default: ""
+
+    secrets: # uppercase secrets to match the already defined organization secrets
+      OHAI_AWS_ROLE_ARN_PRODUCTION:
+        required: true
+      OHAI_AWS_ACCESS_KEY_ID_PRODUCTION:
+        required: true
+      OHAI_AWS_SECRET_ACCESS_KEY_PRODUCTION:
+        required: true
+      OHAI_AWS_ROLE_SESSION_NAME_PRODUCTION:
+        required: true
+      OHAI_GPG_PASSPHRASE:
+        required: true
+      OHAI_GPG_PRIVATE_KEY_BASE64:
+        required: true
+      COREINT_SLACK_TOKEN:
+        required: true
+      COREINT_SLACK_CHANNEL:
+        required: true
+
+jobs:
+  publish-to-s3:
+    name: Send release assets to S3
+    runs-on: ubuntu-latest
+    steps:
+      - name: Publish to S3 action
+        uses: newrelic/infrastructure-publish-action@v1
+        with:
+          # lock enabled
+          disable_lock: false
+          run_id: ${{ github.run_id }}
+          tag: ${{ inputs.tag }}
+          app_name: "nri-${{ inputs.integration }}"
+          repo_name: ${{ github.event.repository.full_name }}
+          access_point_host: "production"
+          schema: ${{ inputs.publish_schema }}
+          schema_url: ${{ inputs.publish_schema_url }}
+          aws_region: "us-east-1"
+          aws_role_arn: ${{ secrets.OHAI_AWS_ROLE_ARN_PRODUCTION }}
+          aws_role_session_name: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_PRODUCTION }}
+          aws_access_key_id: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_PRODUCTION }}
+          aws_secret_access_key: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_PRODUCTION }}
+          aws_s3_bucket_name: "nr-downloads-main"
+          # used for locking in case of concurrent releases
+          aws_s3_lock_bucket_name: "onhost-ci-lock"
+          # used for signing package stuff
+          gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }}
+      - name: Test package from prod repo
+        if: ${{ inputs.test_package }}
+        uses: newrelic/integrations-pkg-test-action/linux@v1
+        with:
+          tag: ${{ inputs.tag }}
+          integration: 'nri-${{ inputs.integration }}'
+          packageLocation: repo
+          upgrade: false
+  notify-failure:
+    if: ${{ always() && failure() }}
+    needs: [publish-to-s3]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify failure via Slack
+        uses: archive/github-actions-slack@master
+        with:
+          slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
+          slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
+          slack-text: "❌ `${{ github.event.repository.full_name }}`: [release pipeline failed](${{ github.server_url }}/${{ github.event.repository.full_name }}/actions/runs/${{ github.run_id }})."