Merge branch 'develop' #1516
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pipeline | |
on: | |
push: | |
branches: | |
- develop | |
- feat/* | |
- hotfix/* | |
- main | |
pull_request: | |
branches: | |
- develop | |
- feat/* | |
- hotfix/* | |
- main | |
env: | |
CONTAINER_NAME: ${{ github.repository }} | |
CONTAINER_REGISTRY_GHCR: ghcr.io | |
CONTAINER_PLATFORMS: linux/amd64,linux/arm64/v8 | |
# https://github.com/docker/buildx/releases | |
BUILDX_VERSION: 0.17.1 | |
jobs: | |
init: | |
name: Init | |
runs-on: ubuntu-24.04 | |
outputs: | |
VERSION: ${{ steps.version.outputs.version }} | |
VERSION_FULL: ${{ steps.version.outputs.version_full }} | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
# We need all Git history for "version.sh" | |
fetch-depth: 0 | |
# Ensure "version.sh" submodule are up-to-date | |
submodules: recursive | |
- name: Generate versions | |
id: version | |
run: | | |
echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT | |
echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT | |
sast-creds: | |
name: SAST - Credentials | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
# We need all Git history for testing credentials | |
fetch-depth: 0 | |
# Ensure all submodules up-to-date | |
submodules: recursive | |
- name: Run tests | |
uses: trufflesecurity/[email protected] | |
with: | |
base: ${{ github.event.repository.default_branch }} | |
extra_args: --only-verified | |
head: HEAD~1 | |
sast-semgrep: | |
name: SAST - Semgrep | |
runs-on: ubuntu-24.04 | |
permissions: | |
# Allow to write to GitHub Security | |
security-events: write | |
container: | |
image: returntocorp/semgrep | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Run tests | |
# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
continue-on-error: true | |
env: | |
SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten p/dockerfile | |
run: semgrep ci --sarif --output=semgrep.sarif | |
- name: Upload results to GitHub Security | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: semgrep.sarif | |
test: | |
name: Test | |
permissions: | |
id-token: write | |
runs-on: ubuntu-24.04 | |
needs: | |
- init | |
strategy: | |
fail-fast: false | |
matrix: | |
# Run all test suites | |
step: | |
- static | |
# TODO: Enable unit tests (Azure login and config file required) | |
# - unit | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Set up uv | |
uses: astral-sh/[email protected] | |
with: | |
enable-cache: true | |
python-version: "3.12" | |
version: "0.5.x" | |
- name: Set up Azure CLI | |
run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash | |
# - name: Login to Azure | |
# uses: Azure/[email protected] | |
# with: | |
# client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
# tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
- name: Cache pytest | |
uses: actions/[email protected] | |
with: | |
key: pytest-${{ github.head_ref || github.ref_name }}-${{ hashFiles('requirements-dev.txt') }} | |
path: .pytest_cache | |
- name: Cache Ruff | |
uses: actions/[email protected] | |
with: | |
key: ruff-${{ github.head_ref || github.ref_name }}-${{ hashFiles('requirements-dev.txt') }} | |
path: .ruff_cache | |
- name: Set up dependencies | |
run: make install-deps | |
- name: Set up local config | |
run: mv config-remote-example.yaml config.yaml | |
# - name: Configure environment variables | |
# run: echo "${{ secrets.DOTENV_UNIT_TESTS }}" > .env | |
- name: Run tests | |
run: make test-${{ matrix.step }} version_full=${{ needs.init.outputs.VERSION_FULL }} | |
- name: Upload artifacts | |
uses: actions/[email protected] | |
if: always() | |
with: | |
compression-level: 9 | |
name: test-${{ matrix.step }} | |
path: test-reports/* | |
build-image: | |
name: Build & publish image | |
needs: | |
- init | |
- sast-creds | |
- sast-semgrep | |
runs-on: ubuntu-24.04 | |
permissions: | |
attestations: write | |
id-token: write | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Configure Git | |
run: | | |
git config user.name "${{ github.actor }}" | |
git config user.email "${{ github.actor }}@users.noreply.github.com" | |
- name: Setup QEMU | |
id: setup-qemu | |
uses: docker/[email protected] | |
with: | |
platforms: ${{ env.CONTAINER_PLATFORMS }} | |
- name: Setup Docker Buildx | |
uses: docker/[email protected] | |
with: | |
version: v${{ env.BUILDX_VERSION }} | |
- name: Login to registry | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY_GHCR }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Container meta | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }} | |
tags: | | |
type=raw,value=latest,enable={{is_default_branch}} | |
type=ref,event=branch | |
type=ref,event=pr | |
type=schedule | |
type=schedule,pattern={{date 'YYYYMMDD'}} | |
type=semver,pattern={{version}},value=${{ needs.init.outputs.VERSION_FULL }} | |
type=sha | |
labels: | | |
org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }} | |
org.opencontainers.image.vendor=${{ github.actor }} | |
- name: Build/push container | |
id: build | |
uses: docker/[email protected] | |
with: | |
build-args: | | |
VERSION=${{ needs.init.outputs.VERSION_FULL }} | |
cache-from: | | |
type=gha,scope=buildkit-${{ github.ref_name }} | |
type=gha,scope=buildkit-develop | |
type=gha,scope=buildkit-main | |
cache-to: type=gha,scope=buildkit-${{ github.ref_name }} | |
context: . | |
file: cicd/Dockerfile | |
labels: ${{ steps.meta.outputs.labels }} | |
outputs: type=registry,oci-mediatypes=true,compression=estargz,compression-level=9,force-compression=true | |
platforms: ${{ env.CONTAINER_PLATFORMS }} | |
push: true | |
sbom: true | |
tags: ${{ steps.meta.outputs.tags }} | |
- name: Generate attestations | |
uses: actions/[email protected] | |
with: | |
push-to-registry: true | |
subject-digest: ${{ steps.build.outputs.digest }} | |
subject-name: ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }} | |
create-release: | |
name: Create release | |
needs: | |
- build-image | |
- init | |
- test | |
permissions: | |
# Allow to create releases | |
contents: write | |
runs-on: ubuntu-24.04 | |
outputs: | |
RELEASE_ID: ${{ steps.create-release.outputs.result }} | |
# Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version | |
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Create release | |
id: create-release | |
uses: actions/[email protected] | |
with: | |
script: | | |
const isMain = context.ref == `refs/heads/main`; | |
const repoName = context.repo.repo; | |
console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch'); | |
const { data } = await github.rest.repos.createRelease({ | |
draft: true, | |
generate_release_notes: true, | |
name: `${repoName} v${{ needs.init.outputs.VERSION }}`, | |
owner: context.repo.owner, | |
prerelease: !isMain, | |
repo: repoName, | |
tag_name: 'v${{ needs.init.outputs.VERSION }}', | |
target_commitish: context.ref, | |
}); | |
return data.id | |
publish-release: | |
name: Publish release | |
permissions: | |
# Allow to write releases | |
contents: write | |
runs-on: ubuntu-24.04 | |
needs: | |
- create-release | |
# Only publish on non-scheduled default branch | |
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
steps: | |
- name: publish release | |
id: publish-release | |
uses: actions/[email protected] | |
with: | |
script: | | |
github.rest.repos.updateRelease({ | |
draft: false, | |
owner: context.repo.owner, | |
release_id: ${{ needs.create-release.outputs.RELEASE_ID }}, | |
repo: context.repo.repo, | |
}); |