WIP #147

Workflow file for this run

.github/workflows/pipeline.yaml at 385efe3

	name: pipeline

	on:
	push:
	branches:
	- develop
	- feat/*
	- hotfix/*
	- main
	pull_request:
	branches:
	- develop
	- feat/*
	- hotfix/*
	- main

	env:
	CONTAINER_NAME: ${{ github.repository }}
	CONTAINER_REGISTRY_GHCR: ghcr.io
	CONTAINER_PLATFORMS: linux/amd64,linux/arm64/v8
	# https://github.com/docker/buildx/releases
	BUILDX_VERSION: 0.11.2

	jobs:
	init:
	name: Init
	runs-on: ubuntu-22.04
	outputs:
	VERSION: ${{ steps.version.outputs.version }}
	VERSION_FULL: ${{ steps.version.outputs.version_full }}
	steps:
	- name: Checkout
	uses: actions/[email protected]
	with:
	# We need all Git history for "version.sh"
	fetch-depth: 0
	# Ensure "version.sh" submodule are up-to-date
	submodules: recursive

	- name: Version
	id: version
	run: \|
	echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT
	echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT

	sast-creds:
	name: SAST - Credentials
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/[email protected]
	with:
	# We need all Git history for testing credentials
	fetch-depth: 0
	# Ensure all submodules up-to-date
	submodules: recursive

	- name: SAST - Credentials
	uses: trufflesecurity/[email protected]
	with:
	base: ${{ github.event.repository.default_branch }}
	extra_args: --only-verified
	head: HEAD
	path: .

	build-image:
	name: Build & publish image
	needs:
	- init
	- sast-creds
	- sast-semgrep
	runs-on: ubuntu-22.04
	permissions:
	# Allow to write to GitHub Packages
	packages: write
	steps:
	- name: Checkout
	uses: actions/[email protected]

	- name: Configure Git
	run: \|
	git config user.name "${{ github.actor }}"
	git config user.email "${{ github.actor }}@users.noreply.github.com"

	- name: Setup QEMU
	id: setup-qemu
	uses: docker/[email protected]
	with:
	platforms: ${{ env.CONTAINER_PLATFORMS }}

	- name: Setup Docker Buildx
	uses: docker/[email protected]
	with:
	version: v${{ env.BUILDX_VERSION }}

	- name: Login to registry - GitHub
	uses: docker/[email protected]
	with:
	registry: ${{ env.CONTAINER_REGISTRY_GHCR }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Container meta
	id: meta
	uses: docker/[email protected]
	with:
	images: ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }}
	tags: \|
	type=raw,value=latest,enable={{is_default_branch}}
	type=ref,event=branch
	type=ref,event=pr
	type=schedule
	type=schedule,pattern={{date 'YYYYMMDD'}}
	type=semver,pattern={{version}},value=${{ needs.init.outputs.VERSION_FULL }}
	type=sha
	labels: \|
	org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }}
	org.opencontainers.image.vendor=${{ github.actor }}

	- name: Build/push container
	uses: docker/[email protected]
	with:
	build-args: \|
	VERSION=${{ needs.init.outputs.VERSION_FULL }}
	cache-from: type=gha
	cache-to: type=gha
	context: .
	labels: ${{ steps.meta.outputs.labels }}
	platforms: ${{ env.CONTAINER_PLATFORMS }}
	provenance: true
	push: true
	sbom: true
	tags: ${{ steps.meta.outputs.tags }}

	sast-semgrep:
	name: SAST - Semgrep
	runs-on: ubuntu-22.04
	permissions:
	# Allow to write to GitHub Security
	security-events: write
	container:
	image: returntocorp/semgrep
	steps:
	- name: Checkout
	uses: actions/[email protected]

	- name: Run tests
	# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security
	continue-on-error: true
	env:
	SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten p/dockerfile
	run: semgrep ci --sarif --output=semgrep.sarif

	- name: Upload results to GitHub Security
	uses: github/codeql-action/[email protected]
	with:
	sarif_file: semgrep.sarif

	create-release:
	name: Create release
	needs:
	- build-image
	- init
	permissions:
	# Allow to create releases
	contents: write
	runs-on: ubuntu-22.04
	outputs:
	RELEASE_ID: ${{ steps.create-release.outputs.result }}
	# Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version
	if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
	steps:
	- name: Checkout
	uses: actions/[email protected]

	- name: Create release
	id: create-release
	uses: actions/[email protected]
	with:
	script: \|
	const isMain = context.ref == `refs/heads/main`;
	const repoName = context.repo.repo;

	console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch');

	const { data } = await github.rest.repos.createRelease({
	draft: true,
	generate_release_notes: true,
	name: `${repoName} v${{ needs.init.outputs.VERSION }}`,
	owner: context.repo.owner,
	prerelease: !isMain,
	repo: repoName,
	tag_name: 'v${{ needs.init.outputs.VERSION }}',
	target_commitish: context.ref,
	});
	return data.id

	publish-release:
	name: Publish release
	permissions:
	# Allow to write releases
	contents: write
	runs-on: ubuntu-22.04
	needs:
	- create-release
	- init
	# Only publish on non-scheduled default branch
	if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
	steps:
	- name: publish release
	id: publish-release
	uses: actions/[email protected]
	with:
	script: \|
	github.rest.repos.updateRelease({
	draft: false,
	owner: context.repo.owner,
	release_id: ${{ needs.create-release.outputs.RELEASE_ID }},
	repo: context.repo.repo,
	});

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WIP #147

Workflow file

WIP #147

Jobs

Run details

Workflow file for this run