Skip to content

Commit

Permalink
dev: Automated test/build with GitHub Actions
Browse files Browse the repository at this point in the history
  • Loading branch information
@clemlesne
clemlesne committed Jan 12, 2024
1 parent a03c155 commit 68d5b1d
Showing 1 changed file with 229 additions and 0 deletions.
229 changes: 229 additions & 0 deletions .github/workflows/pipeline.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,229 @@
name: pipeline

on:
push:
branches:
- develop
- feat/*
- hotfix/*
- main
pull_request:
branches:
- develop
- feat/*
- hotfix/*
- main

env:
CONTAINER_NAME: ${{ github.repository }}
CONTAINER_REGISTRY_GHCR: ghcr.io
CONTAINER_PLATFORMS: linux/amd64,linux/arm64/v8
# https://github.com/docker/buildx/releases
BUILDX_VERSION: 0.11.2

jobs:
init:
name: Init
runs-on: ubuntu-22.04
outputs:
VERSION: ${{ steps.version.outputs.version }}
VERSION_FULL: ${{ steps.version.outputs.version_full }}
steps:
- name: Checkout
uses: actions/[email protected]
with:
# We need all Git history for "version.sh"
fetch-depth: 0
# Ensure "version.sh" submodule are up-to-date
submodules: recursive

- name: Version
id: version
run: |
echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT
echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT
sast-creds:
name: SAST - Credentials
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/[email protected]
with:
# We need all Git history for testing credentials
fetch-depth: 0
# Ensure all submodules up-to-date
submodules: recursive

- name: SAST - Credentials
uses: trufflesecurity/[email protected]
with:
base: ${{ github.event.repository.default_branch }}
extra_args: --only-verified
head: HEAD
path: .

build-image:
name: Build & publish image
needs:
- init
- sast-creds
- sast-semgrep
runs-on: ubuntu-22.04
permissions:
# Allow to write to GitHub Security
security-events: write
# Allow to write to GitHub Packages
packages: write
steps:
- name: Checkout
uses: actions/[email protected]

- name: Configure Git
run: |
git config user.name "${{ github.actor }}"
git config user.email "${{ github.actor }}@users.noreply.github.com"
- name: Setup QEMU
id: setup-qemu
uses: docker/[email protected]
with:
platforms: ${{ env.CONTAINER_PLATFORMS }}

- name: Setup Docker Buildx
uses: docker/[email protected]
with:
version: v${{ env.BUILDX_VERSION }}

- name: Login to registry - GitHub
uses: docker/[email protected]
with:
registry: ${{ env.CONTAINER_REGISTRY_GHCR }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Container meta
id: meta
uses: docker/[email protected]
with:
images: ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=ref,event=branch
type=ref,event=pr
type=schedule
type=schedule,pattern={{date 'YYYYMMDD'}}
type=semver,pattern={{version}},value=${{ needs.init.outputs.VERSION_FULL }}
type=sha
labels: |
org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }}
org.opencontainers.image.vendor=${{ github.actor }}
- name: Store tag
id: tag
run: |
branch=$(echo "${{ github.ref_name }}" | sed 's/\//-/g')
tag=$(echo "${{ steps.meta.outputs.tags }}" | grep -m1 $branch)
echo "tag=$tag" >> $GITHUB_OUTPUT
- name: Build/push container
uses: docker/[email protected]
with:
build-args: |
VERSION=${{ needs.init.outputs.VERSION_FULL }}
cache-from: type=gha
cache-to: type=gha
context: .
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ env.CONTAINER_PLATFORMS }}
provenance: true
push: true
sbom: true
tags: ${{ steps.meta.outputs.tags }}

sast-semgrep:
name: SAST - Semgrep
runs-on: ubuntu-22.04
permissions:
# Allow to write to GitHub Security
security-events: write
container:
image: returntocorp/semgrep
steps:
- name: Checkout
uses: actions/[email protected]

- name: Run tests
# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security
continue-on-error: true
env:
SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten p/dockerfile
run: semgrep ci --sarif --output=semgrep.sarif

- name: Upload results to GitHub Security
uses: github/codeql-action/[email protected]
with:
sarif_file: semgrep.sarif

create-release:
name: Create release
needs:
- build-image
- init
permissions:
# Allow to create releases
contents: write
runs-on: ubuntu-22.04
outputs:
RELEASE_ID: ${{ steps.create-release.outputs.result }}
# Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
steps:
- name: Checkout
uses: actions/[email protected]

- name: Create release
id: create-release
uses: actions/[email protected]
with:
script: |
const isMain = context.ref == `refs/heads/${context.payload.repository.default_branch}`;
const repoName = context.repo.repo;
console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch');
const { data } = await github.rest.repos.createRelease({
draft: true,
generate_release_notes: true,
name: `${repoName} v${{ needs.init.outputs.VERSION }}`,
owner: context.repo.owner,
prerelease: !isMain,
repo: repoName,
tag_name: 'v${{ needs.init.outputs.VERSION }}',
target_commitish: context.ref,
});
return data.id
publish-release:
name: Publish release
permissions:
# Allow to write releases
contents: write
runs-on: ubuntu-22.04
needs:
- create-release
- init
# Only publish on non-scheduled default branch
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/${context.payload.repository.default_branch}')
steps:
- name: publish release
id: publish-release
uses: actions/[email protected]
with:
script: |
github.rest.repos.updateRelease({
draft: false,
owner: context.repo.owner,
release_id: ${{ needs.create-release.outputs.RELEASE_ID }},
repo: context.repo.repo,
});

0 comments on commit 68d5b1d

Please sign in to comment.