-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathci.yml
More file actions
156 lines (151 loc) · 5.58 KB
/
ci.yml
File metadata and controls
156 lines (151 loc) · 5.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
---
name: CI
permissions:
contents: read
on:
pull_request:
branches: [main]
env:
python_version: "{{ cookiecutter.python_version }}"
defaults:
run:
shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
jobs:
test:
name: Test
runs-on: ubuntu-24.04
permissions:
contents: write
steps:
- name: Checkout the repository
uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Bootstrap repository
uses: ./.github/actions/bootstrap
with:
token: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
python-version: ${{ "{{ env.python_version }}" }}
- name: Set up QEMU for cross-platform emulation
uses: docker/setup-qemu-action@v3
- name: Install license compliance tool
run: |
mkdir -p "${RUNNER_TEMP}/bin"
# Install grant via curl until official Docker image is available
# See: https://github.com/anchore/grant/issues/222
curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/grant"
echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}"
- name: Build Docker image
run: task -v build
- name: Run tests
run: task -v test
lint:
name: Lint
runs-on: ubuntu-24.04
steps:
- name: Checkout the repository
uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Bootstrap repository
uses: ./.github/actions/bootstrap
with:
token: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
python-version: ${{ "{{ env.python_version }}" }}
- name: Run linting
run: task -v lint
- name: Validate configuration
run: task -v validate
build:
name: Build
runs-on: ubuntu-24.04
strategy:
matrix:
platform:
- linux/amd64
- linux/arm64
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
persist-credentials: 'false'
- name: Bootstrap repository
uses: ./.github/actions/bootstrap
with:
token: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
python-version: ${{ "{{ env.python_version }}" }}
- name: Set up QEMU for cross-platform emulation
uses: docker/setup-qemu-action@v3
- name: Build Docker image
run: task -v build
env:
PLATFORM: ${{ "{{ matrix.platform }}" }}
- name: Install license compliance tool
run: |
mkdir "${RUNNER_TEMP}/bin"
# Install grant via curl until official Docker image is available
# See: https://github.com/anchore/grant/issues/222
curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/grant"
echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}"
- name: Generate SBOM
run: task -v sbom
env:
PLATFORM: ${{ "{{ matrix.platform }}" }}
- name: Set env var for unique artifact uploads
run: echo SANITIZED_PLATFORM="$(echo "${{ "{{ matrix.platform }}" }}" | sed 's/\//_/g')" | tee -a "${GITHUB_ENV}"
- name: Upload SBOM artifacts
uses: actions/upload-artifact@v5
with:
name: sbom-${{ "{{ env.SANITIZED_PLATFORM }}" }}
path: |
sbom.*.json
if-no-files-found: error
- name: Check license compliance
run: task -v license-check
env:
PLATFORM: ${{ "{{ matrix.platform }}" }}
- name: Upload license check results
uses: actions/upload-artifact@v5
with:
name: license-check-${{ "{{ env.SANITIZED_PLATFORM }}" }}
path: license-check.*.json
if-no-files-found: error
- name: Run vulnerability scan
run: task -v vulnscan
env:
PLATFORM: ${{ "{{ matrix.platform }}" }}
- name: Upload vulnerability scan results
uses: actions/upload-artifact@v5
with:
name: vulns-${{ "{{ env.SANITIZED_PLATFORM }}" }}
path: vulns.*.json
if-no-files-found: error
finalizer:
# This gives us something to set as required in the repo settings. Some projects use dynamic fan-outs using matrix strategies and the fromJSON function, so
# you can't hard-code what _should_ run vs not. Having a finalizer simplifies that so you can just check that the finalizer succeeded, and if so, your
# requirements have been met
# Example: https://x.com/JonZeolla/status/1877344137713766516
name: Finalize the pipeline
runs-on: ubuntu-24.04
# Keep this aligned with the above jobs
needs: [lint, test, build]
if: always() # Ensure it runs even if "needs" fails or is cancelled
steps:
- name: Check for failed or cancelled jobs
run: |
# Use contains() to check for any failure or cancellation
if [[ "{% raw %}${{ contains(needs.*.result, 'failure') }}{% endraw %}" == "true" ||
"{% raw %}${{ contains(needs.*.result, 'cancelled') }}{% endraw %}" == "true" ]]; then
echo "One or more required jobs failed or was cancelled. Marking finalizer as failed."
exit 1
fi
- name: Checkout the repository
uses: actions/checkout@v6
- name: Scan workflow logs for warnings and errors
run: scripts/scan_workflow_logs.sh {% raw %}${{ github.run_id }}{% endraw %}
env:
GITHUB_TOKEN: "{% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}"
- name: Finalize
run: echo "Pipeline complete!"