-
Notifications
You must be signed in to change notification settings - Fork 96
Expand file tree
/
Copy pathci-main-pull-request-stub-1.0.7.yml
More file actions
160 lines (137 loc) · 9.73 KB
/
ci-main-pull-request-stub-1.0.7.yml
File metadata and controls
160 lines (137 loc) · 9.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
#
# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
name: CI Pull Request on Main Branch
on:
pull_request:
branches: [ main, release/** ]
push:
branches: [ main, release/** ]
workflow_dispatch:
permissions:
contents: read
env:
STUB_VERSION: "1.0.7"
jobs:
echo_version:
name: 'Echo stub version'
runs-on: ubuntu-latest
steps:
- name: echo version of stub and inputs
run: |
echo "CI main pull request stub version $STUB_VERSION"
detect-custom-metadata:
name: 'Detect custom properties'
runs-on: ubuntu-latest
outputs:
primaryApp: ${{ steps.set-custom-metadata.outputs.primaryApplication }}
appBuildLanguage: ${{ steps.set-custom-metadata.outputs.applicationBuildLanguage }}
appBuildProfile: ${{ steps.set-custom-metadata.outputs.applicationBuildProfile }}
steps:
- name: 'Detect app, language, and build profile environment variables from repository custom properties'
id: set-custom-metadata
# GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]'
run: |
response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values)
primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value')
GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value')
GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value')
echo "PRIMARY APP... $primaryApplication"
echo "BUILD LANG... $GABuildLanguage"
echo "BUILD PROFILE... $GABuildProfile"
echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV
echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV
echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
# If workflow_dispatch, use inputs (left), if other trigger, use default env (right)
# echo "::set-output name=build-and-verify::${{ github.event.inputs.build-and-verify || 'true' }}"
echo "::set-output name=primaryApplication::$primaryApplication"
echo "::set-output name=applicationBuildLanguage::$GABuildLanguage"
echo "::set-output name=applicationBuildProfile::$GABuildProfile"
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
call-ci-main-pr-check-pipeline:
uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
needs: detect-custom-metadata
secrets: inherit
permissions:
id-token: write
contents: read
with:
application: ${{ needs.detect-custom-metadata.outputs.primaryApp }}
visibility: ${{ github.event.repository.visibility }} # private, public, or internal
# go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*
# if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
version: '15.1.2' # ${{ github.event.repository.version }}
detect-version-source-type: 'file' # options include "none" (do not detect), "file", "github-tag" or "github-release"
detect-version-source-parameter: '' # use for file name
language: ${{ needs.detect-custom-metadata.outputs.appBuildLanguage }} # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
# complexity-checks, linting, trufflehog and trivy
perform-complexity-checks: true
# scc-output-filename: 'scc-output.txt'
perform-language-linting: true # Perform language-specific linting and pre-compilation checks
perform-trufflehog-scan: true
perform-trivy-scan: true
# perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
build: true
build-profile: ${{ needs.detect-custom-metadata.outputs.appBuildProfile }}
unit-tests: false
unit-test-output-path: "path/to/file.out"
unit-test-command-override: ""
# BlackDuck SAST (Polaris) require a build or binary present in repo to do SAST testing
# requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
perform-blackduck-polaris: false
polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
polaris-project-name: ${{ github.event.repository.name }} # arch-sample-cli
polaris-working-directory: '.' # Working directory for the scan, defaults to . but usually lang-dependent like ./src
polaris-coverity-build-command: 'go build -o bin/chef-cli.exe' # Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"
polaris-coverity-clean-command: 'go clean' # Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"
polaris-detect-search-depth: '5' # Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan'
polaris-assessment-mode: 'SAST' # Assessment mode (SAST, CI or SOURCE_UPLOAD)
wait-for-scan: true
# polaris-detect-args: '' # Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"
# coverity_build_command: "go build"
# coverity_clean_command: "go clean"
# polaris-config-path: '' # Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml
# polaris-coverity-config-path: '' # Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml
# polaris-coverity-args: '' # Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make
# perform SonarQube scan, with or without unit test coverage data
# requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
perform-sonarqube-scan: false
# perform-sonar-build: true
# build-profile: 'default'
# report-unit-test-coverage: true
perform-docker-scan: false # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"
# report to central developer dashboard
report-to-atlassian-dashboard: false
quality-product-name: 'Chef-Agents' # product name for quality reporting, like Chef360, Courier, Inspec
# quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
# quality-sonar-app-name: 'YourSonarAppName'
# quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
# quality-service-name: 'YourServiceOrRepoName'
# quality-junit-report: 'path/to/junit/report''
# perform Habitat-based and native packaging, publish to package repositories
package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
habitat-build: false # Create Habitat packages
publish-habitat-packages: false # Publish Habitat packages to Builder
publish-habitat-hab_package: false # Chef Habitat package to install (e.g., core/nginx)
publish-habitat-hab_version: "1.0.0" # Chef Habitat package version (optional)
publish-habitat-hab_release: "20240101010101" # Chef Habitat package release (optional)
publish-habitat-hab_channel: "stable" # Chef Habitat package channel (e.g., stable, base, base-2025); default is stable
publish-habitat-hab_auth_token: "" # Chef Habitat Builder authentication token (uses secret if not provided)
publish-habitat-runner_os: "ubuntu-latest" # OS runner for Habitat package publishing job, can also be windows-latest
habitat-grype-scan: false # Scan built Habitat packages with Grype for vulnerabilities
publish-packages: false # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
# generate and export Software Bill of Materials (SBOM) in various formats
generate-sbom: true
export-github-sbom: true # SPDX JSON artifact on job instance
generate-msft-sbom: false
license_scout: false # Run license scout for license compliance (uses .license_scout.yml)
# perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk
perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
# udf1: 'default' # user defined flag 1
# udf2: 'default' # user defined flag 2
# udf3: 'default' # user defined flag 3