osc-github-devops/.github/workflows/build-test.yaml at main · os-climate/osc-github-devops · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
---
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2025 The Linux Foundation

# Runs on a new pull request, performs build and runs tests
name: 'Python Build/Test'

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  pull_request:
    types: [opened, reopened, edited, synchronize]
    branches:
      - main
      - master
    paths:
      - '**'
      - '!.github/**'
      - '!.*'
      - '!tox.ini'

concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true

permissions: {}

jobs:
  python-build:
    name: 'Python Build'
    runs-on: 'ubuntu-latest'
    outputs:
      matrix_json: "${{ steps.python-build.outputs.matrix_json }}"
      artefact_name: "${{ steps.python-build.outputs.artefact_name }}"
      artefact_path: "${{ steps.python-build.outputs.artefact_path }}"
    permissions:
      contents: read
    timeout-minutes: 12
    env:
      GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
    steps:
      # Harden the runner used by this workflow
      # yamllint disable-line rule:line-length
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: 'audit'

      # yamllint disable-line rule:line-length
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: 'Build Python project'
        id: python-build
        # yamllint disable-line rule:line-length
        # uses: lfreleng-actions/python-build-action@48381cece78a990a6ba93bd5924bcd40bf0d1a7d # v0.1.20
        # yamllint disable-line rule:line-length
        uses: lfreleng-actions/python-build-action@main # Testing

  python-tests:
    name: 'Python Tests'
    runs-on: 'ubuntu-latest'
    needs: 'python-build'
    # Matrix job
    strategy:
      fail-fast: false
      matrix: "${{ fromJson(needs.python-build.outputs.matrix_json) }}"
    permissions:
      contents: read
    timeout-minutes: 12
    steps:
      # Harden the runner used by this workflow
      # yamllint disable-line rule:line-length
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: audit

      # yamllint disable-line rule:line-length
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: "Python tests [pytest] ${{ matrix.python-version }}"
        # yamllint disable-line rule:line-length
        # uses: lfreleng-actions/python-test-action@b997656111c9b547f8458b18baf6be139e2d2c6c # v0.1.12
        # yamllint disable-line rule:line-length
        uses: lfreleng-actions/python-test-action@main # Testing
        with:
          python_version: ${{ matrix.python-version }}

  python-audit:
    name: 'Python Audit'
    runs-on: 'ubuntu-latest'
    needs: 'python-build'
    # Matrix job
    strategy:
      fail-fast: false
      matrix: "${{ fromJson(needs.python-build.outputs.matrix_json) }}"
    permissions:
      contents: read
    timeout-minutes: 10
    steps:
      # Harden the runner used by this workflow
      # yamllint disable-line rule:line-length
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: 'audit'

      # yamllint disable-line rule:line-length
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: "Audit dependencies ${{ matrix.python-version }}"
        # yamllint disable-line rule:line-length
        # uses: lfreleng-actions/python-audit-action@d2a271bdbf08572dbd8addd3358e5e937ab3739b # v0.2.3
        # yamllint disable-line rule:line-length
        uses: lfreleng-actions/python-audit-action@main # Testing
        with:
          python_version: "${{ matrix.python-version }}"

  sbom:
    name: 'Generate SBOM'
    runs-on: ubuntu-latest
    needs: 'python-build'
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      # yamllint disable-line rule:line-length
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0

      - name: "Generate SBOM"
        id: sbom
        # yamllint disable-line rule:line-length
        uses: lfreleng-actions/python-sbom-action@ae4aca2ef28d7da4ec95049cc78be43e632d322a  # v0.1.0
        with:
          include_dev: "false"
          sbom_format: "both"

      - name: "Upload SBOM artifacts"
        # yamllint disable-line rule:line-length
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
        with:
          name: sbom-files
          path: |
            sbom-cyclonedx.json
            sbom-cyclonedx.xml
          retention-days: 45

      - name: "Security scan with Grype"
        # yamllint disable-line rule:line-length
        uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8  # v7.0.0
        with:
          sbom: "${{ steps.sbom.outputs.sbom_json_path }}"

      - name: "Summary step"
        run: |
            # Summary step
            echo "SBOM count: ${{ steps.sbom.outputs.component_count }}"
            echo "Tool used: ${{ steps.sbom.outputs.dependency_manager }}"