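---
# CI workflow: a lint job, a test job that also produces SBOM, license-check and
# vulnerability-scan artifacts, and a finalizer job that branch protection can
# mark as required.
name: "CI"
# Least-privilege default for the whole workflow; a job that needs more
# declares its own `permissions` block (see the test job).
permissions:
  contents: read
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: '47 5 * * 0'
env:
  python_version: "3.13"
defaults:
  run:
    # Every `run:` step fails fast: -e exits on error, -u rejects unset
    # variables, -o pipefail fails a pipeline on any stage, -E propagates ERR
    # traps; --noprofile/--norc keep runner shell startup files out of the step.
    shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
jobs:
  # Third-party actions below are pinned to a major version tag. Tags are
  # mutable; pinning to a full commit SHA (with the tag in a trailing comment)
  # removes that supply-chain exposure and is what Dependabot/Renovate can keep
  # current.
  lint:
    name: Lint
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v6
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: 'false'
      - name: Bootstrap repository
        uses: ./.github/actions/bootstrap
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          python-version: ${{ env.python_version }}
      - name: Lint
        run: task -v lint
  test:
    name: Test
    runs-on: ubuntu-24.04
    # NOTE(review): broader than the workflow default; confirm which step
    # actually needs write access and whether it can be scoped to that step.
    permissions:
      contents: write
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v6
        # Necessary for hooks to succeed during tests for commits/schedule
        if: github.event_name != 'pull_request'
        with:
          fetch-depth: 0
          persist-credentials: 'false'
      - name: Checkout the repository
        uses: actions/checkout@v6
        # Necessary for hooks to succeed during tests for PRs
        if: github.event_name == 'pull_request'
        with:
          # NOTE(review): head.ref is a branch name resolved in this repository,
          # so this checkout is expected to fail for PRs opened from forks —
          # confirm that is intended.
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
          persist-credentials: 'false'
      - name: Bootstrap repository
        uses: ./.github/actions/bootstrap
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          python-version: ${{ env.python_version }}
      - name: Validate the repo
        run: task -v validate
      - name: Install license compliance tool
        run: |
          mkdir "${RUNNER_TEMP}/bin"
          # Install grant via curl until official Docker image is available
          # See: https://github.com/anchore/grant/issues/222
          # NOTE(review): the installer is fetched from the `main` branch with no
          # version pin and no checksum verification, so the tool can change
          # between runs; pass a release tag to the installer and verify the
          # downloaded binary once a pinned version is chosen.
          curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
          chmod +x "${RUNNER_TEMP}/bin/grant"
          echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}"
      - name: Run the tests
        run: task -v test
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run SBOM generation
        run: task -v sbom
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v6
        with:
          name: sbom-files
          path: |
            sbom.*.json
          # Missing outputs are a pipeline defect, not an empty result.
          if-no-files-found: error
      - name: Check license compliance
        run: task -v license-check
      - name: Upload license check results
        uses: actions/upload-artifact@v6
        with:
          name: license-check-results
          path: license-check.json
          if-no-files-found: error
      - name: Run vulnerability scan
        run: task -v vulnscan
      - name: Upload vulnerability scan results
        uses: actions/upload-artifact@v6
        with:
          name: vuln-scan-results
          path: vulns.json
          if-no-files-found: error
  finalizer:
    # This gives us something to set as required in the repo settings. Some projects use dynamic fan-outs using matrix strategies and the fromJSON function, so
    # you can't hard-code what _should_ run vs not. Having a finalizer simplifies that so you can just check that the finalizer succeeded, and if so, your
    # requirements have been met
    # Example: https://x.com/JonZeolla/status/1877344137713766516
    name: Finalize the pipeline
    runs-on: ubuntu-24.04
    # Keep this aligned with the above jobs
    needs: [lint, test]
    if: always() # Ensure it runs even if "needs" fails or is cancelled
    steps:
      - name: Check for failed or cancelled jobs
        # Both expressions evaluate to a boolean before the shell sees them, so
        # they cannot inject shell syntax into the script.
        run: |
          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ||
                "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
            echo "One or more required jobs failed or was cancelled. Marking finalizer as failed."
            exit 1
          fi
      - name: Checkout the repository
        uses: actions/checkout@v6
        with:
          # Match the other checkouts: the log-scanning step receives its token
          # explicitly via `env`, so nothing here needs credentials in .git/config.
          persist-credentials: 'false'
      - name: Scan workflow logs for warnings and errors
        # github.run_id is numeric, so interpolating it into the command is safe.
        run: scripts/scan_workflow_logs.sh ${{ github.run_id }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Finalize
        run: echo "Pipeline complete!"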