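# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
#
# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
name: CI Pull Request on Main Branch

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, yamllint may flag `truthy` here
on:
  pull_request:
    branches: [main, 'release/**']
  push:
    branches: [main, 'release/**']
  workflow_dispatch:

# least-privilege default for every job; the reusable-workflow call below widens it explicitly
permissions:
  contents: read

env:
  STUB_VERSION: "1.0.5"

jobs:
  echo_version:
    name: 'Echo stub version'
    runs-on: ubuntu-latest
    steps:
      - name: echo version of stub and inputs
        run: |
          echo "CI main pull request stub version $STUB_VERSION"

  read_version:
    name: 'Read version from Github release'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.get_version.outputs.version }}
    steps:
      - name: Checkout code
        # full history plus tags are required so the tag lookup below can see release tags
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: Read github release version
        id: get_version
        # Resolve the newest tagged commit, describe it, strip a leading "v" and publish the
        # result as the job output. A repository without tags yields an empty version rather
        # than a failed step; the called workflow decides what an empty version means.
        run: |
          LATEST_TAG_COMMIT=$(git rev-list --tags --max-count=1 2>/dev/null || true)
          if [ -n "$LATEST_TAG_COMMIT" ]; then
            VERSION=$(git describe --tags "$LATEST_TAG_COMMIT" 2>/dev/null | sed 's/^v//')
          else
            VERSION=""
          fi
          echo "Latest release version: $VERSION"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

  call-ci-main-pr-check-pipeline:
    needs: read_version
    # NOTE(review): `@sandhi/test-integrations` is a branch, i.e. a mutable ref. Combined with
    # `secrets: inherit` and `id-token: write` below, whatever that branch contains at run time
    # executes with this repository's secrets and OIDC identity. Pin to a release tag or a
    # commit SHA once the integration work lands.
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@sandhi/test-integrations
    secrets: inherit
    permissions:
      id-token: write # OIDC token for the called workflow; needed for federated secret/cloud access
      contents: read
    with:
      visibility: ${{ github.event.repository.visibility }} # private, public, or internal
      # GOPRIVATE pattern for Go private modules; the value must be the pattern itself (the
      # called workflow's documented default is 'github.com/progress-platform-services/*')
      go-private-modules: 'github.com/progress-platform-services/*'
      # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
      version: ${{ needs.read_version.outputs.version }}
      detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
      detect-version-source-parameter: '' # use for file name
      language: 'go' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting

      # complexity-checks
      perform-complexity-checks: false
      # scc-output-filename: 'scc-output.txt'
      perform-language-linting: false # Perform language-specific linting and pre-compilation checks

      # trufflehog secret scanning
      perform-trufflehog-scan: true

      # trivy dependency and container scanning
      perform-trivy-scan: true
      trivy-fail-on-high-critical: true

      # grype vulnerability scanning
      perform-grype-scan: true

      # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
      # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
      perform-blackduck-polaris: true
      polaris-application-name: "Chef-Chef360" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
      polaris-project-name: ${{ github.event.repository.name }}
      # NOTE(review): the two paths below look like unfilled placeholders — confirm the called
      # workflow resolves its own tool paths, or replace them with the real locations
      polaris-blackduck-executable: 'path/to/blackduck/binary'
      polaris-executable-detect-path: 'path/to/detect'
      polaris-coverity-build-command: 'go build'
      polaris-coverity-clean-command: 'go clean'
      polaris-fail-on-high-critical: true # Fail pipeline if HIGH or CRITICAL vulnerabilities found

      # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
      build: false
      # ga-build-profile: $chef-ga-build-profile
      # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA
      unit-tests: false

      # perform SonarQube scan, with or without unit test coverage data
      # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
      perform-sonarqube-scan: true
      # perform-sonar-build: true
      # build-profile: 'default'
      # report-unit-test-coverage: true
      perform-docker-scan: false # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"

      # report to central developer dashboard
      report-to-atlassian-dashboard: false
      quality-product-name: 'Chef-360' # product name for quality reporting, like Chef360, Courier, Inspec
      # quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
      # quality-sonar-app-name: 'YourSonarAppName'
      # quality-testing-type: 'Integration' # like Unit, Integration, e2e, api, Performance, Security
      # quality-service-name: 'YourServiceOrRepoName'
      # quality-junit-report: 'path/to/junit/report'

      # perform native and Habitat packaging, publish to package repositories
      package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
      habitat-build: false # Create Habitat packages
      publish-packages: false # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)

      # generate and export Software Bill of Materials (SBOM) in various formats
      generate-sbom: true
      export-github-sbom: true # SPDX JSON artifact on job instance
      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
      blackduck-project-group-name: 'Chef-Chef360' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product
      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
      blackduck-fail-on-high-critical: true # Fail pipeline if HIGH or CRITICAL vulnerabilities found
      generate-blackduck-sbom: false # obsolete, use perform-blackduck-sca-scan instead
      generate-msft-sbom: false
      license_scout: false # Run license scout for license compliance (uses .license_scout.yml)
      # udf1: 'default' # user defined flag 1
      # udf2: 'default' # user defined flag 2
      # udf3: 'default' # user defined flag 3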