
Commit 6056e6d

committed
chore(ci): maximize ci/cd values via dependabot and permissions
1 parent f30f388 commit 6056e6d

3 files changed

Lines changed: 8 additions & 77 deletions


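--- a/.github/workflows/boj-build.yml
+++ b/.github/workflows/boj-build.yml
@@ -1,19 +1,17 @@
 name: BoJ Server Build Trigger
-
 on:
 push:
-branches: [ main, master ]
+branches: [main, master]
 workflow_dispatch:
-
 jobs:
 trigger-boj:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4
-
 - name: Trigger BoJ Server (Casket/ssg-mcp)
 run: |
 # Send a secure trigger to boj-server to build this repository
 curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
 continue-on-error: true
+permissions: read-all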
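Review bot: The `permissions: read-all` appended as the last line still grants read on every token scope, while the visible steps are only a checkout and a curl; a `permissions:` mapping with `contents: read` is the narrower setting this job appears to need. Indentation is lost on this page, so confirm the key sits at workflow or job level and is not parsed as part of the final step. The unchanged trigger step also interpolates `${{ github.ref_name }}` directly into the `run:` script and posts over plain `http://` despite its "secure trigger" comment; passing the values through `env:` and quoting them in the shell keeps ref names out of the script text. `actions/checkout@v4` is referenced by tag here, whereas ci.yaml pins checkout to a commit SHA.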

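--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,19 +1,16 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
 name: CI Pipeline
-
 on:
 push:
 branches: [main, develop]
 pull_request:
 branches: [main, develop]
-
 env:
 REGISTRY: ghcr.io
 RUST_VERSION: "1.75"
 ELIXIR_VERSION: "1.16"
 OTP_VERSION: "26"
 JULIA_VERSION: "1.10"
-
 jobs:
 # ===========================================================================
 # Rust Optimizer
@@ -26,13 +23,11 @@ jobs:
 working-directory: src/rust-routing
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Install Rust
 uses: dtolnay/rust-action@stable
 with:
 toolchain: ${{ env.RUST_VERSION }}
 components: clippy, rustfmt
-
 - name: Cache cargo
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
@@ -43,30 +38,23 @@ jobs:
 ~/.cargo/git/db/
 src/rust-routing/target/
 key: ${{ runner.os }}-cargo-${{ hashFiles('src/rust-routing/Cargo.lock') }}
-
 - name: Install protoc
 run: |
 sudo apt-get update
 sudo apt-get install -y protobuf-compiler
-
 - name: Check formatting
 run: cargo fmt --all -- --check
-
 - name: Clippy
 run: cargo clippy --all-targets --all-features -- -D warnings
-
 - name: Build
 run: cargo build --release
-
 - name: Test
 run: cargo test --all-features
-
 - name: Upload artifact
 uses: actions/upload-artifact@v6
 with:
 name: rust-optimizer
 path: src/rust-routing/target/release/veds-optimizer
-
 # ===========================================================================
 # Elixir API
 # ===========================================================================
@@ -86,42 +74,32 @@ jobs:
 ports:
 - 5432:5432
 options: >-
---health-cmd pg_isready
---health-interval 10s
---health-timeout 5s
---health-retries 5
+--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Setup Elixir
 uses: erlef/setup-beam@v1
 with:
 elixir-version: ${{ env.ELIXIR_VERSION }}
 otp-version: ${{ env.OTP_VERSION }}
-
 - name: Cache deps
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: |
 src/elixir-api/deps
 src/elixir-api/_build
 key: ${{ runner.os }}-mix-${{ hashFiles('src/elixir-api/mix.lock') }}
-
 - name: Install dependencies
 run: mix deps.get
-
 - name: Check formatting
 run: mix format --check-formatted
-
 - name: Compile (warnings as errors)
 run: mix compile --warnings-as-errors
-
 - name: Run tests
 run: mix test
 env:
 DATABASE_URL: postgres://postgres:postgres@localhost:5432/veds_test
 MIX_ENV: test
-
 # ===========================================================================
 # Clojure Constraints
 # ===========================================================================
@@ -133,30 +111,24 @@ jobs:
 working-directory: src/clojure-constraints
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Setup Java
 uses: actions/setup-java@v5
 with:
 distribution: 'temurin'
 java-version: '21'
-
 - name: Setup Clojure
 uses: DeLaGuardo/setup-clojure@13.5
 with:
 cli: 1.11.1.1435
-
 - name: Cache deps
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-clj-${{ hashFiles('src/clojure-constraints/deps.edn') }}
-
 - name: Run tests
 run: clojure -M:test
-
 - name: Build uberjar
 run: clojure -T:build uber
-
 # ===========================================================================
 # Julia Visualization
 # ===========================================================================
@@ -168,26 +140,21 @@ jobs:
 working-directory: src/julia-viz
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Setup Julia
 uses: julia-actions/setup-julia@v2
 with:
 version: ${{ env.JULIA_VERSION }}
-
 - name: Cache Julia packages
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: |
 ~/.julia/artifacts
 ~/.julia/packages
 key: ${{ runner.os }}-julia-${{ hashFiles('src/julia-viz/Project.toml') }}
-
 - name: Install dependencies
 run: julia --project=. -e 'using Pkg; Pkg.instantiate()'
-
 - name: Run tests
 run: julia --project=. -e 'using Pkg; Pkg.test()'
-
 # ===========================================================================
 # Ada/SPARK Verification
 # ===========================================================================
@@ -199,22 +166,17 @@ jobs:
 working-directory: src/ada-spark-verify
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Setup GNAT
 run: |
 sudo apt-get update
 sudo apt-get install -y gnat gprbuild
-
 - name: Build
 run: gprbuild -P veds_verify.gpr -XMODE=release
-
 - name: Run verification tests
 run: ./bin/veds_verify
-
-# SPARK proof (optional, requires SPARK Pro or Community)
-# - name: Run SPARK proofs
-# run: gnatprove -P veds_verify.gpr --level=2
-
+# SPARK proof (optional, requires SPARK Pro or Community)
+# - name: Run SPARK proofs
+# run: gnatprove -P veds_verify.gpr --level=2
 # ===========================================================================
 # Integration Tests
 # ===========================================================================
@@ -224,20 +186,16 @@ jobs:
 needs: [rust-build, elixir-build, clojure-build]
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Setup Python
 uses: actions/setup-python@v6
 with:
 python-version: '3.12'
-
 - name: Install test dependencies
 run: pip install -r tests/integration/requirements.txt
-
 - name: Run integration tests
 run: pytest tests/integration/ -v --tb=short
 env:
 HYPOTHESIS_PROFILE: ci
-
 # ===========================================================================
 # Property Tests
 # ===========================================================================
@@ -246,18 +204,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Setup Python
 uses: actions/setup-python@v6
 with:
 python-version: '3.12'
-
 - name: Install test dependencies
 run: pip install -r tests/integration/requirements.txt
-
 - name: Run property tests
 run: pytest tests/property/ -v --hypothesis-profile=ci
-
 # ===========================================================================
 # Security Scanning
 # ===========================================================================
@@ -266,21 +220,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
 scan-type: 'fs'
 scan-ref: '.'
 severity: 'CRITICAL,HIGH'
 exit-code: '1'
-
 - name: Rust audit
 working-directory: src/rust-routing
 run: |
 cargo install cargo-audit
 cargo audit
-
 # ===========================================================================
 # Build and Push Images
 # ===========================================================================
@@ -305,17 +256,14 @@ jobs:
 context: src/julia-viz
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
-
 - name: Login to GHCR
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Extract metadata
 id: meta
 uses: docker/metadata-action@v5
@@ -326,7 +274,6 @@ jobs:
 type=ref,event=branch
 type=semver,pattern={{version}}
 type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
 - name: Build and push
 uses: docker/build-push-action@v6
 with:
@@ -336,7 +283,6 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
-
 # ===========================================================================
 # Update ArgoCD
 # ===========================================================================
@@ -347,7 +293,6 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Update image tags in kustomization
 run: |
 cd deploy/k3s/base
@@ -356,11 +301,11 @@ jobs:
 ghcr.io/veds/elixir-api=ghcr.io/${{ github.repository_owner }}/veds-elixir-api:${{ github.sha }} \
 ghcr.io/veds/clojure-constraints=ghcr.io/${{ github.repository_owner }}/veds-clojure-constraints:${{ github.sha }} \
 ghcr.io/veds/julia-viz=ghcr.io/${{ github.repository_owner }}/veds-julia-viz:${{ github.sha }}
-
 - name: Commit and push
 run: |
 git config user.name "GitHub Actions"
 git config user.email "actions@github.com"
 git add deploy/
 git commit -m "ci: update image tags to ${{ github.sha }}" || exit 0
 git push
+permissions: read-all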
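Review bot: The `permissions: read-all` added after the final `git push` step leaves the token read-only, yet unchanged steps in this workflow log in to GHCR with `secrets.GITHUB_TOKEN` for a build-and-push and run `git push` in the ArgoCD update job. Unless those jobs declare their own `permissions:` outside the visible hunks, both writes would likely be refused. The usual shape is a restrictive workflow default such as `contents: read`, with `packages: write` on the image job and `contents: write` on the tag-update job only. Indentation is lost on this page, so also confirm the new key is parsed at workflow level and not as part of the last step. The file still references `aquasecurity/trivy-action@master` and `dtolnay/rust-action@stable` by mutable ref while checkout and cache are SHA-pinned.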
