amp-devcontainer/.github/workflows/wc-build-push-test.yml at 5eddcc2d5f7d68a4e2b371bb2dfed8777b0e48a1 · philips-software/amp-devcontainer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
---
name: Build, Push & Test

on:
  workflow_call:
    secrets:
      TEST_GITHUB_TOKEN:
        required: true
      TEST_GITHUB_USER:
        required: true
      TEST_GITHUB_PASSWORD:
        required: true
      TEST_GITHUB_TOTP_SECRET:
        required: true

permissions:
  contents: read

jobs:
  build-push:
    strategy:
      matrix:
        flavor: [cpp, rust]
    uses: ./.github/workflows/wc-build-push.yml
    permissions:
      actions: read
      attestations: write
      contents: write
      id-token: write
      packages: write
      pull-requests: write
    with:
      devcontainer-metadata: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
      image-name: ${{ github.repository }}-${{ matrix.flavor }}

  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    needs: build-push
    if: github.event_name == 'pull_request'
    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
        with:
          comment-summary-in-pr: on-failure
          fail-on-severity: critical

  integration-test:
    strategy:
      matrix:
        flavor: [cpp, rust]
        runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
    needs: build-push
    uses: ./.github/workflows/wc-integration-test.yml
    with:
      flavor: ${{ matrix.flavor }}
      runner: ${{ matrix.runner }}

  acceptance-test:
    strategy:
      matrix:
        flavor: [cpp]
    needs: build-push
    uses: ./.github/workflows/wc-acceptance-test.yml
    secrets:
      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
    with:
      flavor: ${{ matrix.flavor }}

  publish-test-results:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      pull-requests: write
    needs: [acceptance-test, integration-test]
    if: always()
    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo: true
          egress-policy: audit
      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          merge-multiple: true
          pattern: test-results-*
      - uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
        with:
          files: test-report-*.xml

  generate-documents:
    uses: ./.github/workflows/wc-document-generation.yml
    permissions:
      contents: read