---
name: CI

# Triggers: merge-queue validation, pull requests and manual runs.
# On `pull_request` from a fork GitHub hands the run a read-only GITHUB_TOKEN
# and injects no secrets, whatever the `permissions:`/`secrets:` blocks below
# say; the write scopes and credentials declared here are therefore only
# live for same-repository branches and merge-queue/manual runs. Do not change
# this trigger to `pull_request_target` without re-reviewing every write
# permission and secret granted below.
on:  # yamllint disable-line rule:truthy
  merge_group:
  pull_request:
  workflow_dispatch:

# One live run per ref and workflow: a newer push to the same branch (or
# merge-queue ref) cancels the older run that is still in progress.
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

# Default-deny at the workflow level; every job lists the scopes it needs.
permissions: {}

jobs:
  build-push-test:
    name: Build → Push → Test
    uses: ./.github/workflows/build-push-test.yml
    permissions:
      # anchore/sbom-action: locate workflow artifacts when attaching release assets
      actions: read
      # actions/attest-build-provenance: write artifact metadata
      artifact-metadata: write
      # actions/attest-build-provenance: push attestations
      attestations: write
      # anchore/sbom-action: artifact uploads.
      # NOTE(review): on same-repo PR runs this also gives the token push
      # rights to the repository; if the called workflow only attaches the
      # SBOM to workflow artifacts (not release assets), `read` should be
      # enough — confirm against build-push-test.yml.
      contents: write
      # actions/attest-build-provenance: mint the OIDC token used for signing.
      # The token's `sub` claim differs per event (e.g. `...:pull_request`),
      # so any external trust policy relying on it should match the event/ref.
      id-token: write
      # push the image manifest to GitHub Container Registry
      packages: write
      # marocchino/sticky-pull-request-comment: create/refresh the PR comment
      pull-requests: write
    # NOTE(review): these look like credentials for a real GitHub account
    # (password plus TOTP seed). They are not injected for fork PRs, but on
    # same-repo branches a PR can edit build-push-test.yml and read them, so
    # keep that account scoped to test use only.
    secrets:
      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}

  dependency-review:
    name: 🔍 Dependency Review
    needs: build-push-test
    uses: ./.github/workflows/wc-dependency-review.yml
    permissions:
      contents: read
      # actions/dependency-review-action: write PR summaries
      pull-requests: write

  publish-test-results:
    name: 📊 Publish Test Results
    needs: build-push-test
    # Publish even when the build/test job failed (that is exactly when the
    # results matter); skip only if the run was cancelled.
    if: "${{ !cancelled() }}"
    runs-on: ubuntu-latest
    permissions:
      # EnricoMi/publish-unit-test-result-action: add a check run with test results
      checks: write
      # EnricoMi/publish-unit-test-result-action: annotate PRs
      pull-requests: write
    steps:
      # NOTE(review): `audit` only records egress; once the endpoints this job
      # talks to are known, `block` with an `allowed-endpoints` list is the
      # stricter setting.
      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          disable-sudo: true
          egress-policy: audit
      # Pull every `test-results-*` artifact of this run into one directory.
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          merge-multiple: true
          pattern: test-results-*
      # Fail this job on failed or inconclusive tests so the status is visible
      # on the PR even though the build job is allowed to have failed above.
      - uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0
        with:
          action_fail: true
          action_fail_on_inconclusive: true
          files: test-report-*.xml

  generate-documents:
    name: 📄 Documentation
    uses: ./.github/workflows/wc-document-generation.yml
    permissions:
      contents: read