Automated update to primary components (#345) #1072
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "Commit" | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
defaults: | |
run: | |
shell: 'bash --noprofile --norc -Eeuo pipefail {0}' | |
env: | |
python_version: "3.11" | |
jobs: | |
lint: | |
name: Lint | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout the repository | |
uses: actions/checkout@v4 | |
- uses: seisollc/goat@main | |
with: | |
exclude: (.*tests/(ansible|terraform|cloudformation)/.*|.*build/Dockerfile\.j2$) | |
disable_mypy: true | |
generate-matrixes: | |
name: Generate matrixes for future use in pipelines | |
runs-on: ubuntu-22.04 | |
outputs: | |
image-matrix: ${{ steps.set-image-outputs.outputs.image-matrix }} | |
test-matrix: ${{ steps.set-testing-outputs.outputs.test-matrix }} | |
steps: | |
- name: Checkout the repository | |
uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.python_version }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }} | |
- name: Install the dependencies | |
run: python -m pip install --upgrade pipenv | |
- name: Install Task | |
uses: arduino/setup-task@v2 | |
- name: Initialize the repo | |
run: task -v init | |
- name: Gather the image matrix | |
id: set-image-outputs | |
run: | | |
pipenv run python -c \ | |
'from easy_infra import utils; \ | |
print(utils.get_github_actions_matrix())' >> "${GITHUB_OUTPUT}" | |
- name: Gather the testing matrix | |
id: set-testing-outputs | |
run: | | |
pipenv run python -c \ | |
'from easy_infra import utils; \ | |
print(utils.get_github_actions_matrix(testing=True))' >> "${GITHUB_OUTPUT}" | |
test: | |
name: Test | |
needs: [generate-matrixes] | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.generate-matrixes.outputs.test-matrix) }} | |
steps: | |
- name: Checkout the repository | |
uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.python_version }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }} | |
- name: Install the dependencies | |
run: | | |
python -m pip install --upgrade pipenv | |
mkdir "${RUNNER_TEMP}/bin" | |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
chmod +x "${RUNNER_TEMP}/bin/syft" | |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
chmod +x "${RUNNER_TEMP}/bin/grype" | |
echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" | |
- name: Install Task | |
uses: arduino/setup-task@v2 | |
- name: Initialize the repo | |
run: task -v init | |
- name: Build the image | |
run: task -v build | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Generate the SBOM | |
run: task -v sbom | |
if: matrix.user == 'root' | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Upload the SBOM | |
uses: actions/upload-artifact@v4 | |
if: matrix.user == 'root' | |
with: | |
name: SBOM_${{ matrix.tool }}_${{ matrix.environment }} | |
path: sbom.2*.json | |
if-no-files-found: error | |
- name: Generate Vuln scan results | |
run: task -v vulnscan | |
if: matrix.user == 'root' | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Upload Vuln scan result | |
uses: actions/upload-artifact@v4 | |
if: matrix.user == 'root' | |
with: | |
name: Vulns_${{ matrix.tool }}_${{ matrix.environment }} | |
path: vulns.2*.json | |
if-no-files-found: error | |
- name: Run tests | |
run: task -v test | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
USER: ${{ matrix.user }} | |
DEBUG: "True" | |
bump-version: | |
name: Bump version | |
needs: [lint] | |
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}" | |
permissions: | |
contents: write | |
runs-on: ubuntu-22.04 | |
outputs: | |
git_tag: ${{ steps.bump-version.outputs.git_tag }} | |
steps: | |
- name: Checkout the repository | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.SEISO_AUTOMATION_PAT }} | |
fetch-depth: 0 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.python_version }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }} | |
- name: Install the dependencies | |
run: python -m pip install --upgrade pipenv | |
- name: Install Task | |
uses: arduino/setup-task@v2 | |
- name: Initialize the repo | |
run: task -v init | |
- name: Bump the version | |
id: bump-version | |
run: | | |
task -v release | |
GIT_TAG="$(git describe --tags)" | |
BRANCH="$(git branch --show-current)" | |
git push --atomic origin "${BRANCH}" "${GIT_TAG}" | |
echo "git_tag=${GIT_TAG}" >> "${GITHUB_OUTPUT}" | |
distribute: | |
name: Distribute | |
needs: [generate-matrixes, bump-version] | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.generate-matrixes.outputs.image-matrix) }} | |
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}" | |
environment: "${{ needs.bump-version.outputs.git_tag }}" | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout the repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: "${{ needs.bump-version.outputs.git_tag }}" | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.python_version }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }} | |
- name: Install the dependencies | |
run: | | |
python -m pip install --upgrade pipenv | |
mkdir "${RUNNER_TEMP}/bin" | |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
chmod +x "${RUNNER_TEMP}/bin/syft" | |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
chmod +x "${RUNNER_TEMP}/bin/grype" | |
echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" | |
- name: Install Task | |
uses: arduino/setup-task@v2 | |
- name: Initialize the repo | |
run: task -v init | |
- name: Build the image | |
run: task -v build | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Generate the SBOM | |
run: task -v sbom | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Upload the SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: SBOM_${{ matrix.tool }}_${{ matrix.environment }} | |
path: sbom.2*.json | |
if-no-files-found: error | |
- name: Generate Vuln scan results | |
run: task -v vulnscan | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Upload Vuln scan result | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Vulns_${{ matrix.tool }}_${{ matrix.environment }} | |
path: vulns.2*.json | |
if-no-files-found: error | |
- name: Run tests | |
run: task -v test | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
USER: ${{ matrix.user }} | |
DEBUG: "True" | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Publish the image to Docker Hub | |
run: task -v publish | |
env: | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
- name: Install cosign | |
uses: sigstore/cosign-installer@main | |
- name: Sign the image | |
run: | | |
image_and_versioned_tag=$(pipenv run python -c \ | |
"from easy_infra.utils import get_image_and_tag; \ | |
print(get_image_and_tag(tool='${TOOL}', environment='${ENVIRONMENT}'))") | |
versioned_tag="${image_and_versioned_tag#*:}" | |
# Requires that the image is available in the local daemon and was pushed to the remote repo | |
image_and_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \ | |
"${image_and_versioned_tag}" ) | |
echo -n "${COSIGN_PASSWORD}" | | |
cosign sign --yes --key cosign.key \ | |
-a git_sha="${GITHUB_SHA}" \ | |
-a tag="${versioned_tag}" \ | |
"${image_and_digest}" | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
TOOL: ${{ matrix.tool }} | |
ENVIRONMENT: ${{ matrix.environment }} | |
finalize-the-release: | |
name: Finalize the release | |
needs: [bump-version, distribute] | |
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}" | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout the repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: "${{ needs.bump-version.outputs.git_tag }}" | |
- name: Download the SBOMs and Vuln scan results | |
uses: actions/download-artifact@v4 | |
with: | |
path: ${{ runner.temp }} | |
- name: Publish the release to GitHub | |
uses: softprops/action-gh-release@v2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
name: ${{ needs.bump-version.outputs.git_tag }} | |
tag_name: ${{ needs.bump-version.outputs.git_tag }} | |
generate_release_notes: true | |
files: | | |
${{ runner.temp }}/Vulns_*/vulns.*.json | |
${{ runner.temp }}/SBOM_*/sbom.*.json | |
fail_on_unmatched_files: true | |
draft: false | |
prerelease: false | |
- name: Publish the release README to Docker Hub | |
uses: peter-evans/dockerhub-description@v4 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
repository: seiso/easy_infra |