Skip Comment Feature (#530) #344
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- 'docs/**' | |
- 'INTHEWILD.md' | |
- 'README.md' | |
- '.github/**' | |
- '.pre-commit-config.yaml' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
permissions: | |
contents: read | |
concurrency: | |
group: 'build' | |
cancel-in-progress: true | |
jobs: | |
security: | |
uses: ./.github/workflows/security-shared.yml | |
secrets: inherit | |
test: | |
runs-on: [self-hosted, public, linux, x64] | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 | |
with: | |
token: ${{ secrets.PAT }} | |
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v3 | |
with: | |
# needed for terraform-setup https://github.com/hashicorp/setup-terraform/issues/84 | |
node-version: '16' | |
- name: Install Go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4 | |
with: | |
go-version: 1.19 | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2 | |
with: | |
terraform_version: 0.14.5 | |
- name: Terraform Init | |
working-directory: ./tests/terraform/resources | |
run: terraform init | |
- name: Prepare external plugin tests | |
run: | | |
go build -buildmode=plugin -o tests/yor_plugins/example/extra_tags.so tests/yor_plugins/example/*.go | |
go build -buildmode=plugin -o tests/yor_plugins/tag_group_example/extra_tag_groups.so tests/yor_plugins/tag_group_example/*.go | |
- name: Test | |
run: | | |
go build -v && go test ./src/... -covermode=count -coverprofile=coverage.out | |
go tool cover -func=coverage.out -o=coverage.out | |
- name: Go Coverage Badge # Pass the `coverage.out` output to this action | |
uses: tj-actions/coverage-badge-go@7f447a2281e6c95d57526e53b2e800dfb3c07425 # v2 | |
with: | |
filename: coverage.out | |
- name: Verify Changed files | |
uses: tj-actions/verify-changed-files@7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0 # v16 | |
id: verify-changed-files | |
with: | |
files: README.md | |
- name: Commit + Push changes | |
if: steps.verify-changed-files.outputs.files_changed == 'true' | |
env: | |
GITHUB_TOKEN: ${{ secrets.PAT }} | |
run: | | |
git config --local user.email "action@github.com" | |
git config --local user.name "GitHub Action" | |
git add README.md | |
git commit -m "chore: Updated coverage badge." | |
git push origin | |
linter: | |
name: golangci-lint | |
runs-on: [self-hosted, public, linux, x64] | |
permissions: | |
checks: write | |
contents: read | |
pull-requests: write | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 | |
- name: golangci-lint | |
uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2 | |
with: | |
tool_name: golangci-lint | |
fail_on_error: true | |
golangci_lint_flags: "--skip-dirs tests/yor_plugins" | |
integration-tests: | |
runs-on: [self-hosted, public, linux, x64] | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 | |
- name: Install Go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4 | |
with: | |
go-version: 1.19 | |
- name: build | |
run: go build | |
- name: Clone Terragoat - vulnerable terraform | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 | |
with: | |
repository: bridgecrewio/terragoat # clone https://github.com/bridgecrewio/terragoat/ | |
fetch-depth: 0 | |
clean: false | |
path: 'terragoat' | |
ref: 063dc2db3bb036160ed39d3705508ee8293a27c8 | |
- name: Run yor | |
run: | | |
git config --local user.email "action@github.com" | |
./yor list-tags -g code2cloud,git > list-tags-result.txt | |
./yor tag -d terragoat -o json --output-json-file result.json | |
go test -race ./tests/integration/... | |
create-release: | |
runs-on: [self-hosted, public, linux, x64] | |
needs: | |
- integration-tests | |
- test | |
- linter | |
permissions: | |
contents: write | |
outputs: | |
version: ${{ steps.version.outputs.new_tag }} | |
steps: | |
- name: Wait for coverage to update | |
run: sleep 10s | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 | |
with: | |
ref: main | |
- name: version | |
uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36 # v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
WITH_V: false | |
RELEASE_BRANCHES: main | |
DEFAULT_BUMP: patch | |
id: version | |
- name: Install Go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4 | |
with: | |
go-version: 1.19 | |
- name: Git Fetch Repo | |
run: | | |
git fetch | |
- uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4 | |
name: goreleaser | |
with: | |
version: latest | |
args: release --rm-dist | |
env: | |
GITHUB_TOKEN: ${{ secrets.PAT }} | |
# - name: Update go reportcard | |
# uses: creekorful/goreportcard-action@v1.0 | |
publish-dockerhub: | |
runs-on: [self-hosted, public, linux, x64] | |
needs: | |
- create-release | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 | |
- name: Publish to Registry | |
uses: elgohr/Publish-Docker-Github-Action@d0321869e187cfd3124343ea2b39b1db31f89685 # v5 | |
with: | |
name: bridgecrew/yor | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
buildoptions: "--no-cache" | |
tags: "latest,${{ needs.create-release.outputs.version }}" | |
- name: Update Docker Hub README | |
uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
repository: bridgecrew/yor | |
short-description: ${{ github.event.repository.description }} | |
update-bridgecrew-projects: | |
needs: publish-dockerhub | |
runs-on: [self-hosted, public, linux, x64] | |
steps: | |
- name: update on yor release | |
run: | | |
curl -XPOST -H "Authorization: token ${{ secrets.PAT }}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/yor-action/dispatches --data '{"event_type": "build"}' | |
curl -XPOST -H "Authorization: token ${{ secrets.PAT }}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/yor-choco/dispatches --data '{"event_type": "build"}' | |
curl -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-yor&token=${{ secrets.BC_JENKINS_TOKEN }}" |