Bump github/codeql-action in the github-actions-all group #5301
Workflow file for this run
---
name: Build

# Events that start this workflow.
on:
  # Any push, on any branch.
  push:
    branches:
      - "**"
  pull_request:
  release:
    types:
      - edited
      - published
  schedule:
    # Daily at 10:00 (GitHub evaluates cron schedules in UTC).
    - cron: "0 10 * * *"
  workflow_dispatch:
    inputs:
      # NOTE(review): this input is not referenced anywhere else in this
      # file; presumably a called workflow reads it from the event payload.
      # Confirm.
      dispatch-tag:
        description: 'Tag to apply to pushed images'
        required: true
        default: 'dispatch'

# Workflow-wide default for the job token: read-only. A job that needs more
# has to declare its own `permissions:` block.
permissions:
  actions: read
  contents: read
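# NOTE(review): the felddy/reusable-workflows references below use the
# mutable tag `@v2`, while the harden-runner action is pinned to a full
# commit SHA. Several of these called workflows receive registry and
# foundry credentials, so pinning them to a commit SHA as well would give
# the same immutability guarantee.
jobs:
  diagnostics:
    name: "Diagnostics"
    uses: felddy/reusable-workflows/.github/workflows/diagnostics.yml@v2

  config:
    name: "Config"
    uses: ./.github/workflows/_config.yml

  metadata:
    name: "Metadata"
    needs: [config]
    uses: felddy/reusable-workflows/.github/workflows/docker-metadata.yml@v2
    with:
      image_name: ${{ needs.config.outputs.image_name }}

  # Gate job: fails early, with a warning annotation, when the foundry
  # credentials are not available to this run.
  foundry-secrets:
    name: "Foundry secrets"
    runs-on: ubuntu-latest
    steps:
      # No allowed endpoints are listed, so outbound traffic from this job
      # is blocked; the check below only inspects environment variables.
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f  # tag=v2.10.2
        with:
          egress-policy: block
      # The secrets reach the script through `env:` instead of being
      # expanded into the script text. Expression expansion happens before
      # the shell parses the script, so a value containing quotes, `$` or
      # backticks would otherwise alter the script itself and be written
      # into the generated script file on the runner.
      - name: Check foundry.com credentials
        env:
          FOUNDRY_USERNAME: ${{ secrets.FOUNDRY_USERNAME }}
          FOUNDRY_PASSWORD: ${{ secrets.FOUNDRY_PASSWORD }}
        run: |
          return_code=0
          if [ -z "${FOUNDRY_USERNAME}" ]; then
            echo "::warning::Set the FOUNDRY_USERNAME secret."
            return_code=1
          fi
          if [ -z "${FOUNDRY_PASSWORD}" ]; then
            echo "::warning::Set the FOUNDRY_PASSWORD secret."
            return_code=1
          fi
          exit "${return_code}"

  # Gate job for the registry credentials; same pattern as foundry-secrets.
  docker-secrets:
    name: "Docker secrets"
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f  # tag=v2.10.2
        with:
          egress-policy: block
      - name: Check docker.com credentials
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          return_code=0
          if [ -z "${DOCKER_USERNAME}" ]; then
            echo "::warning::Set the DOCKER_USERNAME secret."
            return_code=1
          fi
          if [ -z "${DOCKER_PASSWORD}" ]; then
            echo "::warning::Set the DOCKER_PASSWORD secret."
            return_code=1
          fi
          exit "${return_code}"

  # Gate job for the key used to encrypt archived artifacts.
  artifact-key:
    name: "Artifact key"
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f  # tag=v2.10.2
        with:
          egress-policy: block
      - name: Check artifact key
        env:
          ARTIFACT_KEY: ${{ secrets.ARTIFACT_KEY }}
        run: |
          if [ -z "${ARTIFACT_KEY}" ]; then
            echo "::warning::Set the ARTIFACT_KEY secret."
            exit 1
          fi

  lint:
    name: "Lint"
    needs: [config]
    uses: felddy/reusable-workflows/.github/workflows/common-lint.yml@v2

  # Image for the test platform without credentials baked in. No
  # image_archive_key is passed, so this archive is not encrypted.
  build-normal-test-image:
    name: "Build normal test image"
    needs:
      - config
      - lint
      - metadata
    uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2
    with:
      artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ needs.config.outputs.test_platform }}
      build_arg_1_name: VERSION
      cache_from_scopes: ${{ needs.config.outputs.test_platform }}
      cache_to_scope: ${{ needs.config.outputs.test_platform }}
      image_archive_name_stem: ${{ needs.config.outputs.test_platform }}
      image_labels: ${{ needs.metadata.outputs.image_labels }}
      platforms: ${{ needs.config.outputs.test_platform }}
    secrets:
      build_arg_1_value: ${{ needs.metadata.outputs.source_version }}

  # Image built with the foundry credentials supplied as build arguments.
  # NOTE(review): values passed as build arguments are commonly recoverable
  # from image metadata; how the called workflow forwards them is not
  # visible here. The archive is encrypted with image_archive_key, and the
  # `pre-installed-` artifact prefix presumably keeps this image out of the
  # `<stem>-*` pattern used by the publish job. Confirm both.
  build-pre-installed-test-image:
    name: "Build pre-installed test image"
    needs:
      - artifact-key
      - config
      - foundry-secrets
      - lint
      - metadata
    uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2
    with:
      artifact_name: pre-installed-${{ needs.config.outputs.image_artifact_name_stem }}-${{ needs.config.outputs.test_platform }}
      build_arg_1_name: FOUNDRY_PASSWORD
      build_arg_2_name: FOUNDRY_USERNAME
      build_arg_3_name: VERSION
      cache_from_scopes: ${{ needs.config.outputs.test_platform }}-pre-installed
      cache_to_scope: ${{ needs.config.outputs.test_platform }}-pre-installed
      image_archive_name_stem: ${{ needs.config.outputs.test_platform }}
      image_labels: ${{ needs.metadata.outputs.image_labels }}
      platforms: ${{ needs.config.outputs.test_platform }}
    secrets:
      build_arg_1_value: ${{ secrets.FOUNDRY_PASSWORD }}
      build_arg_2_value: ${{ secrets.FOUNDRY_USERNAME }}
      build_arg_3_value: ${{ needs.metadata.outputs.source_version }}
      image_archive_key: ${{ secrets.ARTIFACT_KEY }}

  # Since we need to pass the foundryvtt.com credentials to the tests, we can't
  # use the standard reusable test workflow. Instead, we'll use a modified
  # version of the workflow that accepts the credential secrets and is stored in
  # this repository.
  test-normal-image:
    name: "Test normal image"
    needs:
      - artifact-key
      - build-normal-test-image
      - config
      - foundry-secrets
    uses: ./.github/workflows/docker-pytest-image.yml
    with:
      data_artifact_name: ${{ needs.config.outputs.data_artifact_name }}
      data_artifact_path: ${{ needs.config.outputs.data_artifact_path }}
      image_artifact_name: ${{ needs.build-normal-test-image.outputs.artifact_name }}
      image_archive_name: ${{ needs.build-normal-test-image.outputs.image_archive_name }}
    secrets:
      data_archive_key: ${{ secrets.ARTIFACT_KEY }}
      foundry_password: ${{ secrets.FOUNDRY_PASSWORD }}
      foundry_username: ${{ secrets.FOUNDRY_USERNAME }}

  # The pre-installed image gets no foundry credentials at test time, only
  # the key needed to read the image archive and protect the data archive.
  test-pre-installed-image:
    name: "Test pre-installed image"
    needs:
      - artifact-key
      - build-pre-installed-test-image
      - config
    uses: ./.github/workflows/docker-pytest-image.yml
    with:
      data_artifact_name: pre-installed-${{ needs.config.outputs.data_artifact_name }}
      data_artifact_path: ${{ needs.config.outputs.data_artifact_path }}
      image_artifact_name: ${{ needs.build-pre-installed-test-image.outputs.artifact_name }}
      image_archive_name: ${{ needs.build-pre-installed-test-image.outputs.image_archive_name }}
    secrets:
      data_archive_key: ${{ secrets.ARTIFACT_KEY }}
      image_archive_key: ${{ secrets.ARTIFACT_KEY }}

  # Builds every remaining platform once both test jobs have passed. The
  # test platform is excluded because build-normal-test-image already
  # produced an artifact with the same `<stem>-<platform>` name.
  build-each-platform:
    name: "Build platform"
    needs:
      - config
      - lint
      - metadata
      - test-normal-image
      - test-pre-installed-image
    # Not run for pull requests.
    if: github.event_name != 'pull_request'
    strategy:
      matrix:
        platform: ${{ fromJson(needs.config.outputs.platforms_json) }}
        exclude:
          - platform: ${{ needs.config.outputs.test_platform }}
    uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2
    with:
      artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ matrix.platform }}
      build_arg_1_name: VERSION
      cache_from_scopes: ${{ matrix.platform }}
      cache_to_scope: ${{ matrix.platform }}
      image_labels: ${{ needs.metadata.outputs.image_labels }}
      image_archive_name_stem: ${{ matrix.platform }}
      platforms: ${{ matrix.platform }}
    secrets:
      build_arg_1_value: ${{ needs.metadata.outputs.source_version }}

  generate-sboms:
    name: "Bill of Materials"
    needs:
      - build-each-platform
      - config
    # A job-level block replaces the workflow default instead of extending
    # it: this job's token gets write access to repository contents and
    # nothing else. Why the called workflow needs write access is not
    # visible in this file.
    permissions:
      contents: write
    strategy:
      matrix:
        platform: ${{ fromJson(needs.config.outputs.platforms_json) }}
    uses: felddy/reusable-workflows/.github/workflows/sbom-artifact.yml@v2
    with:
      image_artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ matrix.platform }}
      sbom_artifact_name: ${{ needs.config.outputs.sbom_artifact_name_stem }}-${{ matrix.platform }}

  # Assembles the per-platform artifacts and pushes the image. This is one
  # of the two jobs that hand the registry credentials to a called workflow.
  build-multi-arch-image:
    name: "Publish image"
    needs:
      - build-each-platform
      - config
      - docker-secrets
      - metadata
    if: github.event_name != 'pull_request'
    permissions:
      packages: write
    uses: felddy/reusable-workflows/.github/workflows/docker-multi-arch-push.yml@v2
    with:
      artifact_name_pattern: ${{ needs.config.outputs.image_artifact_name_stem }}-*
      image_tags: ${{ needs.metadata.outputs.image_tags }}
    secrets:
      docker_password: ${{ secrets.DOCKER_PASSWORD }}
      docker_username: ${{ secrets.DOCKER_USERNAME }}

  publish-readme:
    name: "Publish docs"
    needs:
      - build-multi-arch-image
      - config
      - docker-secrets
      - metadata
    # Job outputs are strings, hence the comparison with 'true'.
    if: needs.metadata.outputs.latest == 'true'
    uses: felddy/reusable-workflows/.github/workflows/docker-publish-description.yml@v2
    with:
      image_name: ${{ needs.config.outputs.image_name }}
    secrets:
      docker_password: ${{ secrets.DOCKER_PASSWORD }}
      docker_username: ${{ secrets.DOCKER_USERNAME }}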