Port to pdm #2221
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| # About steps requiring the GITGUARDIAN_API_KEY: | |
| # | |
| # For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This | |
| # causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered | |
| # by a pull request from a fork. | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - '*' | |
| tags-ignore: | |
| - '*' | |
| paths-ignore: | |
| - 'doc/**' | |
| - 'README.md' | |
| jobs: | |
| lint: | |
| name: Lint package | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python 3.10 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install --upgrade pdm pre-commit | |
| pdm sync --dev | |
| - uses: actions/cache@v3 | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} | |
| - name: Install pre-commit hooks | |
| run: pre-commit install --install-hooks | |
| - name: Skip ggshield hooks when running from a fork | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ github.event.pull_request.head.repo.fork }} | |
| run: | | |
| echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV | |
| - name: Run pre-commit checks | |
| run: | | |
| pre-commit run --show-diff-on-failure --all-files | |
| env: | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| - name: Check commit messages | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| PR_REF="${GITHUB_REF%/merge}/head" | |
| git fetch origin "$PR_REF" | |
| if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then | |
| echo 'Error: this pull request contains fixup commits. Squash them.' | |
| exit 1 | |
| fi | |
| # In case `git log` fails | |
| exit "${PIPESTATUS[0]}" | |
| build: | |
| name: Build and Test | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-22.04, macos-13, windows-2022] | |
| python-version: ['3.9', '3.10', '3.11'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Get enough commits to run `ggshield secret scan commit-range` on ourselves | |
| fetch-depth: 10 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install --upgrade pdm | |
| pdm sync --global --project . --group dev --group tests | |
| - name: Override base Docker image used for functional tests on Windows | |
| if: matrix.os == 'windows-2022' | |
| # This is required because GitHub Windows runner is not configured to | |
| # run Linux-based Docker images | |
| shell: bash | |
| run: | | |
| echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV | |
| - name: Ensure a clean package installation | |
| run: | | |
| python -m pip install --upgrade check-wheel-contents | |
| pdm build --no-sdist | |
| # The created wheel (.whl) file will be found and analyzed within the `dist/` folder | |
| check-wheel-contents dist/ | |
| - name: Run unit tests | |
| run: | | |
| pdm run coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit | |
| - name: Gather coverage report | |
| run: | | |
| pdm run coverage report --fail-under=80 | |
| pdm run coverage xml | |
| - uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: false | |
| - name: Run functional tests | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| shell: bash | |
| run: | | |
| make functest | |
| env: | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }} | |
| TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }} | |
| TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }} | |
| TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }} | |
| build_os_packages: | |
| uses: ./.github/workflows/build_release_assets.yml | |
| secrets: inherit | |
| test_github_secret_scan_action: | |
| name: Test GitHub action for `secret scan` | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Scan commits for hardcoded secrets | |
| uses: ./actions-unstable/secret | |
| env: | |
| GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
| GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
| GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| test_github_iac_scan_action: | |
| name: Test GitHub action for `iac scan` | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Scan commits for IaC vulnerabilities | |
| uses: ./actions-unstable/iac | |
| with: | |
| args: . | |
| env: | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| test_github_sca_scan_action: | |
| name: Test GitHub action for `sca scan` | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Scan commits for SCA vulnerabilities | |
| uses: ./actions-unstable/sca | |
| with: | |
| args: . | |
| env: | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| dockerhub-unstable: | |
| name: Push Docker image to Docker Hub | |
| runs-on: ubuntu-22.04 | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| needs: | |
| - lint | |
| - build | |
| - test_github_iac_scan_action | |
| - test_github_sca_scan_action | |
| - test_github_secret_scan_action | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Build and push | |
| uses: docker/build-push-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| repository: gitguardian/ggshield | |
| tags: unstable | |
| github_packages-unstable: | |
| name: Push Docker image to GitHub Packages | |
| runs-on: ubuntu-22.04 | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| needs: | |
| - lint | |
| - build | |
| - test_github_iac_scan_action | |
| - test_github_sca_scan_action | |
| - test_github_secret_scan_action | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Push to GitHub Packages | |
| uses: docker/build-push-action@v1 | |
| with: | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: docker.pkg.github.com | |
| repository: gitguardian/ggshield/ggshield | |
| tags: unstable |