chore(deps): update aquasecurity/trivy-action action to v0.29.0 #562
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| "on": | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| paths: | |
| - ".github/workflows/ci.yml" | |
| - ".github/cookiecutter-example.yml" | |
| - "{{ cookiecutter.project_slug }}/**" | |
| - "cookiecutter.json" | |
| - "requirements-dev.txt" | |
| permissions: read-all | |
| # Cancel running jobs when a pull request is updated | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
| cancel-in-progress: true | |
| jobs: | |
| test-generic: | |
| name: Generic CookieCutter Tests | |
| runs-on: ubuntu-latest | |
| env: | |
| PY_COLORS: 1 | |
| TOXENV: pypy3-piplatest | |
| TOX_PARALLEL_NO_SPINNER: 1 | |
| steps: | |
| ### GENERIC COOKIECUTTER INITIALIZATION STEPS ### | |
| - name: check out the codebase | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
| - name: set up python 3 | |
| uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4 | |
| with: | |
| python-version: "3.7" | |
| - name: setup/activate pre-commit cache | |
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3 | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: ${{ hashFiles('**/.pre-commit-config.yaml') }} | |
| - name: setup/activate cookiecutter-venv cache | |
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3 | |
| with: | |
| path: cookiecutter-venv | |
| key: ${{ hashFiles('requirements-dev.txt') }} | |
| - name: install cookiecutter development dependencies | |
| run: | | |
| python3 -m venv cookiecutter-venv | |
| source cookiecutter-venv/bin/activate | |
| python3 -m pip install -r requirements-dev.txt | |
| - name: Generate example project from cookiecutter. | |
| run: | | |
| source cookiecutter-venv/bin/activate | |
| cookiecutter . --config-file .github/cookiecutter-example.yml --no-input | |
| # trivia: https://github.com/JonasPammer/cookiecutter-pypackage/issues/91 | |
| - name: run pip-compile commands in generated project | |
| run: | | |
| source ../cookiecutter-venv/bin/activate | |
| pip-compile --resolver=backtracking --generate-hashes | |
| pip-compile --resolver=backtracking requirements-dev.in | |
| pip-compile --resolver=backtracking requirements-build.in | |
| working-directory: ./some-package | |
| - name: install dependencies of generated project | |
| run: | | |
| python3 -m venv project-venv | |
| source project-venv/bin/activate | |
| python3 -m pip install -r requirements-dev.txt | |
| python3 -m pip install -r requirements.txt --require-hashes | |
| working-directory: ./some-package | |
| - name: Run pre-commit on all files in generated project | |
| run: | | |
| git init | |
| git add . | |
| source project-venv/bin/activate | |
| SKIP=pip-compile pre-commit run --all-files --show-diff-on-failure | |
| working-directory: ./some-package | |
| - name: upload generated project as CI Artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3 | |
| with: | |
| name: cookiecutter-pypackage-example | |
| path: | | |
| ./some-package | |
| !./some-package/project-venv | |
| ### COOKIECUTTER SPECIFIC STEPS ### | |
| ## TEST PyPy ## | |
| - name: set up python 3 (pypy) | |
| uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4 | |
| with: | |
| python-version: "pypy-3.7" | |
| - name: Run tox with '${{ env.TOXENV }}' environment | |
| run: | | |
| source project-venv/bin/activate | |
| tox | |
| working-directory: ./some-package | |
| ## TEST DOCKERFILE ## | |
| - name: set up qemu | |
| uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2 | |
| - name: set up docker buildx | |
| uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2 | |
| - name: Build Dockerfile of generated project | |
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4 | |
| with: | |
| context: ./some-package | |
| tags: jonaspammer/some-package:latest | |
| load: true | |
| push: false | |
| - name: Run Trivy vulnerability scanner on generated docker image | |
| uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 | |
| with: | |
| image-ref: jonaspammer/some-package:latest | |
| format: table | |
| exit-code: 1 | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| # We've successfully built it, we've successfully statically scanned it, | |
| # and now we run it | |
| - name: Run Docker Smoke Test | |
| run: python3 docker_smoke_test.py | |
| working-directory: ./some-package | |
| # as per ci.yml of actual cookie | |
| test: | |
| name: ${{ matrix.os }} / CPython ${{ matrix.python-version }} / ${{ matrix.pip-version }} pip (Tox, Coverage and Build) | |
| runs-on: ${{ matrix.os }}-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - Ubuntu | |
| - Windows | |
| - macOS | |
| python-version: | |
| - "3.7" | |
| - "3.8" | |
| - "3.9" | |
| - "3.10" | |
| pip-version: | |
| - "latest" | |
| - "previous" | |
| env: | |
| PY_COLORS: 1 | |
| TOXENV: pip${{ matrix.pip-version }} | |
| TOX_PARALLEL_NO_SPINNER: 1 | |
| steps: | |
| ### INITIALIZATION ### | |
| - name: check out the codebase | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
| - name: set up python ${{ matrix.python-version }} using github's action | |
| uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4 | |
| if: "!endsWith(matrix.python-version, '-dev')" | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: log python version info (${{ matrix.python-version }}) | |
| run: python --version --version | |
| - name: install cookiecutter development dependencies | |
| run: python -m pip install -r requirements-dev.txt | |
| - name: Generate example project from cookiecutter. | |
| run: cookiecutter . --config-file .github/cookiecutter-example.yml --no-input | |
| - name: get pip cache dir | |
| id: pip-cache | |
| run: | | |
| echo "::set-output name=dir::$(pip cache dir)" | |
| - name: setup/activate pip cache | |
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3 | |
| with: | |
| path: ${{ steps.pip-cache.outputs.dir }} | |
| key: >- | |
| ${{ runner.os }}-pip- | |
| ${{ hashFiles('*/setup.*') }}- | |
| ${{ hashFiles('*/requirements*') }}- | |
| ${{ hashFiles('*/tox.ini') }}- | |
| ${{ hashFiles('*/.pre-commit-config.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| ${{ runner.os }}- | |
| # trivia: https://github.com/JonasPammer/cookiecutter-pypackage/issues/91 | |
| - name: run pip-compile commands in generated project | |
| run: | | |
| pip-compile --resolver=backtracking --generate-hashes | |
| pip-compile --resolver=backtracking requirements-dev.in | |
| pip-compile --resolver=backtracking requirements-build.in | |
| working-directory: ./some-package | |
| - name: install dependencies of generated project | |
| run: | | |
| python -m pip install -r requirements-dev.txt | |
| python -m pip install -r requirements.txt --require-hashes | |
| working-directory: ./some-package | |
| ### ACTUAL STEPS ### | |
| ## RUN TESTS ## | |
| - name: Run tox with '${{ env.TOXENV }}' environment | |
| run: tox | |
| working-directory: ./some-package | |
| - name: generate coverage xml | |
| run: .tox/pip${{ matrix.pip-version }}/${{ matrix.os == 'Windows' && 'Scripts' || 'bin' }}/coverage xml -o coverage.xml | |
| working-directory: ./some-package | |
| ## TEST SETUPTOOLS BUILD ## | |
| # as per .github/workflows/release-to-pypi.yml | |
| - name: install build dependencies of generated project | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install -r requirements-build.txt | |
| working-directory: ./some-package | |
| - name: Build python package (wheel etc.) | |
| run: python -m build | |
| working-directory: ./some-package |