Update workflows and workflow templates

exasol · Sep 26, 2024 · 46dd4ee · 46dd4ee
1 parent 9a2c155
commit 46dd4ee
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 31 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ on:
       - "main"
       - "master"
   pull_request:
-    types: [ opened, reopened ]
+    types: [opened, reopened]
   schedule:
     # “At 00:00 on every 7th day-of-month from 1 through 31.” (https://crontab.guru)
     - cron: "0 0 1/7 * *"
@@ -17,6 +17,7 @@ jobs:
 
   CI:
     uses: ./.github/workflows/merge-gate.yml
+    secrets: inherit
 
   Metrics:
     needs: [ CI ]

diff --git a/...lbox/templates/github/workflows/ci-cd.yml → ...toolbox/templates/github/workflows/cd.yml b/...lbox/templates/github/workflows/ci-cd.yml → ...toolbox/templates/github/workflows/cd.yml
@@ -1,4 +1,4 @@
-name: CI/CD
+name: CD
 
 on:
   push:
@@ -11,19 +11,9 @@ jobs:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
 
-  ci-job:
-    name: Checks
-    needs: [ check-tag-version-job ]
-    uses: ./.github/workflows/checks.yml
-    secrets: inherit
-
   cd-job:
     name: Continuous Delivery
     needs: [ ci-job ]
     uses: ./.github/workflows/build-and-publish.yml
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-
-  metrics:
-    needs: [ ci-job ]
-    uses: ./.github/workflows/report.yml
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -8,8 +8,8 @@ on:
 
 jobs:
 
-  version-check-job:
-    name: Version Check
+  Version-Check:
+    name: Version
     runs-on: ubuntu-latest
 
     steps:
@@ -22,17 +22,17 @@ jobs:
         uses: exasol/python-toolbox/.github/actions/[email protected]
 
       - name: Check Version(s)
-        run: |
+        run: poetry run version-check `poetry run python -c "from noxconfig import PROJECT_CONFIG; print(PROJECT_CONFIG.version_file)"`
           echo "Please enable the version check by replacing this output with shell command bellow:"
           echo ""
           echo "poetry run version-check <<VERSION_PY>>"
           echo ""
           echo "Note: <<VERSION_PY>> needs to point to the version file of the project (version.py)."
           exit 1
 
-  build-documentation-job:
-    name: Build Documentation
-    needs: [version-check-job]
+  Documentation:
+    name: Docs
+    needs: [ Version-Check ]
     runs-on: ubuntu-latest
 
     steps:
@@ -46,9 +46,9 @@ jobs:
         run: |
           poetry run python -m nox -s build-docs
 
-  lint-job:
+  Lint:
     name: Linting (Python-${{ matrix.python-version }})
-    needs: [version-check-job]
+    needs: [ Version-Check ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -74,9 +74,9 @@ jobs:
           path: .lint.txt
           include-hidden-files: true
 
-  type-check-job:
+  Type-Check:
     name: Type Checking (Python-${{ matrix.python-version }})
-    needs: [version-check-job]
+    needs: [ Version-Check ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -95,9 +95,37 @@ jobs:
       - name: Run type-check
         run: poetry run nox -s type-check
 
-  tests-job:
+  Security:
+    name: Security Checks (Python-${{ matrix.python-version }})
+    needs: [ Version-Check ]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: [ "3.8", "3.9", "3.10", "3.11" ]
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: exasol/python-toolbox/.github/actions/[email protected]
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run security linter
+        run: poetry run nox -s security
+
+      - name: Upload Artifacts
+        uses: actions/[email protected]
+        with:
+          name: security-python${{ matrix.python-version }}
+          path: .security.json
+          include-hidden-files: true
+
+  Tests:
     name: Tests (Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}})
-    needs: [build-documentation-job, lint-job, type-check-job]
+    needs: [ Documentation, Lint, Type-Check, Security]
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ secrets.ALTERNATIVE_GITHUB_TOKEN ||  secrets.GITHUB_TOKEN }}

diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml
@@ -15,11 +15,10 @@ on:
 
 jobs:
 
-  ci-job:
-    name: Checks
-    uses: ./.github/workflows/checks.yml
+  CI:
+    uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
 
-  metrics:
-    needs: [ ci-job ]
+  Metrics:
+    needs: [ CI ]
     uses: ./.github/workflows/report.yml
diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml
@@ -0,0 +1,46 @@
+name: Merge-Gate
+
+on:
+  workflow_call:
+    secrets:
+      ALTERNATIVE_GITHUB_TOKEN:
+        required: false
+
+jobs:
+
+  fast-checks:
+    name: Fast
+    uses: ./.github/workflows/checks.yml
+
+  slow-checks:
+    name: Slow
+    runs-on: ubuntu-latest
+
+    # Even though the "manual-approval" environment will be created automatically,
+    # it still needs to be configured to require manual approval.
+    # See project settings on GitHub (Settings / Environments / manual-approval).
+    environment: manual-approval
+
+    # Replace the steps below with the required actions 
+    # and/or add additional jobs if required
+    # Note: 
+    #   If you add additional jobs, make sure they are added as a requirement 
+    #   to the approve-merge jobs input requirements (needs).
+    steps:
+      - name: Tests
+        run: |
+          echo "Slow tests ran successfully"
+
+
+  # This job ensures inputs have been executed successfully.
+  approve-merge:
+    name: Allow Merge 
+    runs-on: ubuntu-latest
+    # If you need additional jobs to be part of the merge gate, add them below
+    needs: [ fast-checks, slow-checks ]
+
+    # Each job requires a step, so we added this dummy step.
+    steps:
+      - name: Approve 
+        run: |
+          echo "Merge Approved"
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
@@ -9,7 +9,6 @@ on:
 jobs:
 
   report:
-    name: Generate Status Report
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ secrets.ALTERNATIVE_GITHUB_TOKEN ||  secrets.GITHUB_TOKEN }}
@@ -33,12 +32,13 @@ jobs:
         run: |
           cp coverage-python3.9/.coverage ../
           cp lint-python3.9/.lint.txt ../
+          cp security-python3.9/.security.json ../
 
       - name: Generate Report
         run: poetry run nox -s report -- -- --format json | tee metrics.json
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4.4.0
         with:
           name: metrics.json
           path: metrics.json