-
Notifications
You must be signed in to change notification settings - Fork 8
188 lines (155 loc) · 5.38 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
name: CI
# only run tests for pull requests cause no file has to be changed without review
# open -> open the pull request
# synchronize -> push to branch of pull request
on:
pull_request:
types: [opened, synchronize]
jobs:
test:
uses: ./.github/workflows/testing.yml
build-docs:
runs-on: ubuntu-22.04
strategy:
matrix:
python-version: ["3.10"]
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: "pip"
- name: Install dependencies
run: |
sudo apt-get update && sudo apt-get -y install pandoc
pip install --upgrade pip wheel
pip install .[doc]
- name: build docs
run: |
cd doc
sphinx-apidoc -fT -o source/module_reference ../logprep
make clean html
code-quality:
runs-on: ubuntu-22.04
strategy:
matrix:
python-version: ["3.10"]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: azure/[email protected]
with:
version: "latest"
id: install
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: "pip"
- name: Get changed python files
id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
**/*.py
- name: Install dependencies
run: |
pip install --upgrade pip wheel
pip install .[dev]
- name: check black formating
run: |
black --check --diff --config ./pyproject.toml .
- name: lint helm charts
run: |
helm lint --strict ./charts/logprep
- name: lint changed and added files
if: steps.changed-files.outputs.all_changed_files
run: |
pylint --rcfile=.pylintrc --fail-under 9.5 ${{ steps.changed-files.outputs.all_changed_files }}
- name: Run tests and collect coverage
run: pytest tests/unit --cov=logprep --cov-report=xml
- name: Upload coverage reports to Codecov with GitHub Action
uses: codecov/codecov-action@v2
containerbuild:
strategy:
fail-fast: false
matrix:
python-version: ["3.10", "3.11", "3.12"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build image and export to Docker
uses: docker/build-push-action@v6
with:
context: .
load: true
build-args: |
LOGPREP_VERSION=dev
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
- name: Ensure logprep is available in image
run: |
docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version
# This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
- name: Push image
uses: docker/build-push-action@v6
id: build-and-push
with:
context: .
push: true
build-args: |
LOGPREP_VERSION=dev
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Scan image using Trivy
uses: aquasecurity/[email protected]
env:
TRIVY_CACHE_DIR: ./cache
with:
scan-type: image
image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
trivy-config: trivy.yaml
# Trivy-db uses `0600` permissions.
# But `action/cache` use `runner` user by default
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.1'
- name: Sign image with a key
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
- uses: anchore/sbom-action@v0
with:
image: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}