Skip to content

Commit

Permalink
unlinked helx-actions
Browse files Browse the repository at this point in the history
  • Loading branch information
@pchachicho
pchachicho committed Jun 7, 2024
1 parent 473816a commit 98257d9
Show file tree
Hide file tree
Showing 4 changed files with 333 additions and 10 deletions.
63 changes: 61 additions & 2 deletions .github/workflows/build-push-dev-image.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,64 @@ on:

jobs:
build-push-dev-image:
uses: helxplatform/helx-github-actions/.github/workflows/build-push-dev-image.yml@main
secrets: inherit
runs-on: ubuntu-latest
steps:

- name: Checkout Code
uses: actions/checkout@v3
with:
ref: ${{ github.head_ref }}
# fetch-depth: 0 means, get all branches and commits
fetch-depth: 0

- name: Set short git commit SHA
id: vars
run: |
echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT
# https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

- name: Confirm git commit SHA output
run: echo ${{ steps.vars.outputs.short_sha }}

# Docker Buildx is important to caching in the Build And Push Container
# step
# https://github.com/marketplace/actions/build-and-push-docker-images

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
network=host
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true

- name: Login to Container Registry
uses: docker/login-action@v3
with:
registry: containers.renci.org
username: ${{ secrets.CONTAINERHUB_USERNAME }}
password: ${{ secrets.CONTAINERHUB_TOKEN }}
logout: true


# Notes on Cache:
# https://docs.docker.com/build/ci/github-actions/examples/#inline-cache
- name: Build Push Container
uses: docker/build-push-action@v5
with:
context: .
push: true
# Push to renci-registry and dockerhub here.
# cache comes from dockerhub.
tags: |
${{ github.repository }}:develop
${{ github.repository }}:${{ steps.vars.outputs.short_sha }}
containers.renci.org/${{ github.repository }}:develop
containers.renci.org/${{ github.repository }}:${{ steps.vars.outputs.short_sha }}
cache-from: type=registry,ref=${{ github.repository }}:buildcache-dev
cache-to: type=registry,ref=${{ github.repository }}:buildcache-dev,mode=max
110 changes: 108 additions & 2 deletions .github/workflows/build-push-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,111 @@ on:
- '*'
jobs:
build-push-release:
uses: helxplatform/helx-github-actions/.github/workflows/build-push-release.yml@main
secrets: inherit
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
with:
ref: ${{ github.head_ref }}
fetch-depth: 0

- name: Set short git commit SHA
id: vars
run: |
echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT
# https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

- name: Confirm git commit SHA output
run: echo ${{ steps.vars.outputs.short_sha }}

# https://github.com/marketplace/actions/git-semantic-version
- name: Semver Check
uses: paulhatch/[email protected]
id: version
with:
# The prefix to use to identify tags
tag_prefix: "v"
# A string which, if present in a git commit, indicates that a change represents a
# major (breaking) change, supports regular expressions wrapped with '/'
major_pattern: "/breaking:|major:/"
# A string which indicates the flags used by the `major_pattern` regular expression. Supported flags: idgs
major_regexp_flags: "ig"
# Same as above except indicating a minor change, supports regular expressions wrapped with '/'
minor_pattern: "/feat:|feature:|minor:/"
# A string which indicates the flags used by the `minor_pattern` regular expression. Supported flags: idgs
minor_regexp_flags: "ig"
# A string to determine the format of the version output
# version_format: "${major}.${minor}.${patch}-prerelease${increment}"
version_format: "${major}.${minor}.${patch}"
search_commit_body: false

# Docker Buildx is important to caching in the Build And Push Container
# step
# https://github.com/marketplace/actions/build-and-push-docker-images
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
network=host
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true

- name: Login to Container Registry
uses: docker/login-action@v3
with:
registry: containers.renci.org
username: ${{ secrets.CONTAINERHUB_USERNAME }}
password: ${{ secrets.CONTAINERHUB_TOKEN }}
logout: true

# Notes on Cache:
# https://docs.docker.com/build/ci/github-actions/examples/#inline-cache
- name: Build Push Container
uses: docker/build-push-action@v5
with:
push: true
# Push to renci-registry and dockerhub here.
# cache comes from dockerhub.
tags: |
containers.renci.org/${{ github.repository }}:v${{ steps.version.outputs.version }}
containers.renci.org/${{ github.repository }}:latest
containers.renci.org/${{ github.repository }}:${{ steps.vars.outputs.short_sha }}
${{ github.repository }}:v${{ steps.version.outputs.version }}
${{ github.repository }}:latest
${{ github.repository }}:${{ steps.vars.outputs.short_sha }}
cache-from: type=registry,ref=${{ github.repository }}:buildcache-release
cache-to: type=registry,ref=${{ github.repository }}:buildcache-release,mode=max

#==========================TAG & RELEASE W/ NOTES =========================

# Note: GITHUB_TOKEN is autogenerated feature of github app
# which is auto-enabled when using github actions.
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication
# https://docs.github.com/en/rest/git/tags?apiVersion=2022-11-28#create-a-tag-object
# https://docs.github.com/en/rest/git/refs?apiVersion=2022-11-28#create-a-reference
# This creates a "lightweight" ref tag.
- name: Create Tag for Release
run: |
curl \
-s --fail -X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/git/refs \
-d '{"ref":"refs/tags/v${{ steps.version.outputs.version }}","sha":"${{ github.sha }}"}'
# https://cli.github.com/manual/gh_release_create
- name: Create Release
env:
RELEASE_VERSION: ${{ steps.version.outputs.version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release create ${{ env.RELEASE_VERSION }} \
-t "${{ env.RELEASE_VERSION }}" \
--generate-notes \
--latest
120 changes: 117 additions & 3 deletions .github/workflows/code-checks.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,120 @@ on:
- .githooks

jobs:
build-push-release:
uses: helxplatform/helx-github-actions/.github/workflows/code-checks.yml@main
secrets: inherit
############################## flake8-linter ##############################
flake8-linter:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.12'

# Currently actions/setup-python supports caching
# but the cache is not as robust as cache action.
# Here we cache the entire python env which speeds subsequent builds up alot. (alot being scientific term)
# Ref: https://blog.allenai.org/python-caching-in-github-actions-e9452698e98d
- uses: actions/cache@v3
name: Cache Python
with:
path: ${{ env.pythonLocation }}
key: ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('pyproject.toml') }}

- name: Install Requirements
run: |
pip install -r requirements.txt
- name: Lint with flake8
run: |
pip install flake8
flake8 --ignore=E,W src
# We continue on error here until the code is clean
# flake8 --ignore=E,W --exit-zero .
continue-on-error: true

################################### PYTEST ###################################
pytest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.12'

- name: Install Requirements
run: |
pip install -r requirements.txt
pip install coverage
pip install .
- name: Test with pytest
run: |
make test
############################ Bandit ################################
bandit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.12'

- name: Install Requirements
run: |
pip install -r requirements.txt
pip install bandit
pip install .
# Only report high security issues
- name: Test with Bandit
run: |
bandit -r src -n3 -lll
############################## test-image-build ##############################
test-image-build:
runs-on: ubuntu-latest
# if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- uses: actions/checkout@v3

- name: Set short git commit SHA
id: vars
run: |
echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT
# https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

- name: Confirm git commit SHA output
run: echo ${{ steps.vars.outputs.short_sha }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true

- name: Parse Github Reference Name
id: branch
run: |
REF=${{ github.ref_name }}
echo "GHR=${REF%/*}" >> $GITHUB_OUTPUT
# Notes on Cache:
# https://docs.docker.com/build/ci/github-actions/examples/#inline-cache
- name: Build Container
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: |
${{ github.repository }}:test_${{ steps.branch.outputs.GHR }}
cache-from: type=registry,ref=${{ github.repository }}:buildcache
cache-to: type=registry,ref=${{ github.repository }}:buildcache,mode=max
50 changes: 47 additions & 3 deletions .github/workflows/trivy-pr-scan.yml
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@

name: trivy-pr-scan
on:
pull_request:
Expand All @@ -19,5 +18,50 @@ on:

jobs:
trivy-pr-scan:
uses: helxplatform/helx-github-actions/.github/workflows/trivy-pr-scan.yml@main
secrets: inherit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
network=host
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true

# Notes on Cache:
# https://docs.docker.com/build/ci/github-actions/examples/#inline-cache
- name: Build Container
uses: docker/build-push-action@v5
with:
context: .
push: false
load: true
tags: ${{ github.repository }}:vuln-test
cache-from: type=registry,ref=${{ github.repository }}:buildcache
cache-to: type=registry,ref=${{ github.repository }}:buildcache,mode=max

# We will not be concerned with Medium and Low vulnerabilities
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ github.repository }}:vuln-test'
format: 'sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
output: 'trivy-results.sarif'
exit-code: '1'
# Scan results should be viewable in GitHub Security Dashboard
# We still fail the job if results are found, so below will always run
# unless manually canceled.
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: '!cancelled()'
with:
sarif_file: 'trivy-results.sarif'

0 comments on commit 98257d9

Please sign in to comment.