---
# Reusable CI workflow; it is only ever invoked through `workflow_call` (see `on:`).
name: ci

# TODO(review): there is no top-level `permissions:` block, so every job inherits the
# caller's default GITHUB_TOKEN scopes. The steps below use dedicated secrets for
# registry and repo access, so `permissions: { contents: read }` may be enough -- confirm.

# At most one active run per head ref: a newer run for the same branch cancels the
# older one. Runs without a head ref (non-PR events) fall back to the unique run id,
# so they are never cancelled by each other.
concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
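on:  # yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key
  workflow_call:
    inputs:
      # Registry the project image is pulled from by the `test` job.
      registry:
        required: false
        type: string
        default: "ghcr.io"
        description: "registry to push and get the image"
      # Lower-cased by the `image_tag` job before it is used as a registry path.
      image_name:
        required: true
        type: string
        description: "name of the image"
      username:
        required: true
        type: string
        description: "username to push the image can use github.actor"
      # Used as a path segment of the container image reference in the `test` job.
      target_branch:
        required: false
        type: string
        default: "master"
        description: "Sets the target to build Dockerfile"
      git_lfs:
        required: false
        type: boolean
        default: false
        description: "git lfs checkout"
      # The default is a workspace-relative path, so the former "absolute path"
      # wording was misleading; both forms are accepted.
      coverage_file_path:
        required: false
        type: string
        default: "coverage.xml"
        description: "path to the coverage XML file (absolute, or relative to the workspace)"
      # Interpolated verbatim into a `run:` script and executed by the shell; it must
      # only ever come from a trusted caller workflow.
      test_command:
        required: false
        type: string
        default: "python -m pytest"
        description: "test command"
    secrets:
      # Registry credential paired with `inputs.username` for the container pull.
      registry_token:
        required: true
        description: "token to have access to registry"
      # Passed to the coverage-report action for pull-request events.
      repos_token:
        required: true
        description: "token to have access to code and infra repository"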
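jobs:
  # Produces the lower-cased form of `inputs.image_name`; consumed by the `test`
  # job's container image reference.
  image_tag:
    name: Image tag for docker image pull
    runs-on: ubuntu-latest
    outputs:
      docker_image: ${{ steps.image_name.outputs.lowercase }}
    steps:
      - id: image_name
        uses: ASzc/change-string-case-action@v2
        with:
          string: ${{ inputs.image_name }}

  # Bandit static security scan of the Python sources.
  security-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Bandit
        # TODO(review): `@main` is a mutable ref -- pin to a full commit SHA so an
        # upstream branch rewrite cannot change what executes here.
        uses: jpetrucciani/bandit-check@main

  test:
    name: Run Tests and Coverage
    runs-on: ubuntu-latest
    needs:
      - image_tag
    # Tests run inside the pre-built project image pulled from `inputs.registry`.
    container:
      image: ${{ inputs.registry }}/${{ needs.image_tag.outputs.docker_image }}/${{ inputs.target_branch }}:latest
      options: --user root
      credentials:
        username: ${{ inputs.username }}
        password: ${{ secrets.registry_token }}
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: ${{ inputs.git_lfs }}
      - name: Set Permissions
        # Makes the whole checkout world-writable. TODO(review): the container already
        # runs as root (`--user root`); narrow this to the user the tests actually run
        # as if that is known, or drop it.
        run: |
          chmod -R 777 "$(pwd)"
      - name: Run Python tests
        # `inputs.test_command` is interpolated verbatim into this script and executed
        # as-is (by design -- it is the command to run). The coverage path is passed
        # through an env var instead of being interpolated, so it cannot alter the
        # script's shell structure.
        env:
          COVERAGE_FILE_PATH: ${{ inputs.coverage_file_path }}
        run: |
          mkdir -p "${{ github.workspace }}/coverage_report"
          ${{ inputs.test_command }} --cov --cov-report="xml:${COVERAGE_FILE_PATH}"
      - name: Coverage Report
        uses: orgoro/coverage@v3
        if: github.event_name == 'pull_request'
        with:
          # Same file the test step wrote. This was hard-coded to coverage.xml, which
          # silently ignored the `coverage_file_path` input (default unchanged).
          coverageFile: ${{ inputs.coverage_file_path }}
          token: ${{ secrets.repos_token }}

  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # TODO(review): pin `@main` to a full commit SHA (mutable-ref supply-chain risk).
      - uses: jpetrucciani/ruff-check@main
        with:
          flags: '--exclude ./env/'

  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history, so the scanner sees every commit rather than only the tip.
          fetch-depth: 0
      - name: Secret Scanning
        # TODO(review): pin `@main` to a full commit SHA (mutable-ref supply-chain risk).
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified --allow-verification-overlap

  # Renamed from `security-check`: that key was already taken by the Bandit job above.
  # Duplicate mapping keys resolve last-wins in most YAML loaders (and GitHub's parser
  # may reject the file outright), so one of the two jobs was being lost. The displayed
  # check name ("Create bundle") is unchanged.
  codeql-bundle:
    name: "Create bundle"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: advanced-security/codeql-bundle-action/download-bundle@v2
        id: download-bundle
        with:
          tag: "latest"
      - uses: advanced-security/codeql-bundle-action/create-bundle@v2
        id: create-bundle
        with:
          bundle-path: ${{ steps.download-bundle.outputs.bundle-path }}
          packs: "octo/cpp-queries,octo/cpp-all,octo/cpp-customizations"
      - uses: actions/upload-artifact@v3
        with:
          name: codeql-bundle.tar.gz
          path: ${{ steps.create-bundle.outputs.output-path }}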