Skip to content

Automated update to primary components (#336) #1047

Automated update to primary components (#336)

Automated update to primary components (#336) #1047

Workflow file for this run

---
name: "Commit"
on:
push:
branches:
- main
pull_request:
branches:
- main
defaults:
run:
shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
env:
python_version: "3.11"
jobs:
lint:
name: Lint
runs-on: ubuntu-22.04
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- uses: seisollc/goat@main
with:
exclude: (.*tests/(ansible|terraform|cloudformation)/.*|.*build/Dockerfile\.j2$)
disable_mypy: true
generate-matrixes:
name: Generate matrixes for future use in pipelines
runs-on: ubuntu-22.04
outputs:
image-matrix: ${{ steps.set-image-outputs.outputs.image-matrix }}
test-matrix: ${{ steps.set-testing-outputs.outputs.test-matrix }}
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v4
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install the dependencies
run: python -m pip install --upgrade pipenv
- name: Install Task
uses: arduino/setup-task@v2
- name: Initialize the repo
run: task -v init
- name: Gather the image matrix
id: set-image-outputs
run: |
pipenv run python -c \
'from easy_infra import utils; \
print(utils.get_github_actions_matrix())' >> "${GITHUB_OUTPUT}"
- name: Gather the testing matrix
id: set-testing-outputs
run: |
pipenv run python -c \
'from easy_infra import utils; \
print(utils.get_github_actions_matrix(testing=True))' >> "${GITHUB_OUTPUT}"
test:
name: Test
needs: [generate-matrixes]
if: github.event_name == 'pull_request'
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.generate-matrixes.outputs.test-matrix) }}
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v4
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install the dependencies
run: |
python -m pip install --upgrade pipenv
mkdir "${RUNNER_TEMP}/bin"
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/syft"
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/grype"
echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
- name: Install Task
uses: arduino/setup-task@v2
- name: Initialize the repo
run: task -v init
- name: Build the image
run: task -v build
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Generate the SBOM
run: task -v sbom
if: matrix.user == 'root'
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Upload the SBOM
uses: actions/upload-artifact@v4
if: matrix.user == 'root'
with:
name: SBOM_${{ matrix.tool }}_${{ matrix.environment }}
path: sbom.2*.json
if-no-files-found: error
- name: Generate Vuln scan results
run: task -v vulnscan
if: matrix.user == 'root'
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Upload Vuln scan result
uses: actions/upload-artifact@v4
if: matrix.user == 'root'
with:
name: Vulns_${{ matrix.tool }}_${{ matrix.environment }}
path: vulns.2*.json
if-no-files-found: error
- name: Run tests
run: task -v test
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
USER: ${{ matrix.user }}
DEBUG: "True"
bump-version:
name: Bump version
needs: [lint]
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
permissions:
contents: write
runs-on: ubuntu-22.04
outputs:
git_tag: ${{ steps.bump-version.outputs.git_tag }}
steps:
- name: Checkout the repository
uses: actions/checkout@v4
with:
token: ${{ secrets.SEISO_AUTOMATION_PAT }}
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v4
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install the dependencies
run: python -m pip install --upgrade pipenv
- name: Install Task
uses: arduino/setup-task@v2
- name: Initialize the repo
run: task -v init
- name: Bump the version
id: bump-version
run: |
task -v release
GIT_TAG="$(git describe --tags)"
BRANCH="$(git branch --show-current)"
git push --atomic origin "${BRANCH}" "${GIT_TAG}"
echo "git_tag=${GIT_TAG}" >> "${GITHUB_OUTPUT}"
distribute:
name: Distribute
needs: [generate-matrixes, bump-version]
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.generate-matrixes.outputs.image-matrix) }}
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
environment: "${{ needs.bump-version.outputs.git_tag }}"
runs-on: ubuntu-22.04
steps:
- name: Checkout the repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: "${{ needs.bump-version.outputs.git_tag }}"
- uses: actions/setup-python@v5
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v4
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install the dependencies
run: |
python -m pip install --upgrade pipenv
mkdir "${RUNNER_TEMP}/bin"
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/syft"
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/grype"
echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
- name: Install Task
uses: arduino/setup-task@v2
- name: Initialize the repo
run: task -v init
- name: Build the image
run: task -v build
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Generate the SBOM
run: task -v sbom
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Upload the SBOM
uses: actions/upload-artifact@v4
with:
name: SBOM_${{ matrix.tool }}_${{ matrix.environment }}
path: sbom.2*.json
if-no-files-found: error
- name: Generate Vuln scan results
run: task -v vulnscan
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Upload Vuln scan result
uses: actions/upload-artifact@v4
with:
name: Vulns_${{ matrix.tool }}_${{ matrix.environment }}
path: vulns.2*.json
if-no-files-found: error
- name: Run tests
run: task -v test
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
USER: ${{ matrix.user }}
DEBUG: "True"
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Publish the image to Docker Hub
run: task -v publish
env:
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
- name: Install cosign
uses: sigstore/cosign-installer@main
- name: Sign the image
run: |
image_and_versioned_tag=$(pipenv run python -c \
"from easy_infra.utils import get_image_and_tag; \
print(get_image_and_tag(tool='${TOOL}', environment='${ENVIRONMENT}'))")
versioned_tag="${image_and_versioned_tag#*:}"
# Requires that the image is available in the local daemon and was pushed to the remote repo
image_and_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \
"${image_and_versioned_tag}" )
echo -n "${COSIGN_PASSWORD}" |
cosign sign --yes --key cosign.key \
-a git_sha="${GITHUB_SHA}" \
-a tag="${versioned_tag}" \
"${image_and_digest}"
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TOOL: ${{ matrix.tool }}
ENVIRONMENT: ${{ matrix.environment }}
finalize-the-release:
name: Finalize the release
needs: [bump-version, distribute]
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
runs-on: ubuntu-22.04
steps:
- name: Checkout the repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: "${{ needs.bump-version.outputs.git_tag }}"
- name: Download the SBOMs and Vuln scan results
uses: actions/download-artifact@v4
with:
path: ${{ runner.temp }}
- name: Publish the release to GitHub
uses: softprops/action-gh-release@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
name: ${{ needs.bump-version.outputs.git_tag }}
tag_name: ${{ needs.bump-version.outputs.git_tag }}
generate_release_notes: true
files: |
${{ runner.temp }}/Vulns_*/vulns.*.json
${{ runner.temp }}/SBOM_*/sbom.*.json
fail_on_unmatched_files: true
draft: false
prerelease: false
- name: Publish the release README to Docker Hub
uses: peter-evans/dockerhub-description@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: seiso/easy_infra