feat: allow on demand updates (#269)

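---
# CI/CD workflow for the repository.
#   * lint + test run on every push and pull request against main
#   * on a push to main, the version is bumped, a GitHub release is cut with
#     SBOM and vulnerability-scan artifacts, and the images are published to
#     Docker Hub and signed with cosign
# Indentation is 2 spaces with indented sequences throughout.
name: "Commit"
# `on` is a YAML 1.1 truthy key; GitHub's loader handles it (yamllint: truthy).
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
env:
  # Quoted so it stays the string "3.10" and is not parsed as the float 3.1.
  python_version: "3.10"
jobs:
  lint:
    name: Lint
    # Least-privilege GITHUB_TOKEN: this job only reads the checkout.
    permissions:
      contents: read
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      # NOTE(review): @main is a mutable ref; pin to a release tag or commit
      # SHA (e.g. @<release-tag-or-sha>) so the linter cannot change underneath
      # the workflow.
      - uses: seisollc/goat@main
        with:
          exclude: (.*tests/(ansible|terraform|cloudformation)/.*|.*build/Dockerfile\.j2$)
          disable_mypy: true

  generate-matrixes:
    name: Generate matrixes for future use in pipelines
    # Only reads the repository; the matrices are computed by project code.
    permissions:
      contents: read
    runs-on: ubuntu-20.04
    outputs:
      image-matrix: ${{ steps.set-image-outputs.outputs.image-matrix }}
      test-matrix: ${{ steps.set-testing-outputs.outputs.test-matrix }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ env.python_version }}
      # Cache pipenv virtualenvs, keyed on the lockfile so a dependency change
      # invalidates the cache.
      - uses: actions/cache@v3
        with:
          path: ~/.local/share/virtualenvs
          key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
      - name: Install the dependencies
        run: |
          python -m pip install --upgrade pipenv
          pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
      # Both matrices are emitted by easy_infra.utils as JSON lines appended to
      # GITHUB_OUTPUT; the consuming jobs parse them with fromJSON().
      - name: Gather the image matrix
        id: set-image-outputs
        run: |
          pipenv run python -c \
          'from easy_infra import utils; \
          print(utils.get_github_actions_matrix())' >> "${GITHUB_OUTPUT}"
      - name: Gather the testing matrix
        id: set-testing-outputs
        run: |
          pipenv run python -c \
          'from easy_infra import utils; \
          print(utils.get_github_actions_matrix(testing=True))' >> "${GITHUB_OUTPUT}"

  test:
    name: Test
    needs: [generate-matrixes]
    # Builds, scans and tests locally; uploads artifacts via the runtime token,
    # so the GITHUB_TOKEN only needs read access.
    permissions:
      contents: read
    runs-on: ubuntu-20.04
    strategy:
      # Keep running the other matrix entries when one fails.
      fail-fast: false
      matrix: ${{ fromJSON(needs.generate-matrixes.outputs.test-matrix) }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ env.python_version }}
      - uses: actions/cache@v3
        with:
          path: ~/.local/share/virtualenvs
          key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
      - name: Install the dependencies
        # NOTE(review): syft and grype are installed by piping an unpinned
        # installer from each project's main branch; pinning the installer and
        # tool to a release (e.g. <release-tag>) and verifying the published
        # checksum would make the scan toolchain reproducible. The same block
        # is repeated in cut-release.
        run: |
          python -m pip install --upgrade pipenv
          pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
          mkdir "${RUNNER_TEMP}/bin"
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
          chmod +x "${RUNNER_TEMP}/bin/syft"
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
          chmod +x "${RUNNER_TEMP}/bin/grype"
          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
      - name: Build the image
        run: pipenv run invoke build --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
      - name: Generate the SBOM
        run: pipenv run invoke sbom --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
      - name: Upload the SBOM
        uses: actions/upload-artifact@v3
        with:
          name: SBOM - tool=${{ matrix.tool }}, environment=${{ matrix.environment }}
          path: sbom.*.json
          # A missing SBOM is a pipeline failure, not a warning.
          if-no-files-found: error
      - name: Generate Vuln scan results
        run: pipenv run invoke vulnscan --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
      - name: Upload Vuln scan result
        uses: actions/upload-artifact@v3
        with:
          name: Vulns - tool=${{ matrix.tool }}, environment=${{ matrix.environment }}
          path: vulns.*.json
          if-no-files-found: error
      - name: Run tests
        # The test directories are made world-writable first; presumably the
        # tests run inside containers as a non-root user (matrix.user).
        run: |
          find tests -mindepth 1 -type d -exec chmod o+w {} \;
          pipenv run invoke test --tool=${{ matrix.tool }} --environment=${{ matrix.environment }} --user=${{ matrix.user }} --debug

  bump-version:
    name: Bump version
    needs: [lint, test]
    # Only on pushes, and skipped when the head commit is itself a version
    # bump (presumably to avoid re-bumping on the commit this job creates).
    if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
    permissions:
      contents: write
    runs-on: ubuntu-20.04
    outputs:
      git_tag: ${{ steps.bump-version.outputs.git_tag }}
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          # A PAT rather than GITHUB_TOKEN is used for the push; note that
          # checkout persists it in .git/config for the rest of the job.
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          # Full history is needed for `git describe --tags` below.
          fetch-depth: 0
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ env.python_version }}
      - uses: actions/cache@v3
        with:
          path: ~/.local/share/virtualenvs
          key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
      - name: Install the dependencies
        run: |
          python -m pip install --upgrade pipenv
          pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
      - name: Bump the version
        id: bump-version
        # The commit and tag are pushed atomically so a partial push cannot
        # leave the branch ahead of the tag; the tag is exported for the
        # release and distribute jobs.
        run: |
          git config --global user.name 'Seiso Automation'
          git config --global user.email '[email protected]'
          pipenv run invoke release
          GIT_TAG="$(git describe --tags)"
          BRANCH="$(git branch --show-current)"
          git push --atomic origin "${BRANCH}" "${GIT_TAG}"
          echo "git_tag=${GIT_TAG}" >> "${GITHUB_OUTPUT}"

  cut-release:
    name: Cut a release
    needs: [bump-version]
    environment: "${{ needs.bump-version.outputs.git_tag }}"
    concurrency:
      group: "${{ needs.bump-version.outputs.git_tag }}"
      cancel-in-progress: true
    # softprops/action-gh-release creates the release with GITHUB_TOKEN, which
    # requires contents: write; declare it explicitly instead of relying on
    # the repository's default token permissions.
    permissions:
      contents: write
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          # Build from the tag that was just pushed, not from the branch head.
          ref: "${{ needs.bump-version.outputs.git_tag }}"
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ env.python_version }}
      - uses: actions/cache@v3
        with:
          path: ~/.local/share/virtualenvs
          key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
      - name: Install the dependencies
        # NOTE(review): same unpinned curl | sh installers as in the test job;
        # see the note there.
        run: |
          python -m pip install --upgrade pipenv
          pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
          mkdir "${RUNNER_TEMP}/bin"
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
          chmod +x "${RUNNER_TEMP}/bin/syft"
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
          chmod +x "${RUNNER_TEMP}/bin/grype"
          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
      - name: Build the images
        run: pipenv run invoke build
      - name: Generate the SBOMs
        run: pipenv run invoke sbom
      - name: Upload the SBOMs
        uses: actions/upload-artifact@v3
        with:
          name: SBOMs
          path: sbom.*.json
          if-no-files-found: error
      - name: Generate Vuln scan results
        run: pipenv run invoke vulnscan
      - name: Upload Vuln scan result
        uses: actions/upload-artifact@v3
        with:
          name: Vulns
          path: vulns.*.json
          if-no-files-found: error
      - name: Publish the release to GitHub
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          name: ${{ needs.bump-version.outputs.git_tag }}
          tag_name: ${{ needs.bump-version.outputs.git_tag }}
          generate_release_notes: true
          # The SBOM and scan results are attached to the release so consumers
          # can audit what shipped.
          files: |
            vulns.*.json
            sbom.*.json
          fail_on_unmatched_files: true
          draft: false
          prerelease: false
      - name: Publish the release README to Docker Hub
        uses: peter-evans/dockerhub-description@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: seiso/easy_infra

  distribute:
    name: Distribute
    needs: [generate-matrixes, bump-version, cut-release]
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.generate-matrixes.outputs.image-matrix) }}
    if: github.event_name == 'push'
    environment: "${{ needs.bump-version.outputs.git_tag }}"
    # Publishing and signing use Docker Hub / cosign secrets, not the GitHub
    # token, so read access to the repository is sufficient.
    permissions:
      contents: read
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: "${{ needs.bump-version.outputs.git_tag }}"
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ env.python_version }}
      - uses: actions/cache@v3
        with:
          path: ~/.local/share/virtualenvs
          key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
      - name: Install the dependencies
        run: |
          python -m pip install --upgrade pipenv
          pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
      - name: Build the image
        run: pipenv run invoke build --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Publish the image to Docker Hub
        run: pipenv run invoke publish --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
      # NOTE(review): the signing tool itself is installed from a mutable
      # branch ref while the signing key password is in scope; pin this action
      # to a release tag or commit SHA (e.g. @<release-tag-or-sha>).
      - name: Install cosign
        uses: sigstore/cosign-installer@main
      - name: Sign the image
        # Signs by digest (not by tag) with the repository-held, password-
        # protected cosign.key, annotating the signature with the commit SHA
        # and the versioned tag. Matrix values are passed via env so they are
        # not interpolated into the shell script.
        run: |
          image_and_versioned_tag=$(pipenv run python -c \
          "from easy_infra.utils import get_image_and_tag; \
          print(get_image_and_tag(tool='${TOOL}', environment='${ENVIRONMENT}'))")
          versioned_tag="${image_and_versioned_tag#*:}"
          # Requires that the image is available in the local daemon and was pushed to the remote repo
          # NOTE(review): index 0 assumes the image has exactly one RepoDigest; verify if the image is ever tagged for more than one registry
          image_and_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \
          "${image_and_versioned_tag}" )
          echo -n "${COSIGN_PASSWORD}" |
          cosign sign --yes --key cosign.key \
          -a git_sha="${GITHUB_SHA}" \
          -a tag="${versioned_tag}" \
          "${image_and_digest}"
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          TOOL: ${{ matrix.tool }}
          ENVIRONMENT: ${{ matrix.environment }}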