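---
# Build, test and publish the besec container images.
#
# Supply-chain notes for maintainers:
# - Every third-party action below is referenced by a mutable major tag
#   (@v2, @v3, @v0, ...). A tag can be moved to different code without any
#   change in this file, so pin each one to a full-length commit SHA and keep
#   the tag in a trailing comment, e.g. `actions/checkout@<full-commit-sha>  # v3`.
# - The build container (gcr.io/besec-project/build) is pulled by a mutable
#   tag as well; pinning it by digest gives reproducible builds.
name: CI
on:  # yamllint disable-line rule:truthy
  # A bare `push:` fires on every push to every branch. Because `publish`
  # has no `if:` guard, every such push also publishes a run-tagged image.
  push:
  release:
    types: [published]
jobs:
  build_test:
    runs-on: ubuntu-latest
    name: Build and Test
    container: gcr.io/besec-project/build
    # Least privilege: this job only reads the repository. Without an explicit
    # block it would inherit the repository's default GITHUB_TOKEN permissions.
    permissions:
      contents: read
    steps:
      # NOTE(review): consider `persist-credentials: false` here — no later
      # step in this job pushes back to the repository (confirm the build
      # scripts do not fetch over HTTPS with the token before adding it).
      - uses: actions/checkout@v3
      - name: cache go
        uses: actions/cache@v2
        env:
          cache-name: build-go
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
            ~/.cache/golangci-lint
          key: ${{ env.cache-name }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ env.cache-name }}-
      - name: cache npm
        uses: actions/cache@v2
        env:
          cache-name: build-npm
        with:
          path: |
            ~/.npm
          key: ${{ env.cache-name }}-${{ hashFiles('ui/package-lock.json') }}
          restore-keys: |
            ${{ env.cache-name }}-
      - name: npm install
        run: cd ui && npm ci --audit=false  # no audit as we have dependabot
      - name: build
        run: |
          ./set_modification_time.sh
          SCRATCH=true make release --assume-new=config.yaml # ensure we regenerate any build time config, overriding anything accidentally committed based on local config
      - name: lint
        run: make golangci-lint lint
      # The emulator and the server are started in the background and the
      # tests run immediately afterwards; nothing here waits for either
      # service to be listening, so early test runs may race the startup.
      - name: test  # ideally this would be a separate job, but then we'd end up building twice
        run: |
          # setup services for integration tests
          gcloud beta emulators firestore start --host-port localhost:8088 > firestore.out &
          export FIRESTORE_EMULATOR_HOST=localhost:8088
          ./besec serve --alert-first-login=false --alert-access-request=false --port=8081 --disable-auth > besec.out &
          # run tests, in parallel
          echo make testgo >> jobs
          echo make testui >> jobs
          echo ./besec practices check >> jobs
          mkdir examplePractice && mv docs/examplePractice.yaml examplePractice/
          echo './besec practices check --practices-dir=examplePractice --schema-file=practices/schema.json' >> jobs
          parallel --verbose --keep-order < jobs
      # The binary built above is handed to the publish job through an artifact.
      - uses: actions/upload-artifact@v2
        with:
          name: besec
          path: ./besec
  publish:
    needs: [build_test]
    runs-on: ubuntu-latest
    # Only what the OIDC exchange and checkout need; no write access to the repo.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v3
      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@v3
        with:
          images: gcr.io/besec-project/besec
          tags: |
            type=raw,value=run-${{github.run_id}}-${{github.run_attempt}}
            type=edge,branch=main
            type=semver,pattern={{version}}
      - name: Docker meta debug
        # identical to docker_meta, but with global prefix=debug
        id: docker_meta_debug
        uses: docker/metadata-action@v3
        with:
          images: gcr.io/besec-project/besec
          flavor: |
            latest=false
            prefix=debug-
          tags: |
            type=raw,value=run-${{github.run_id}}-${{github.run_attempt}}
            type=edge,branch=main
            type=semver,pattern={{version}}
      - uses: actions/download-artifact@v2
        with:
          name: besec
      # Artifacts do not preserve the executable bit.
      - run: chmod +x besec
      # Keyless auth via Workload Identity Federation: no long-lived service
      # account key is stored in the repository, and the token is short-lived.
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
        with:
          token_format: access_token
          workload_identity_provider: "projects/387575162441/locations/global/workloadIdentityPools/github/providers/github"
          service_account: "[email protected]"
          access_token_lifetime: "300s"
      - name: Login to Container Registry
        uses: docker/login-action@v1
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - id: build_push
        name: Build and push
        uses: docker/build-push-action@v2
        with:
          file: Dockerfile
          context: .  # so we can grab the binary
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
      - id: build_push_debug
        name: Build and push debug
        uses: docker/build-push-action@v2
        with:
          file: debug.Dockerfile
          context: .
          push: true
          tags: ${{ steps.docker_meta_debug.outputs.tags }}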