From 4f8fb881e4c10b369146c5535fb173c99b578f16 Mon Sep 17 00:00:00 2001
From: Patrick Hachicho
Date: Thu, 11 Apr 2024 17:24:07 -0400
Subject: [PATCH] added new actions
---
 .github/workflows/build-push-dev-image.yml | 106 +++-----------------
 .github/workflows/build-push-release.yml | 111 +--------------------
 .github/workflows/code-checks.yml | 109 ++++---------------
 .github/workflows/trivy-pr-scan.yml | 57 ++--------
 4 files changed, 43 insertions(+), 340 deletions(-)
diff --git a/.github/workflows/build-push-dev-image.yml b/.github/workflows/build-push-dev-image.yml
index 64d182e6..48b9b913 100644
--- a/.github/workflows/build-push-dev-image.yml
+++ b/.github/workflows/build-push-dev-image.yml
@@ -1,105 +1,27 @@ # Workflow responsible for the # development release processes. -# name: Build-Push-Dev-Image on: - push: - branches: - - develop + push: + # branches: + # - develop paths-ignore: - README.md - - .old_cicd/* - - .github/* - - .github/workflows/* + # - .old_cicd/* + # - .github/* + # - .github/workflows/* - LICENSE - .gitignore - .dockerignore - .githooks - # Do not build another image on a pull request. - # Any push to develop will trigger a new build however. - pull_request: - branches-ignore: - - '*' + # Do not build another image on a pull request. + # Any push to develop will trigger a new build however. + pull_request: + branches-ignore: + - '*' jobs: - build-push-dev-image: - runs-on: ubuntu-latest - steps: - - - name: Checkout Code - uses: actions/checkout@v3 - with: - ref: ${{ github.head_ref }} - # fetch-depth: 0 means, get all branches and commits - fetch-depth: 0 - - - name: Set short git commit SHA - id: vars - run: | - echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT - # https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ - - - name: Confirm git commit SHA output - run: echo ${{ steps.vars.outputs.short_sha }} - - # https://github.com/marketplace/actions/git-semantic-version - # - name: Semver Check - # uses: paulhatch/semantic-version@v5.0.3 - # id: version - # with: - # # The prefix to use to identify tags - # tag_prefix: "v" - # # A string which, if present in a git commit, indicates that a change represents a - # # major (breaking) change, supports regular expressions wrapped with '/' - # major_pattern: "/(breaking)|(major)/" - # # A string which indicates the flags used by the `major_pattern` regular expression. 
Supported flags: idgs - # major_regexp_flags: "ig" - # # Same as above except indicating a minor change, supports regular expressions wrapped with '/' - # minor_pattern: "/(feat)|(feature)|(minor)/" - # # A string which indicates the flags used by the `minor_pattern` regular expression. Supported flags: idgs - # minor_regexp_flags: "ig" - # # A string to determine the format of the version output - # # version_format: "${major}.${minor}.${patch}-prerelease${increment}" - # version_format: "${major}.${minor}.${patch}-prerelease${increment}" - # search_commit_body: false - - # Docker Buildx is important to caching in the Build And Push Container - # step - # https://github.com/marketplace/actions/build-and-push-docker-images - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - logout: true - - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - registry: containers.renci.org - username: ${{ secrets.CONTAINERHUB_USERNAME }} - password: ${{ secrets.CONTAINERHUB_TOKEN }} - logout: true - - - # Notes on Cache: - # https://docs.docker.com/build/ci/github-actions/examples/#inline-cache - - name: Build Push Container - uses: docker/build-push-action@v5 - with: - context: . - push: true - # Push to renci-registry and dockerhub here. - # cache comes from dockerhub. 
- tags: | - ${{ github.repository }}:develop - ${{ github.repository }}:${{ steps.vars.outputs.short_sha }} - containers.renci.org/${{ github.repository }}:develop - containers.renci.org/${{ github.repository }}:${{ steps.vars.outputs.short_sha }} - cache-from: type=registry,ref=${{ github.repository }}:buildcache-dev - cache-to: type=registry,ref=${{ github.repository }}:buildcache-dev,mode=max + build-push-dev-image: + uses: helxplatform/helx-github-actions/.github/workflows/build-push-dev-image.yml@develop + secrets: inherit diff --git a/.github/workflows/build-push-release.yml b/.github/workflows/build-push-release.yml index 71fbc48f..f76fec26 100644 --- a/.github/workflows/build-push-release.yml +++ b/.github/workflows/build-push-release.yml @@ -11,8 +11,8 @@ on: paths-ignore: - README.md - .old_cicd/* - - .github/* - - .github/workflows/* + # - .github/* + # - .github/workflows/* - LICENSE - .gitignore - .dockerignore 
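Review bot: The new `build-push-dev-image` job calls `helxplatform/helx-github-actions/.github/workflows/build-push-dev-image.yml@develop` on a mutable branch ref while passing `secrets: inherit`, so whatever lands on that branch at run time executes with this repository's DockerHub and container-registry credentials; the same pattern appears in the build-push-release, code-checks and trivy-pr-scan hunks. Pin the reusable workflow to a full commit SHA (or at least a release tag) and pass only the secrets the called workflow declares, e.g. `uses: helxplatform/helx-github-actions/.github/workflows/build-push-dev-image.yml@<commit-sha>`. The `branches: - develop` filter under `push:` is now commented out, so a push to any branch triggers this workflow, which contradicts the retained comment "Any push to develop will trigger a new build however"; either restore the filter or update the comment. Commenting out the `.github/*` and `.github/workflows/*` entries under `paths-ignore` (done in all four files) means edits to the workflow files themselves now trigger image builds and pushes, which reads as a testing change that should be reverted before merge.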
@@ -20,107 +20,6 @@ on: tags-ignore: - 'v[0-9]+.[0-9]+.*' jobs: - build-push-release: - runs-on: ubuntu-latest - steps: - - name: Checkout Code - uses: actions/checkout@v3 - with: - ref: ${{ github.head_ref }} - fetch-depth: 0 - - - name: Set short git commit SHA - id: vars - run: | - echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT - # https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ - - - name: Confirm git commit SHA output - run: echo ${{ steps.vars.outputs.short_sha }} - - # https://github.com/marketplace/actions/git-semantic-version - - name: Semver Check - uses: paulhatch/semantic-version@v5.0.3 - id: version - with: - # The prefix to use to identify tags - tag_prefix: "v" - # A string which, if present in a git commit, indicates that a change represents a - # major (breaking) change, supports regular expressions wrapped with '/' - major_pattern: "/breaking|major/" - # A string which indicates the flags used by the `major_pattern` regular expression. Supported flags: idgs - major_regexp_flags: "ig" - # Same as above except indicating a minor change, supports regular expressions wrapped with '/' - minor_pattern: "/feat|feature|minor/" - # A string which indicates the flags used by the `minor_pattern` regular expression. 
Supported flags: idgs - minor_regexp_flags: "ig" - # A string to determine the format of the version output - # version_format: "${major}.${minor}.${patch}-prerelease${increment}" - version_format: "${major}.${minor}.${patch}" - search_commit_body: false - - # Docker Buildx is important to caching in the Build And Push Container - # step - # https://github.com/marketplace/actions/build-and-push-docker-images - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - logout: true - - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - registry: containers.renci.org - username: ${{ secrets.CONTAINERHUB_USERNAME }} - password: ${{ secrets.CONTAINERHUB_TOKEN }} - logout: true - - # Notes on Cache: - # https://docs.docker.com/build/ci/github-actions/examples/#inline-cache - - name: Build Push Container - uses: docker/build-push-action@v5 - with: - push: true - # Push to renci-registry and dockerhub here. - # cache comes from dockerhub. - tags: | - containers.renci.org/${{ github.repository }}:v${{ steps.version.outputs.version }} - containers.renci.org/${{ github.repository }}:latest - containers.renci.org/${{ github.repository }}:${{ steps.vars.outputs.short_sha }} - ${{ github.repository }}:v${{ steps.version.outputs.version }} - ${{ github.repository }}:latest - ${{ github.repository }}:${{ steps.vars.outputs.short_sha }} - cache-from: type=registry,ref=${{ github.repository }}:buildcache-release - cache-to: type=registry,ref=${{ github.repository }}:buildcache-release,mode=max - -#==========================TAG & RELEASE W/ NOTES ========================= - - # Note: GITHUB_TOKEN is autogenerated feature of github app - # which is auto-enabled when using github actions. 
- # https://docs.github.com/en/actions/security-guides/automatic-token-authentication - # https://docs.github.com/en/rest/git/tags?apiVersion=2022-11-28#create-a-tag-object - # https://docs.github.com/en/rest/git/refs?apiVersion=2022-11-28#create-a-reference - # This creates a "lightweight" ref tag. - - name: Create Tag for Release - run: | - curl \ - -s --fail -X POST \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }}/git/refs \ - -d '{"ref":"refs/tags/v${{ steps.version.outputs.version }}","sha":"${{ github.sha }}"}' - -# https://cli.github.com/manual/gh_release_create - - name: Create Release - env: - RELEASE_VERSION: ${{ steps.version.outputs.version }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh release create ${{ env.RELEASE_VERSION }} \ - -t "${{ env.RELEASE_VERSION }}" \ - --generate-notes \ - --latest + build-push-release: + uses: helxplatform/helx-github-actions/.github/workflows/build-push-release.yml@develop + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml index ff128a9c..b78232b8 100644 --- a/.github/workflows/code-checks.yml +++ b/.github/workflows/code-checks.yml 
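Review bot: The caller declares no `permissions:` block, yet the job it replaces created a git tag and a GitHub release with `secrets.GITHUB_TOKEN`; a reusable workflow can only use the token permissions its caller grants, so if the remote `build-push-release.yml` still performs those steps it will fail wherever the repository's default token is read-only unless the `build-push-release` job here adds `permissions:` / `contents: write` — I cannot see the called workflow, so confirm what it needs. The replacement also relies on the `@develop` ref and `secrets: inherit` already flagged on the dev-image hunk. The new file ends without a trailing newline (`\ No newline at end of file`), as do the code-checks and trivy-pr-scan replacements; add the final newline so yamllint's `new-line-at-end-of-file` check passes.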
@@ -11,106 +11,31 @@ # # -name: Code-Checks +name: Code-Checks-Remote on: - push: - branches-ignore: - - master - - main - - develop - paths-ignore: + push: + # branches-ignore: + # - master + # - main + # - develop + paths-ignore: - README.md - .old_cicd/* - - .github/* - - .github/workflows/* + # - .github/* + # - .github/workflows/* - LICENSE - .gitignore - .dockerignore - .githooks - pull_request: - branches: + pull_request: + branches: - develop - master - main - types: [ opened, synchronize ] - - + types: [ opened, synchronize ] + jobs: -############################## flake8-linter ############################## - flake8-linter: - runs-on: ubuntu-latest - # if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - uses: actions/checkout@v3 - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - - # Currently actions/setup-python supports caching - # but the cache is not as robust as cache action. - # Here we cache the entire python env which speeds subsequent builds up alot. (alot being scientific term) - # Ref: https://blog.allenai.org/python-caching-in-github-actions-e9452698e98d - - uses: actions/cache@v3 - name: Cache Python - with: - path: ${{ env.pythonLocation }} - key: ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }}-${{ hashFiles('requirements.txt') }} - - - name: Install Requirements - run: | - pip install -r requirements.txt - - - name: Lint with flake8 - run: | - pip install flake8 - flake8 --ignore=E,W . - # We continue on error here until the code is clean - # flake8 --ignore=E,W --exit-zero . 
- continue-on-error: true - -############################## test-image-build ############################## - test-image-build: - runs-on: ubuntu-latest - # if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - uses: actions/checkout@v3 - - - name: Set short git commit SHA - id: vars - run: | - echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT - # https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ - - - name: Confirm git commit SHA output - run: echo ${{ steps.vars.outputs.short_sha }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - logout: true - - - name: Parse Github Reference Name - id: branch - run: | - REF=${{ github.ref_name }} - echo "GHR=${REF%/*}" >> $GITHUB_OUTPUT - - - # Notes on Cache: - # https://docs.docker.com/build/ci/github-actions/examples/#inline-cache - - name: Build Container - uses: docker/build-push-action@v5 - with: - context: . - push: true - tags: | - ${{ github.repository }}:test_${{ steps.branch.outputs.GHR }} - cache-from: type=registry,ref=${{ github.repository }}:buildcache - cache-to: type=registry,ref=${{ github.repository }}:buildcache,mode=max + + code-checks: + uses: helxplatform/helx-github-actions/.github/workflows/code-checks.yml@develop + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/trivy-pr-scan.yml b/.github/workflows/trivy-pr-scan.yml index 142572da..a90e7aea 100644 --- a/.github/workflows/trivy-pr-scan.yml +++ b/.github/workflows/trivy-pr-scan.yml @@ -1,6 +1,7 @@ name: trivy-pr-scan on: + push: #remove this after testing pull_request: branches: - develop 
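Review bot: Renaming the workflow to `Code-Checks-Remote` and collapsing the `flake8-linter` and `test-image-build` jobs into a single `code-checks` job changes the status-check names that a branch-protection rule may list as required; if any rule references the old names, pull requests will wait on checks that never report, so update the rule in the same change. The `branches-ignore` filter under `push:` is commented out, so pushes to master, main and develop now run this workflow in addition to the `pull_request` trigger on those same branches, which likely doubles the runs for every merge — restore the filter if the exclusion was intentional. The block under `jobs:` starts with an empty `+` line before `code-checks:`; dropping it keeps one blank line between stanzas as elsewhere in the file.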
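Review bot: The added `push: #remove this after testing` line under `on:` turns a pull-request scan into a run on every push to every branch and leaves a marker that is easy to forget once merged; if a manual way to exercise the workflow is needed, `workflow_dispatch:` provides that without widening the PR trigger. If the line must stay for now, write the comment with a space after the hash and an owner, e.g. `push: # TODO(<owner>): remove after testing`.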
@@ -9,59 +10,15 @@ on: types: [ opened, synchronize ] paths-ignore: - README.md - - .old_cicd/* - - .github/* - - .github/workflows/* + # - .old_cicd/* + # - .github/* + # - .github/workflows/* - LICENSE - .gitignore - .dockerignore - .githooks jobs: - trivy-pr-scan: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: | - network=host - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - logout: true - - # Notes on Cache: - # https://docs.docker.com/build/ci/github-actions/examples/#inline-cache - - name: Build Container - uses: docker/build-push-action@v5 - with: - context: . - push: false - load: true - tags: ${{ github.repository }}:vuln-test - cache-from: type=registry,ref=${{ github.repository }}:buildcache - cache-to: type=registry,ref=${{ github.repository }}:buildcache,mode=max - - # We will not be concerned with Medium and Low vulnerabilities - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: '${{ github.repository }}:vuln-test' - format: 'sarif' - severity: 'CRITICAL,HIGH' - output: 'trivy-results.sarif' - exit-code: '1' - # Scan results should be viewable in GitHub Security Dashboard - # We still fail the job if results are found, so below will always run - # unless manually canceled. - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: '!cancelled()' - with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + trivy-pr-scan: + uses: helxplatform/helx-github-actions/.github/workflows/trivy-pr-scan.yml@develop + secrets: inherit \ No newline at end of file
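Review bot: The removed job uploaded SARIF with `github/codeql-action/upload-sarif`, which needs `security-events: write` on the token, and the caller sets no `permissions:` block; if the remote `trivy-pr-scan.yml` still uploads results, add `permissions:` / `contents: read` / `security-events: write` to the `trivy-pr-scan` job here — I cannot see the called workflow, so confirm. `secrets: inherit` also exposes every repository secret to the called workflow, whereas the job it replaces only used `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`; pass those explicitly under `secrets:` instead, assuming the called workflow declares them in its `workflow_call` inputs. The `@develop` pin and the missing trailing newline are the same issues noted on the earlier hunks.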