Add linting to CI #28
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CI" | |
| on: | |
| push: | |
| tags: | |
| - "[0-9]+.[0-9]+.[0-9]+" | |
| - "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" | |
| branches: [main] | |
| pull_request: | |
| workflow_dispatch: # Manually | |
| env: | |
| REGISTRY: ghcr.io/noaa-gsl/vxingest | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install poetry | |
| run: pipx install poetry | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.11" | |
| - name: Install dependencies | |
| run: | | |
| poetry env use 3.11 | |
| poetry install | |
| - name: Format with Ruff | |
| run: poetry run ruff format --check src tests | |
| - name: Lint with Ruff | |
| run: poetry run ruff check --output-format=github src tests | |
| build-ingest: | |
| name: Build Ingest image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Generate image metadata | |
| uses: docker/metadata-action@v4 | |
| id: meta | |
| with: | |
| images: | | |
| ghcr.io/noaa-gsl/vxingest/ingest | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha | |
| # set latest tag for default branch | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| labels: | | |
| org.opencontainers.image.vendor=NOAA's Global Systems Laboratory | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build image and push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| file: docker/ingest/Dockerfile | |
| context: . | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| # Use a cache to speed up builds | |
| # Note: this may cause security issues if the apt updates are cached | |
| # It may make more sense to build eccodes as its own image instead. | |
| cache-from: type=registry,ref=ghcr.io/noaa-gsl/vxingest/cache/ingest:buildcache | |
| cache-to: type=registry,ref=ghcr.io/noaa-gsl/vxingest/cache/ingest:buildcache,mode=max | |
| build-import: | |
| name: Build Import image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Generate image metadata | |
| uses: docker/metadata-action@v4 | |
| id: meta | |
| with: | |
| images: | | |
| ghcr.io/noaa-gsl/vxingest/import | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha | |
| # set latest tag for default branch | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| labels: | | |
| org.opencontainers.image.vendor=NOAA's Global Systems Laboratory | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build image and push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| file: docker/import/Dockerfile | |
| context: . | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| scan-ingest: | |
| runs-on: ubuntu-latest | |
| needs: build-ingest | |
| steps: | |
| - name: Extract SHORT_SHA | |
| run: echo "SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV" | |
| - name: Scan image with Trivy | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: "ghcr.io/noaa-gsl/vxingest/ingest:sha-${{ env.SHORT_SHA }}" | |
| format: "sarif" | |
| output: "trivy-ingest-results.sarif" | |
| ignore-unfixed: true | |
| severity: "CRITICAL,HIGH" | |
| limit-severities-for-sarif: true | |
| exit-code: "1" | |
| env: | |
| TRIVY_USERNAME: ${{ github.actor }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-ingest-results.sarif" | |
| scan-import: | |
| runs-on: ubuntu-latest | |
| needs: build-import | |
| steps: | |
| - name: Extract SHORT_SHA | |
| run: echo "SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV" | |
| - name: Scan image with Trivy | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: "ghcr.io/noaa-gsl/vxingest/import:sha-${{ env.SHORT_SHA }}" | |
| format: "sarif" | |
| output: "trivy-import-results.sarif" | |
| ignore-unfixed: true | |
| severity: "CRITICAL,HIGH" | |
| limit-severities-for-sarif: true | |
| # exit-code: "1" # FIXME: allow failures for now. Couchbase needs to update cbtools | |
| env: | |
| TRIVY_USERNAME: ${{ github.actor }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-import-results.sarif" |