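---
name: Build

# Triggers the workflow on push or pull request events, but only for the
# main branch.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege GITHUB_TOKEN. Its only consumer in this workflow is
# `gh release create` (needs contents:write); checkout, GCP and git pushes
# use dedicated bot/service-account secrets, so nothing else is granted.
permissions:
  contents: write

env:
  IMAGE: secure-message
  REGISTRY_HOSTNAME: eu.gcr.io
  HOST: ${{ secrets.GOOGLE_PROJECT_ID }}
  RELEASE_HOST: ${{ secrets.RELEASE_PROJECT_ID }}
  CHART_DIRECTORY: _infra/helm/secure-message
  SPINNAKER_TOPIC: ${{ secrets.SPINNAKER_TOPIC }}
  ARTIFACT_BUCKET: ${{ secrets.ARTIFACT_BUCKET }}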
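# A workflow run is made up of one or more jobs that can run sequentially
# or in parallel.
jobs:
  # This workflow contains a single job called "build & package".
  build:
    name: Build & Package
    runs-on: ubuntu-latest
    services:
      # Label used to access the service container.
      postgres:
        # Docker Hub image.
        image: postgres:9.4
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
          POSTGRES_DB: postgres
        ports:
          # Maps port 5432 on the service container to the host. Quoted so the
          # host:container pair can never be read as a YAML 1.1 sexagesimal int.
          - "5432:5432"
        # Needed because the postgres container does not provide a healthcheck.
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      # NOTE(review): third-party actions are referenced by major-version tag;
      # pinning each to a full commit SHA makes the supply chain reproducible.
      - uses: actions/checkout@v3
        with:
          fetch-depth: '0'
          token: ${{ secrets.BOT_TOKEN }}
      - name: Set up Python 3.11
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Get Dependencies
        run: |
          pip install pipenv
          pipenv install --dev --deploy
      - name: Run Tests
        run: |
          make test
      - name: Authenticate with Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCR_KEY }}
      - name: Setup Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v2
      - name: Configure docker credentials for GCR
        run: |
          gcloud auth configure-docker
      - name: pr docker tag
        if: github.ref != 'refs/heads/main'
        id: tag
        run: |
          # On a pull_request event GITHUB_REF is refs/pull/<n>/merge; field 3 is <n>.
          PR=$(echo "$GITHUB_REF" | awk -F / '{print $3}')
          echo "$PR"
          echo "pr_number=pr-$PR" >> "$GITHUB_ENV"
      # Build the Docker image. Values written to GITHUB_ENV by earlier steps
      # (pr_number, tag, version, HELM_VERSION) are read as shell variables
      # instead of being spliced into the script text with ${{ env.* }}.
      - name: Build Docker Image
        if: github.ref != 'refs/heads/main'
        run: |
          docker build -t "$REGISTRY_HOSTNAME/$HOST/$IMAGE:$pr_number" -f _infra/docker/Dockerfile .
      - name: Push dev image
        if: github.ref != 'refs/heads/main'
        run: |
          docker push "$REGISTRY_HOSTNAME/$HOST/$IMAGE:$pr_number"
      - name: template helm
        run: |
          helm template "$CHART_DIRECTORY"
      - name: Set current tag
        if: github.ref != 'refs/heads/main'
        id: vars
        run: |
          git fetch --tags
          echo "tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_ENV"
      - name: Import BOT GPG key
        run: echo "$BOT_GPG_KEY" | base64 --decode | gpg --batch --import
        env:
          BOT_GPG_KEY: ${{ secrets.BOT_GPG_KEY }}
      - name: Prepare gpg CLI signing step
        run: |
          # Wrapper that git invokes as gpg.program. The passphrase is read from
          # the environment of the step that runs git commit (BOT_GPG_KEY_PASSPHRASE);
          # the quoted heredoc keeps both expansions for run time. Arguments are
          # forwarded with "$@" so git's own flags reach gpg unchanged.
          rm -f /tmp/gpg.sh
          cat > /tmp/gpg.sh <<'EOF'
          #!/bin/bash
          exec gpg --batch --pinentry-mode=loopback --passphrase "$BOT_GPG_KEY_PASSPHRASE" "$@"
          EOF
          chmod +x /tmp/gpg.sh
      - name: Setup git
        env:
          BOT_GPG_KEY_ID: ${{ secrets.BOT_GPG_KEY_ID }}
          BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
          BOT_EMAIL: ${{ secrets.BOT_EMAIL }}
        run: |
          git config commit.gpgsign true
          git config user.signingkey "$BOT_GPG_KEY_ID"
          git config gpg.program /tmp/gpg.sh
          git config user.name "$BOT_USERNAME"
          git config user.email "$BOT_EMAIL"
      - name: update versions
        if: github.ref != 'refs/heads/main'
        env:
          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
          BOT_GPG_KEY_PASSPHRASE: ${{ secrets.BOT_GPG_KEY_PASSPHRASE }}
          BOT_EMAIL: ${{ secrets.BOT_EMAIL }}
          # A PR branch name is chosen by the PR author; it is passed through the
          # environment and only ever used quoted, never expanded into script text.
          HEAD_REF: ${{ github.head_ref }}
          COMMIT_MSG: |
            auto patch increment
        shell: bash
        run: |
          # Commit the rewritten Chart.yaml to the PR branch as the bot account.
          commit_chart() {
            git config user.name "ras-rm-pr-bot"
            git config user.email "$BOT_EMAIL"
            # NOTE(review): the checkout step above already authenticates this
            # remote with BOT_TOKEN; rewriting the URL additionally persists the
            # token in .git/config for the rest of the job.
            git remote set-url origin "https://ras-rm-pr-bot:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
            git remote update
            git fetch
            git checkout "$HEAD_REF"
            git add "$CHART_DIRECTORY/Chart.yaml"
            git commit -m "$COMMIT_MSG"
            git push
          }

          CHART_FILE="$CHART_DIRECTORY/Chart.yaml"
          echo "Current git version: $tag"
          # Anchored so "version:" never also picks up the "appVersion:" line.
          APP_VERSION=$(grep -E "^appVersion:\s+" "$CHART_FILE" | cut -d" " -f2 | sed -r 's/"//g')
          CHART_VERSION=$(grep -E "^version:\s+" "$CHART_FILE" | cut -d" " -f2 | sed -r 's/"//g')
          echo "appVersion: $APP_VERSION"
          echo "chartVersion: $CHART_VERSION"
          if [ "$tag" = "$APP_VERSION" ]; then
            echo "versions match, incrementing patch"
            OLD_PATCH=$(echo "$tag" | cut -d '.' -f3)
            echo "OLD patch: $OLD_PATCH"
            NEW_PATCH=$((OLD_PATCH + 1))
            echo "New patch version: $NEW_PATCH"
            # Replace the third run of digits (the patch field) of the current tag.
            NEW_VERSION=$(echo "$tag" | sed -e "s/[0-9]\{1,3\}/$NEW_PATCH/3")
            sed -i -e "s/^appVersion: .*/appVersion: $NEW_VERSION/" "$CHART_FILE"
            sed -i -e "s/^version: .*/version: $NEW_VERSION/" "$CHART_FILE"
            commit_chart
          elif [ "$APP_VERSION" != "$CHART_VERSION" ]; then
            echo "app version manually updated without updating chart version"
            echo "replacing version with version: $APP_VERSION"
            sed -i -e "s/^version: .*/version: $APP_VERSION/" "$CHART_FILE"
            commit_chart
          else
            echo "git version different to chart/app versions and chart/app versions match"
            echo "Using current version: $APP_VERSION"
          fi
      - name: output new version
        if: github.ref == 'refs/heads/main'
        id: release
        shell: bash
        run: |
          echo "version=$(grep -E "^appVersion:\s+" "$CHART_DIRECTORY/Chart.yaml" | cut -d" " -f2 | sed -r 's/"//g')" >> "$GITHUB_ENV"
      - name: package helm
        run: |
          echo "HELM_VERSION=$(grep -E "^version:\s+" "$CHART_DIRECTORY/Chart.yaml" | cut -d" " -f2 | sed -r 's/"//g')" >> "$GITHUB_ENV"
          helm dep up "$CHART_DIRECTORY"
          helm package "$CHART_DIRECTORY"
      - name: Publish dev Chart
        if: github.ref != 'refs/heads/main'
        run: |
          mv "$IMAGE-$HELM_VERSION.tgz" "$IMAGE-$pr_number.tgz"
          gsutil cp "$IMAGE"-*.tgz "gs://$ARTIFACT_BUCKET/$IMAGE/"
      - name: Build Release Image
        if: github.ref == 'refs/heads/main'
        run: |
          docker build -f _infra/docker/Dockerfile \
            -t "$REGISTRY_HOSTNAME/$RELEASE_HOST/$IMAGE:latest" \
            -t "$REGISTRY_HOSTNAME/$RELEASE_HOST/$IMAGE:$version" .
      - name: Push Release image
        if: github.ref == 'refs/heads/main'
        run: |
          docker push "$REGISTRY_HOSTNAME/$RELEASE_HOST/$IMAGE:$version"
          docker push "$REGISTRY_HOSTNAME/$RELEASE_HOST/$IMAGE:latest"
      - name: Publish Charts
        if: github.ref == 'refs/heads/main'
        run: |
          cp "$IMAGE-$HELM_VERSION.tgz" "$IMAGE-latest.tgz"
          gsutil cp "$IMAGE"-*.tgz "gs://$ARTIFACT_BUCKET/$IMAGE/"
      - name: Publish Release
        if: github.ref == 'refs/heads/main'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "$version" --title "$version" --notes "$version"
      - name: CD hook
        if: github.ref == 'refs/heads/main'
        run: |
          # Notify the deployment pipeline that a new chart object exists in the bucket.
          gcloud pubsub topics publish "$SPINNAKER_TOPIC" --project "$HOST" \
            --message "{ \"kind\": \"storage#object\", \"name\": \"$IMAGE/$IMAGE-$HELM_VERSION.tgz\", \"bucket\": \"$ARTIFACT_BUCKET\" }" \
            --attribute cd="actions"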