First build

camptocamp · Nov 6, 2024 · b5d8fb5 · b5d8fb5
1 parent 41ac205
commit b5d8fb5
Show file tree

Hide file tree

Showing 17 changed files with 1,198 additions and 890 deletions.
diff --git a/.bandit.yaml b/.bandit.yaml
@@ -1,2 +1,4 @@
 skips:
   - B101 # Use of assert detected.
+  - B603 # subprocess call - check for execution of untrusted input.
+  - B607 # Starting a process with a partial executable path.
diff --git a/.github/requirements.txt b/.github/requirements.txt
@@ -0,0 +1 @@
+c2cciutils==1.7.1
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -16,8 +16,8 @@ env:
   HAS_SECRETS: ${{ secrets.HAS_SECRETS }}
 
 jobs:
-  main:
-    name: Continuous integration
+  pre-commit:
+    name: Pre commit checks
     runs-on: ubuntu-24.04
     timeout-minutes: 20
     if: "!startsWith(github.event.head_commit.message, '[skip ci] ')"
@@ -27,17 +27,10 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: camptocamp/initialise-gopass-summon-action@v2
-        with:
-          ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}}
-          github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}}
-          patterns: pypi
-        if: env.HAS_SECRETS == 'HAS_SECRETS'
-
       - uses: actions/setup-python@v5
         with:
           python-version: '3.13'
-      - run: python3 -m pip install --requirement=requirements.txt
+      - run: python3 -m pip install $(grep pre-commit== requirements.txt)
 
       - uses: actions/cache@v4
         with:
@@ -54,11 +47,34 @@ jobs:
           retention-days: 1
         if: failure()
 
+  main:
+    name: Continuous integration
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
+    needs: pre-commit
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: camptocamp/initialise-gopass-summon-action@v2
+        with:
+          ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}}
+          github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}}
+          patterns: pypi
+        if: env.HAS_SECRETS == 'HAS_SECRETS'
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+      - run: python3 -m pip install --requirement=.github/requirements.txt
+      - run: python3 -m pip install --requirement=requirements.txt
+
       - name: Print the environment
         run: c2cciutils-env
         env:
           GITHUB_EVENT: ${{ toJson(github) }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - run: poetry install
       - name: Prospector

diff --git a/config.md b/config.md
@@ -10,60 +10,52 @@ _Tag Publish configuration file_
 - **`docker`**: Refer to _[#/definitions/publish_docker](#definitions/publish_docker)_.
 - **`pypi`**: Refer to _[#/definitions/publish_pypi](#definitions/publish_pypi)_.
 - **`helm`**: Refer to _[#/definitions/publish_helm](#definitions/publish_helm)_.
+- **`dispatch`** _(array)_: Default: `[{}]`.
+  - **Items** _(object)_: Send a dispatch event to an other repository. Default: `{}`.
+    - **`repository`** _(string)_: The repository name to be triggered. Default: `"camptocamp/argocd-gs-gmf-apps"`.
+    - **`event-type`** _(string)_: The event type to be triggered. Default: `"image-update"`.
 
 ## Definitions
 
-- <a id="definitions/publish_docker"></a>**`publish_docker`**: The configuration used to publish on Docker.
-  - **One of**
-    - _object_: The configuration used to publish on Docker.
-      - **`latest`** _(boolean)_: Publish the latest version on tag latest. Default: `true`.
-      - **`images`** _(array)_: List of images to be published.
-        - **Items** _(object)_
-          - **`group`** _(string)_: The image is in the group, should be used with the --group option of tag-publish script. Default: `"default"`.
-          - **`name`** _(string)_: The image name.
-          - **`tags`** _(array)_: The tag name, will be formatted with the version=<the version>, the image with version=latest should be present when we call the tag-publish script. Default: `["{version}"]`.
-            - **Items** _(string)_
-      - **`repository`** _(object)_: The repository where we should publish the images. Can contain additional properties. Default: `{"github": {"server": "ghcr.io", "versions": ["version_tag", "version_branch", "rebuild"]}, "dockerhub": {}}`.
-        - **Additional properties** _(object)_
-          - **`server`** _(string)_: The server URL.
-          - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag", "version_branch", "rebuild", "feature_branch"]`.
-            - **Items** _(string)_
-      - **`dispatch`**: Send a dispatch event to an other repository. Default: `{}`.
-        - **One of**
-          - _object_: Send a dispatch event to an other repository.
-            - **`repository`** _(string)_: The repository name to be triggered. Default: `"camptocamp/argocd-gs-gmf-apps"`.
-            - **`event-type`** _(string)_: The event type to be triggered. Default: `"image-update"`.
-          - : Must be: `false`.
-      - **`snyk`** _(object)_: Checks the published images with Snyk.
-        - **`monitor_args`**: The arguments to pass to the Snyk container monitor command. Default: `["--app-vulns"]`.
-          - **One of**
-            - _array_
-              - **Items** _(string)_
-            - : Must be: `false`.
-        - **`test_args`**: The arguments to pass to the Snyk container test command. Default: `["--app-vulns", "--severity-threshold=critical"]`.
-          - **One of**
-            - _array_
-              - **Items** _(string)_
-            - : Must be: `false`.
-    - : Must be: `false`.
-- <a id="definitions/publish_pypi"></a>**`publish_pypi`**: Configuration to publish on pypi. Default: `{}`.
-  - **One of**
-    - _object_: Configuration to publish on pypi.
-      - **`packages`** _(array)_: The configuration of packages that will be published.
-        - **Items** _(object)_: The configuration of package that will be published.
-          - **`group`** _(string)_: The image is in the group, should be used with the --group option of tag-publish script. Default: `"default"`.
-          - **`path`** _(string)_: The path of the pypi package.
-          - **`build_command`** _(array)_: The command used to do the build.
-            - **Items** _(string)_
-      - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script.
+- <a id="definitions/publish_docker"></a>**`publish_docker`** _(object)_: The configuration used to publish on Docker.
+  - **`latest`** _(boolean)_: Publish the latest version on tag latest. Default: `true`.
+  - **`images`** _(array)_: List of images to be published.
+    - **Items** _(object)_
+      - **`group`** _(string)_: The image is in the group, should be used with the --group option of tag-publish script. Default: `"default"`.
+      - **`name`** _(string)_: The image name.
+      - **`tags`** _(array)_: The tag name, will be formatted with the version=<the version>, the image with version=latest should be present when we call the tag-publish script. Default: `["{version}"]`.
         - **Items** _(string)_
-    - : Must be: `false`.
+  - **`repository`** _(object)_: The repository where we should publish the images. Can contain additional properties. Default: `{"github": {"server": "ghcr.io", "versions": ["version_tag", "version_branch", "rebuild"]}, "dockerhub": {}}`.
+    - **Additional properties** _(object)_
+      - **`server`** _(string)_: The server URL.
+      - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag", "version_branch", "rebuild", "feature_branch"]`.
+        - **Items** _(string)_
+  - **`snyk`** _(object)_: Checks the published images with Snyk.
+    - **`monitor_args`**: The arguments to pass to the Snyk container monitor command. Default: `["--app-vulns"]`.
+      - **One of**
+        - _array_
+          - **Items** _(string)_
+        - : Must be: `false`.
+    - **`test_args`**: The arguments to pass to the Snyk container test command. Default: `["--app-vulns", "--severity-threshold=critical"]`.
+      - **One of**
+        - _array_
+          - **Items** _(string)_
+        - : Must be: `false`.
+- <a id="definitions/publish_pypi"></a>**`publish_pypi`** _(object)_: Configuration to publish on pypi.
+  - **`packages`** _(array)_: The configuration of packages that will be published.
+    - **Items** _(object)_: The configuration of package that will be published.
+      - **`group`** _(string)_: The image is in the group, should be used with the --group option of tag-publish script. Default: `"default"`.
+      - **`path`** _(string)_: The path of the pypi package.
+      - **`build_command`** _(array)_: The command used to do the build.
+        - **Items** _(string)_
+  - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag"]`.
+    - **Items** _(string)_
 - <a id="definitions/publish_helm"></a>**`publish_helm`**: Configuration to publish Helm charts on GitHub release.
   - **One of**
     - _object_: Configuration to publish on Helm charts on GitHub release.
       - **`folders`** _(array)_: The folders that will be published.
         - **Items** _(string)_
-      - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script.
+      - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag"]`.
         - **Items** _(string)_
     - : Must be: `false`.
 - <a id="definitions/version_transform"></a>**`version_transform`** _(array)_: A version transformer definition.