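---
# chain-docs: scan and then build/deploy the docs site.
#
# Triggers:
#   - push to master                          -> scans and deploys master
#   - a pull-request comment of exactly "/staging" from a member of the
#     docs-maintainers team                    -> scans and deploys that PR's head
#
# Trust boundary: on the "/staging" path the PR head (possibly a fork) is
# checked out and its ci/scripts are run with the STAGING_* credentials. The
# only gate is the team-membership check in the `member` job, so maintainers
# should review the PR diff before commenting "/staging".
name: chain-docs

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
  issue_comment:
    types: [created]

jobs:
  # Decides whether the run is authorised: any push, or a "/staging" comment on
  # a pull request whose author (github.actor) is in the docs-maintainers team.
  member:
    name: Check whether it is triggered by team members or pushed
    runs-on: ubuntu-latest
    # Ignore "/staging" on plain issues: downstream jobs read
    # github.event.issue.pull_request.url, which is absent there.
    if: >-
      github.event_name == 'push' ||
      (github.event.comment.body == '/staging' && github.event.issue.pull_request)
    # This job only uses the ORG_READ_BOT_PAT; the workflow token needs nothing.
    permissions:
      contents: read
    outputs:
      valid: ${{ steps.setValid.outputs.valid }}
    steps:
      # NOTE(review): the action ref below was garbled by the page rendering
      # ("[email protected]"); restore it from the repository and pin it to a
      # full commit SHA rather than a mutable tag.
      - uses: tspascoal/[email protected]
        id: checkUserMember
        if: github.event_name == 'issue_comment'
        with:
          username: ${{ github.actor }}
          team: 'docs-maintainers'
          GITHUB_TOKEN: ${{ secrets.ORG_READ_BOT_PAT }}
      - name: set valid if it is push event or it is triggered by team members
        id: setValid
        # Values are passed through env instead of being interpolated into the
        # shell text, and written with $GITHUB_OUTPUT (::set-output is deprecated).
        env:
          IS_TEAM_MEMBER: ${{ steps.checkUserMember.outputs.isTeamMember }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          if [[ "$IS_TEAM_MEMBER" == "true" || "$EVENT_NAME" == "push" ]]; then
            echo "valid=true" >> "$GITHUB_OUTPUT"
          else
            echo "valid=false" >> "$GITHUB_OUTPUT"
          fi

  # Static scan of the code that is about to be deployed; results go to the
  # repository's code-scanning alerts via SARIF upload.
  scan:
    name: Scan
    runs-on: ubuntu-22.04
    needs: [member]
    permissions:
      pull-requests: read
      actions: read
      contents: read
      security-events: write
    if: ${{ needs.member.outputs.valid == 'true' }}
    steps:
      - name: Github API Request
        id: request
        # NOTE(review): action ref garbled by the page rendering
        # ("[email protected]"); restore from the repository and pin to a SHA.
        uses: octokit/[email protected]
        if: github.event_name == 'issue_comment'
        with:
          route: ${{ github.event.issue.pull_request.url }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Get PR informations
        id: pr_data
        if: github.event_name == 'issue_comment'
        # head.ref and head.repo.full_name are chosen by the PR author; pass
        # them through env so they are never expanded inside the shell script.
        env:
          HEAD_REF: ${{ fromJson(steps.request.outputs.data).head.ref }}
          HEAD_REPO: ${{ fromJson(steps.request.outputs.data).head.repo.full_name }}
        run: |
          echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
          echo "repo_name=$HEAD_REPO" >> "$GITHUB_OUTPUT"
      - name: Checkout PR Branch
        uses: actions/checkout@v4
        if: github.event_name == 'issue_comment'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ steps.pr_data.outputs.repo_name }}
          ref: ${{ steps.pr_data.outputs.branch }}
      - name: Check MASTER code
        uses: actions/checkout@v4
        if: github.event_name == 'push'
      - name: Perform ShiftLeft Scan
        # NOTE(review): `@master` is a mutable ref on a third-party action that
        # receives GITHUB_TOKEN; pin it to a full commit SHA.
        uses: ShiftLeftSecurity/scan-action@master
        env:
          WORKSPACE: ""
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SCAN_AUTO_BUILD: "true"  # env values are strings; quoted to avoid the YAML boolean
        with:
          output: reports
          # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
          # type: credscan,java
          # type: python
      - name: Upload report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: reports

  # Builds and deploys after the scan; ci/scripts/deploy is expected to pick
  # the MASTER_* or STAGING_* target from EVENT (push vs issue_comment) —
  # inferred from the env names, confirm against ci/scripts/deploy.
  build:
    name: Build
    runs-on: ubuntu-22.04
    needs: [member, scan]
    if: ${{ needs.member.outputs.valid == 'true' }}
    # NOTE(review): no `permissions:` block, so GITHUB_TOKEN carries the
    # repository default. Restrict it to `contents: read` / `pull-requests: read`
    # once it is confirmed that ci/scripts do not need write access.
    steps:
      - name: Github API Request
        id: request
        # NOTE(review): action ref garbled by the page rendering
        # ("[email protected]"); restore from the repository and pin to a SHA.
        uses: octokit/[email protected]
        if: github.event_name == 'issue_comment'
        with:
          route: ${{ github.event.issue.pull_request.url }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Get PR informations
        id: pr_data
        if: github.event_name == 'issue_comment'
        # Same as in `scan`: PR-author-controlled values go through env, never
        # into the shell text.
        env:
          HEAD_REF: ${{ fromJson(steps.request.outputs.data).head.ref }}
          HEAD_REPO: ${{ fromJson(steps.request.outputs.data).head.repo.full_name }}
        run: |
          echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
          echo "repo_name=$HEAD_REPO" >> "$GITHUB_OUTPUT"
      - name: Checkout PR Branch
        uses: actions/checkout@v4
        if: github.event_name == 'issue_comment'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ steps.pr_data.outputs.repo_name }}
          ref: ${{ steps.pr_data.outputs.branch }}
      - name: Check MASTER code
        uses: actions/checkout@v4
        if: github.event_name == 'push'
      - uses: actions/setup-node@v4
        with:
          # Node 12 is end-of-life; kept as-is because ci/scripts are not
          # visible here — bump once they are known to build on a current LTS.
          node-version: "12"
      - name: ci
        env:
          MASTER_AWS_ACCESS_KEY_ID: ${{ secrets.MASTER_AWS_ACCESS_KEY_ID }}
          MASTER_AWS_SECRET_ACCESS_KEY: ${{ secrets.MASTER_AWS_SECRET_ACCESS_KEY }}
          MASTER_BUCKET_NAME: ${{ secrets.MASTER_BUCKET_NAME }}
          MASTER_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.MASTER_CLOUDFRONT_DISTRIBUTION_ID }}
          MASTER_REGION: ${{ secrets.MASTER_REGION }}
          EVENT: ${{ github.event_name }}
          STAGING_AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
          STAGING_AWS_SECRET_ACCESS_KEY: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
          STAGING_BUCKET_NAME: ${{ secrets.STAGING_BUCKET_NAME }}
          STAGING_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.STAGING_CLOUDFRONT_DISTRIBUTION_ID }}
          STAGING_REGION: ${{ secrets.STAGING_REGION }}
        # Both MASTER_* and STAGING_* secrets are exposed to the checked-out
        # scripts on every run, including "/staging" runs of fork PRs; exposing
        # only the target environment's set (via `environment:` or a per-event
        # step) would narrow the blast radius.
        run: |
          . ci/scripts/prepare
          ci/scripts/build
          ci/scripts/deploy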