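---
name: PR Checks

on:
  pull_request:
    branches: [main]

# Least privilege for the automatic GITHUB_TOKEN: every job only needs to read the
# repository. The image push in the docker job authenticates with the
# PR_CONTAINERS_USER / PR_CONTAINERS secrets, not with GITHUB_TOKEN.
# NOTE(review): Azure/container-scan has an optional token input that defaults to the
# job token — confirm the scan step still runs with read-only permissions.
permissions:
  contents: read

env:
  # Minimum coverage percentage enforced by `pytest --cov-fail-under`.
  REQUIRED_COVERAGE: 30
  # No-op keyring backend so Poetry/pip never touch a system keyring on the runner.
  PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring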
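jobs:
  python:
    name: python checks
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by major tag. For a stronger supply-chain guarantee
      # pin each one to a full commit SHA (owner/action@<commit-sha>) and let a
      # dependency bot bump them.
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v2
        with:
          python-version: '3.10'
      - name: Install Poetry
        run: pip install poetry
      - name: Install requirements
        run: poetry install
      - name: Check formatting
        run: poetry run black --check .
      - name: Check pylint
        run: poetry run pylint --rcfile pyproject.toml vault_monitor
      - name: Check typing
        run: poetry run mypy --config-file pyproject.toml .
      - name: Execute tests
        run: poetry run pytest --cov-fail-under "$REQUIRED_COVERAGE"

  docker:
    name: docker checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # NOTE(review): this action ref was mangled in the page source; restore the
      # intended owner/action@version before use.
      - uses: hadolint/[email protected]
        with:
          dockerfile: Dockerfile
      - name: Build PR Check
        id: containers
        # Secrets are handed to the shell through env instead of being expanded into
        # the script text, so their contents can never alter the shell syntax. They are
        # not available to pull requests from forks, which disables the push below.
        env:
          BUILD_PR: ${{ secrets.BUILD_PR }}
          PR_CONTAINERS_USER: ${{ secrets.PR_CONTAINERS_USER }}
          PR_CONTAINERS: ${{ secrets.PR_CONTAINERS }}
        # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT.
        run: |
          if [[ -n "$BUILD_PR" && -n "$PR_CONTAINERS_USER" && -n "$PR_CONTAINERS" ]]; then
            echo "PR Builds configured"
            echo "BUILD_PR=true" >> "$GITHUB_OUTPUT"
          else
            echo "PR Builds not configured"
            echo "BUILD_PR=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Get PR ID
        id: pr
        if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
        # Everything before the first "/" of github.ref_name is used as the image tag
        # suffix. Passed via env rather than interpolated into the command line.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: echo "id=${REF_NAME%%/*}" >> "$GITHUB_OUTPUT"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to ghcr.io
        if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ secrets.PR_CONTAINERS_USER }}
          password: ${{ secrets.PR_CONTAINERS }}
      - name: PR Cross Platform Build and Push
        if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.id }}
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: PR Cross Platform Build
        # Build-only fallback when push is not configured. The "Get PR ID" step is
        # skipped in this case, so the tag ends in "pr-" with an empty id; the image
        # is never pushed, so the tag is only cosmetic here.
        if: ${{ !fromJSON(steps.containers.outputs.BUILD_PR) }}
        uses: docker/build-push-action@v2
        with:
          context: .
          tags: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.id }}
          platforms: linux/amd64,linux/arm64,linux/arm/v7

  security:
    name: security checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: '0'
      - uses: actions/setup-python@v2
        with:
          # NOTE(review): the python job pins '3.10' while this job pins '3.11' —
          # confirm the mismatch is intentional.
          python-version: '3.11'
      - name: Install Poetry
        run: pip install poetry
      - name: Install requirements
        run: poetry install
      - name: Execute Bandit Security Checks
        run: poetry run bandit -r vault_monitor
      - name: Test Image Build
        run: docker build . -t build-exporter:test
      - name: Scan Image
        # NOTE(review): this action ref was mangled in the page source; restore the
        # intended owner/action@version before use.
        uses: Azure/[email protected]
        with:
          image-name: build-exporter:test
          # Disabled for now due to bug https://github.com/Azure/container-scan/issues/133
          # (and partially duplicating linting anyway)
          run-quality-checks: false

  version:
    name: version check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Poetry
        run: pip install poetry
      - name: Install requirements
        run: poetry install
      - name: Get current version
        id: current_version
        # `poetry version` prints "<package> <version>"; keep the second field.
        run: echo "version=$(poetry version | cut -d" " -f2)" >> "$GITHUB_OUTPUT"
      - name: Checkout ${{ github.base_ref }}
        uses: actions/checkout@v3
        with:
          ref: ${{ github.base_ref }}
      - name: Get ${{ github.base_ref }} version
        id: old_version
        run: echo "version=$(poetry version | cut -d" " -f2)" >> "$GITHUB_OUTPUT"
      - name: Checkout current branch
        uses: actions/checkout@v3
      - name: Check version has been bumped
        # The current-branch version is read from the PR's own pyproject.toml, i.e.
        # from untrusted input. Both values go through env and are quoted in the
        # command instead of being expanded into the command line by the expression
        # engine.
        env:
          CURRENT_VERSION: ${{ steps.current_version.outputs.version }}
          TARGET_VERSION: ${{ steps.old_version.outputs.version }}
        run: python .github/workflows/version_check.py --current-branch "$CURRENT_VERSION" --target-branch "$TARGET_VERSION"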