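# Nightly release pipeline.
#
# github-release decides whether the newest git tag is ahead of the newest
# published GitHub release; if so it builds a changelog, publishes the
# release, and commits the updated CHANGELOG.md. The two build jobs then run
# PyInstaller for darwin/linux/windows x86_64 and linux arm64 and attach the
# zipped binaries to that release. Every action is pinned to a commit SHA
# (the one exception is flagged inline) so that a moved tag cannot change
# what runs with `contents: write`.
name: Nightly Run

on:  # yamllint disable-line rule:truthy
  schedule:
    # daily at 23:00 UTC
    - cron: "0 23 * * *"
  workflow_dispatch:

# Read-only by default; individual jobs escalate to contents: write only
# where they publish a release, push a commit or upload an asset.
permissions:
  contents: read

jobs:
  github-release:
    runs-on: [self-hosted, public, linux, x64]
    environment: release
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          # full history so `git describe --tags` below can see every tag
          fetch-depth: 0
          # NOTE(review): a PAT instead of GITHUB_TOKEN, presumably so the
          # CHANGELOG commit pushed at the end can trigger other workflows —
          # confirm, and keep the PAT scoped to this repository only
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Prepare Release
        id: prepare_release
        # Expressions are passed through env rather than interpolated into the
        # script, and the API call is authenticated so it is not subject to
        # the anonymous rate limit shared by everything behind this runner.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          # grab latest release and tag to compare and decide to create a new one
          create_release=true
          latest_gh_release=$(curl -sSf -H "Authorization: Bearer $GH_TOKEN" \
            "https://api.github.com/repos/$REPO/releases/latest" \
            | grep -Po '"tag_name": "\K.*?(?=")' || true)
          # `bash -e` would already abort on an empty grep result; this makes
          # the failure reason visible in the job log instead of an opaque exit
          if [ -z "$latest_gh_release" ]; then
            echo "::error::could not determine the latest published release for $REPO"
            exit 1
          fi
          latest_tag=$(git describe --abbrev=0 --tags)
          if [ "$latest_gh_release" = "$latest_tag" ]; then
            create_release=false
          fi
          echo "create_release=$create_release" >> "$GITHUB_OUTPUT"
          echo "latest_release_version=$latest_gh_release" >> "$GITHUB_OUTPUT"
          echo "version=$latest_tag" >> "$GITHUB_OUTPUT"
      - name: Build GitHub Release changelog
        if: steps.prepare_release.outputs.create_release == 'true'
        id: build_github_release
        uses: mikepenz/release-changelog-builder-action@5f3409748e2230350e149a7f7b5b8e9bcd785d44 # v3
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}
        with:
          configuration: ".github/release-changelog-config.json"
          fromTag: ${{ steps.prepare_release.outputs.latest_release_version }}
          toTag: ${{ steps.prepare_release.outputs.version }}
      # The three steps below are gated on a non-empty changelog, so a tag
      # with no changes since the last release produces no release and no
      # CHANGELOG commit.
      - name: Create GitHub Release
        if: steps.build_github_release.outputs.changelog != ''
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        id: create_github_release
        with:
          tag_name: ${{ steps.prepare_release.outputs.version }}
          name: ${{ steps.prepare_release.outputs.version }}
          body: ${{ steps.build_github_release.outputs.changelog }}
      - name: Update CHANGELOG.md
        if: steps.build_github_release.outputs.changelog != ''
        uses: stefanzweifel/changelog-updater-action@622311becab6b400fd95efaf29719f401ffa4691 # v1
        with:
          latest-version: ${{ steps.prepare_release.outputs.version }}
          release-notes: ${{ steps.build_github_release.outputs.changelog }}
      - name: Commit updated CHANGELOG.md
        if: steps.build_github_release.outputs.changelog != ''
        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5
        with:
          commit_message: "chore: update release notes"
          file_pattern: CHANGELOG.md
    # upload_url stays empty when no release was created, which is what the
    # build jobs' `if:` conditions key on.
    outputs:
      upload_url: ${{ steps.create_github_release.outputs.upload_url }}
      version: ${{ steps.prepare_release.outputs.version }}

  build-release-artifacts:
    strategy:
      matrix:
        include:
          - os: macos-latest
            name: darwin
            suffix: ''
          - os: ubuntu-latest
            name: linux
            suffix: ''
          - os: windows-latest
            name: windows
            suffix: '.exe'  # NOTE(review): `suffix` is not referenced by any step below
    needs: [github-release]
    if: needs.github-release.outputs.upload_url != ''
    runs-on: ${{ matrix.os }}
    permissions:
      contents: write
    env:
      PYTHON_VERSION: "3.8"
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install deps and run pyinstaller
        # NOTE(review): pyinstaller itself is not pinned here, so the build
        # tool that produces the shipped binary floats with the latest
        # release; consider pinning it alongside the other dependencies
        run: |
          pipenv sync
          pipenv run pip install pyinstaller
      - name: Build executable
        run: pipenv run pyinstaller checkov.spec
      - name: Windows - Test executable
        if: matrix.os == 'windows-latest'
        shell: bash
        # make sure it doesn't crash
        run: ./dist/checkov.exe -s -d tests/terraform/checks/resource/alicloud
      - name: Windows - zip artifact
        if: matrix.os == 'windows-latest'
        run: tar.exe -a -c -f checkov.zip dist\\checkov.exe
      - name: Linux/Mac - Test executable
        if: matrix.os != 'windows-latest'
        # make sure it doesn't crash
        run: ./dist/checkov -s -d tests/terraform/checks/resource/alicloud
      - name: Linux/Mac - zip artifact
        if: matrix.os != 'windows-latest'
        run: zip checkov.zip dist/checkov
      - name: Upload Release Asset
        # NOTE(review): the only action in this workflow referenced by a
        # mutable tag rather than a commit SHA, and it is no longer maintained
        # upstream. Pin it to a full commit SHA, or upload via the `files:`
        # input of the already-pinned softprops/action-gh-release.
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.github-release.outputs.upload_url }}
          asset_path: checkov.zip
          asset_name: checkov_${{ matrix.name }}_X86_64.zip
          asset_content_type: application/zip

  build-release-artifact-linux-arm:
    needs: [github-release]
    if: needs.github-release.outputs.upload_url != ''
    runs-on: [self-hosted, public, linux, arm64]
    container:
      image: arm64v8/python:3.8
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install deps and run pyinstaller
        # NOTE(review): pyinstaller is unpinned here as well (see the x86_64 job)
        run: |
          pipenv sync
          pipenv run pip install pyinstaller
      - name: Build executable
        run: pipenv run pyinstaller checkov.spec
      - name: zip artifact
        # apt-get with -y: the `apt` front end has no stable scripting
        # interface and its confirmation prompt has no terminal to read from
        # inside the container
        run: |
          apt-get update
          apt-get install -y --no-install-recommends zip
          zip checkov.zip dist/checkov
      - name: Upload Release Asset
        # NOTE(review): same unpinned, unmaintained action as in the x86_64 job
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.github-release.outputs.upload_url }}
          asset_path: checkov.zip
          asset_name: checkov_linux_arm64.zip
          asset_content_type: application/zip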