fix: Dockerfile to reduce vulnerabilities #249
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test | |
| on: | |
| push: | |
| pull_request: | |
| schedule: [{cron: '3 2 1 * *'}] # M H d m w (monthly at 2:03) | |
| jobs: | |
| check: | |
| if: github.event_name != 'pull_request' || !contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association) | |
| name: Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.x' | |
| - name: Prepare cache | |
| run: echo "PYSHA=$(python -VV | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV | |
| - uses: actions/cache@v3 | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: pre-commit|${{ env.PYSHA }}|${{ hashFiles('.pre-commit-config.yaml') }} | |
| - name: Dependencies | |
| run: pip install -U pre-commit | |
| - uses: reviewdog/action-setup@v1 | |
| - if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| name: Comment | |
| run: | | |
| if [[ $EVENT == pull_request ]]; then | |
| REPORTER=github-pr-review | |
| else | |
| REPORTER=github-check | |
| fi | |
| pre-commit run -a todo | reviewdog -efm="%f:%l: %m" -name=TODO -tee -reporter=$REPORTER -filter-mode nofilter | |
| pre-commit run -a flake8 | reviewdog -f=pep8 -name=flake8 -tee -reporter=$REPORTER -filter-mode nofilter | |
| env: | |
| REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| EVENT: ${{ github.event_name }} | |
| - name: Lint | |
| run: pre-commit run -a --show-diff-on-failure | |
| test: | |
| if: github.event_name != 'pull_request' || !contains('OWNER,MEMBER,COLLABORATOR', github.event.pull_request.author_association) | |
| name: py${{ matrix.python }}-${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu] | |
| python: [3.7, 3.8, 3.9, '3.10', 3.11] | |
| include: | |
| - os: macos | |
| python: 3.11 | |
| - os: windows | |
| python: 3.11 | |
| runs-on: ${{ matrix.os }}-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python }} | |
| - name: Install | |
| run: pip install -U tox tox-gh-actions | |
| - name: Test | |
| run: tox -e py${PYVER/./} | |
| env: | |
| PYVER: ${{ matrix.python }} | |
| PLATFORM: ${{ matrix.os }} | |
| COVERALLS_FLAG_NAME: py${{ matrix.python }}-${{ matrix.os }} | |
| COVERALLS_PARALLEL: true | |
| COVERALLS_SERVICE_NAME: github | |
| # coveralls needs explicit token | |
| COVERALLS_REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| finish: | |
| name: Coverage | |
| continue-on-error: ${{ github.event_name != 'push' }} | |
| needs: test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.x' | |
| - name: Coveralls Finished | |
| run: | | |
| pip install -U coveralls | |
| coveralls --finish || : | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| deploy: | |
| name: Deploy | |
| needs: [check, test] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.x' | |
| - name: Install | |
| run: | | |
| sudo apt-get install -yqq pandoc | |
| pip install -r .meta/requirements-build.txt | |
| make build .dockerignore | |
| - id: dist | |
| uses: casperdcl/deploy-pypi@v2 | |
| with: | |
| password: ${{ secrets.TWINE_PASSWORD }} | |
| gpg_key: ${{ secrets.GPG_KEY }} | |
| upload: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }} | |
| - id: collect_assets | |
| name: Collect assets | |
| run: | | |
| if [[ $GITHUB_REF == refs/tags/v* ]]; then | |
| echo docker_tags=latest,${GITHUB_REF/refs\/tags\/v/} >> $GITHUB_OUTPUT | |
| echo snap_channel=stable,candidate,edge >> $GITHUB_OUTPUT | |
| elif [[ $GITHUB_REF == refs/heads/main ]]; then | |
| echo docker_tags=main >> $GITHUB_OUTPUT | |
| echo snap_channel=candidate,edge >> $GITHUB_OUTPUT | |
| elif [[ $GITHUB_REF == refs/heads/devel ]]; then | |
| echo docker_tags=devel >> $GITHUB_OUTPUT | |
| echo snap_channel=edge >> $GITHUB_OUTPUT | |
| fi | |
| - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
| name: Release | |
| run: | | |
| changelog=$(git log --pretty='format:%d%n- %s%n%b---' $(git tag --sort=v:refname | tail -n2 | head -n1)..HEAD) | |
| tag="${GITHUB_REF#refs/tags/}" | |
| gh release create --title "git-fame $tag stable" --draft --notes "$changelog" "$tag" dist/${{ steps.dist.outputs.whl }} dist/${{ steps.dist.outputs.whl_asc }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| - uses: snapcore/action-build@v1 | |
| id: snap_build | |
| - if: github.event_name == 'push' && steps.collect_assets.outputs.snap_channel | |
| uses: snapcore/action-publish@v1 | |
| with: | |
| snap: ${{ steps.snap_build.outputs.snap }} | |
| release: ${{ steps.collect_assets.outputs.snap_channel }} | |
| env: | |
| SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAP_TOKEN }} | |
| - name: Docker build push | |
| uses: elgohr/Publish-Docker-Github-Action@master | |
| with: | |
| name: ${{ github.repository }} | |
| tags: ${{ steps.collect_assets.outputs.docker_tags }} | |
| password: ${{ secrets.DOCKER_PWD }} | |
| username: ${{ secrets.DOCKER_USR }} | |
| no_push: ${{ steps.collect_assets.outputs.docker_tags == '' }} | |
| - name: Docker push GitHub | |
| uses: elgohr/Publish-Docker-Github-Action@master | |
| with: | |
| name: ${{ github.repository }}/git-fame | |
| tags: ${{ steps.collect_assets.outputs.docker_tags }} | |
| password: ${{ github.token }} | |
| username: ${{ github.actor }} | |
| registry: docker.pkg.github.com | |
| no_push: ${{ steps.collect_assets.outputs.docker_tags == '' }} |