-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: sync workflows from central-workflows Signed-off-by: Kyle Vorster…
- Loading branch information
github-actions
committed
Jul 11, 2024
1 parent
7eac319
commit 43a0de8
Showing
14 changed files
with
439 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
Check notice Code scanning / Checkov (reported by Codacy) Ensure top-level permissions are not set to write-all Note
Ensure top-level permissions are not set to write-all
|
||
|
|
||
| name: Benchmark CI | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GH_WRITE_TOKEN }} | ||
| REPO_NAME: 'performance-benchmark' | ||
| PROCCESSOR_REPO_NAME: ${{ github.event.repository.name }} | ||
| on: | ||
| push: | ||
| branches: | ||
| - 'main' | ||
| jobs: | ||
| bench: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Clone repo | ||
| run: | | ||
| git clone https://user:[email protected]/${{ github.repository_owner }}/${{ env.REPO_NAME }} | ||
| cd ${{ env.REPO_NAME }} | ||
| git config --local user.email "[email protected]" | ||
| git config --local user.name "GitHub Action" | ||
| - name: Switch to temp branch | ||
| run: | | ||
| cd ${{ env.REPO_NAME }} | ||
| git checkout temp-holder | ||
| git pull | ||
| cat "${{ env.PROCCESSOR_REPO_NAME }}".csv >> "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp | ||
| git add "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp | ||
| git stash | ||
| git checkout main | ||
| git stash apply | ||
| - name: Write data | ||
| run: | | ||
| cd ${{ env.REPO_NAME }} | ||
| echo -n $'\n' >> "${{ env.PROCCESSOR_REPO_NAME }}".csv | ||
| cat "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp >> "${{ env.PROCCESSOR_REPO_NAME }}".csv | ||
| git reset "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp | ||
| git add "${{ env.PROCCESSOR_REPO_NAME }}".csv | ||
| git commit -m "#${{ github.event.number }} Pushed update of ${{ env.PROCCESSOR_REPO_NAME }}" | ||
| - name: push data | ||
| run: | | ||
| cd ${{ env.REPO_NAME }} | ||
| git push origin main | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
Check notice Code scanning / Checkov (reported by Codacy) Ensure top-level permissions are not set to write-all Note
Ensure top-level permissions are not set to write-all
|
||
|
|
||
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
|
|
||
| # This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards. | ||
|
|
||
| name: PR Conventional Commit Validation | ||
|
|
||
| on: | ||
| # Trigger this workflow on specific events related to pull requests | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, edited] | ||
|
|
||
| jobs: | ||
| validate-pr-title: | ||
| runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action | ||
|
|
||
| - name: PR Conventional Commit Validation | ||
| uses: ytanikin/[email protected] # Use the PRConventionalCommits action to validate PR titles | ||
|
Check warning Code scanning / Semgrep (reported by Codacy) An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
|
||
| with: | ||
| # Define the task types that are valid for conventional commits | ||
| task_types: '["build","ci","docs","feat","fix","perf","refactor","style","test","feat!"]' | ||
| # Map the conventional commit types to corresponding GitHub labels | ||
| custom_labels: '{"build": "build", "ci": "CI/CD", "docs": "documentation", "feat": "enhancement", "fix": "bug", "perf": "performance", "refactor": "refactor", "style": "style", "test": "test", "feat!": "enhancement breaking change"}' | ||
| # Use a personal access token (GITHUB_TOKEN) stored in GitHub secrets for authentication | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| add_label: 'true' | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
Check notice Code scanning / Checkov (reported by Codacy) Ensure top-level permissions are not set to write-all Note
Ensure top-level permissions are not set to write-all
|
||
|
|
||
| # This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance. | ||
|
|
||
| name: DCO | ||
|
|
||
| # Trigger the workflow on pull request events | ||
| on: [pull_request] | ||
|
|
||
| jobs: | ||
| dco: | ||
| # Define the runner environment | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| # Step to check out the repository | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available | ||
|
|
||
| - name: Set up environment variables | ||
|
Check notice Code scanning / Checkov (reported by Codacy) Ensure run commands are not vulnerable to shell injection Note
Ensure run commands are not vulnerable to shell injection
|
||
| run: | | ||
|
Check failure Code scanning / Semgrep (reported by Codacy) Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. Error
Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner.
|
||
| echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV | ||
| echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV | ||
| # Step to check each commit in the pull request for a Signed-off-by line | ||
| - name: Check for DCO Sign-off | ||
| run: | | ||
| # Get the base branch and head branch of the pull request | ||
| base_branch=$BASE_BRANCH | ||
| head_branch=$HEAD_BRANCH | ||
| # Get the list of commit hashes between the head branch and base branch | ||
| commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch}) | ||
| non_compliant_commits="" | ||
| # Loop through each commit and check for the Signed-off-by line | ||
| for commit in $commits; do | ||
| # Check if the commit message contains the Signed-off-by line | ||
| if ! git show --quiet --format=%B $commit | grep -q "^Signed-off-by: "; then | ||
| # If not, add the commit hash to the list of non-compliant commits | ||
| non_compliant_commits="$non_compliant_commits $commit" | ||
| fi | ||
| done | ||
| # If there are any non-compliant commits, output their hashes and fail the job | ||
| if [ -n "$non_compliant_commits" ]; then | ||
| echo "The following commits do not have a Signed-off-by line:" | ||
| for commit in $non_compliant_commits; do | ||
| echo "- $commit" | ||
| done | ||
| exit 1 | ||
| fi | ||
| shell: bash | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
| # hadoint is a Dockerfile linter written in Haskell | ||
| # that helps you build best practice Docker images. | ||
| # More details at https://github.com/hadolint/hadolint | ||
|
|
||
| name: Hadolint | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "dev", "main" ] | ||
| pull_request: | ||
| # The branches below must be a subset of the branches above | ||
| branches: [ "dev" ] | ||
| schedule: | ||
| - cron: '17 13 * * 0' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| hadolint: | ||
| name: Run hadolint scanning | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read # for actions/checkout to fetch code | ||
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Run hadolint | ||
| uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 | ||
| with: | ||
| dockerfile: ./Dockerfile | ||
| format: sarif | ||
| output-file: hadolint-results.sarif | ||
| no-fail: true | ||
|
|
||
| - name: Upload analysis results to GitHub | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: hadolint-results.sarif | ||
| wait-for-processing: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
|
|
||
| # GitHub recommends pinning actions to a commit SHA. | ||
| # To get a newer version, you will need to update the SHA. | ||
| # You can also reference a tag or branch, but the action may change without warning. | ||
|
|
||
| name: Publish Docker image | ||
|
|
||
| on: | ||
| release: | ||
| types: [published] | ||
|
|
||
| jobs: | ||
| push_to_registry: | ||
| name: Push Docker image to Docker Hub | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| packages: write | ||
| contents: read | ||
| attestations: write | ||
| id-token: write | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Log in to Docker Hub | ||
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | ||
| with: | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
| with: | ||
| images: my-docker-hub-namespace/my-docker-hub-repository | ||
|
|
||
| - name: Build and push Docker image | ||
| id: push | ||
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 | ||
| with: | ||
| context: . | ||
| file: ./Dockerfile | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
|
|
||
|
|
||
| * name: Generate artifact attestation | ||
| uses: actions/attest-build-provenance@v1 | ||
| with: | ||
| subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} | ||
| subject-digest: ${{ steps.push.outputs.digest }} | ||
| push-to-registry: true | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
Check notice Code scanning / Checkov (reported by Codacy) Ensure top-level permissions are not set to write-all Note
Ensure top-level permissions are not set to write-all
|
||
|
|
||
| # This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures. | ||
|
|
||
| name: GPG Verify | ||
|
|
||
| on: [pull_request] # Trigger this workflow on pull request events | ||
|
|
||
| jobs: | ||
| gpg-verify: | ||
| runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job | ||
| steps: | ||
| - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action | ||
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history | ||
|
|
||
| - name: Set up environment variables | ||
|
Check notice Code scanning / Checkov (reported by Codacy) Ensure run commands are not vulnerable to shell injection Note
Ensure run commands are not vulnerable to shell injection
|
||
| run: | | ||
| echo "PR_HEAD_REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV | ||
| echo "PR_BASE_REF=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV | ||
| echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV | ||
| echo "GITHUB_REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV | ||
| - name: Check GPG verification status # Step to check each commit for GPG signature verification | ||
| run: | | ||
| # Get the list of commits in the pull request | ||
| commits=$(git log --pretty=format:%H origin/${PR_HEAD_REF}..origin/${PR_BASE_REF}) | ||
| # Check the GPG verification status of each commit | ||
| for commit in $commits; do | ||
| status=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ | ||
| https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$commit/check-runs \ | ||
| | jq -r '.check_runs[] | select(.name == "GPG verify") | .conclusion') | ||
| # If the GPG verification status is not successful, list the commit and exit with a non-zero status | ||
| if [[ "$status" != "success" ]]; then | ||
| echo "GPG signature verification failed for commit $commit." | ||
| exit 1 | ||
| fi | ||
| done | ||
Oops, something went wrong.