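---
# Release pipeline: every push to main is tested, linted and integration-tested;
# only when all three pass is a tag cut, a release published, the Docker image
# pushed and the downstream projects notified.
name: build
on:
  push:
    branches:
      - main
    paths-ignore:
      - 'docs/**'
      - 'INTHEWILD.md'
      - 'README.md'
      - '.github/**'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Only one build at a time; a newer push cancels the run in flight.
concurrency:
  group: 'build'
  cancel-in-progress: true

jobs:
  test:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
          # Quoted so a future minor such as 1.20 is not parsed as the float 1.2.
          go-version: '1.19'
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          # NOTE(review): a PAT is used here instead of the default GITHUB_TOKEN;
          # confirm the broader scope is actually required by the badge push below.
          token: ${{ secrets.PAT }}
      - name: "Terraform Init"
        # NOTE(review): @master is a mutable ref - pin to a release tag or commit
        # SHA so an upstream change cannot silently alter what runs in this job.
        uses: hashicorp/terraform-github-actions@master
        with:
          tf_actions_version: '0.14.5'
          tf_actions_subcommand: "init"
          tf_actions_working_dir: "tests/terraform/resources"
      - name: Prepare external plugin tests
        run: |
          go build -buildmode=plugin -o tests/yor_plugins/example/extra_tags.so tests/yor_plugins/example/*.go
          go build -buildmode=plugin -o tests/yor_plugins/tag_group_example/extra_tag_groups.so tests/yor_plugins/tag_group_example/*.go
      - name: Test
        run: |
          go build -v && go test ./src/... -covermode=count -coverprofile=coverage.out
          go tool cover -func=coverage.out -o=coverage.out
      - name: Go Coverage Badge  # Pass the `coverage.out` output to this action
        uses: tj-actions/coverage-badge-go@v2
        with:
          filename: coverage.out
      - name: Verify Changed files
        uses: tj-actions/verify-changed-files@v12
        id: verify-changed-files
        with:
          files: README.md
      - name: Commit changes
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add README.md
          git commit -m "chore: Updated coverage badge."
      - name: Push changes
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        # NOTE(review): @master is a mutable ref - pin to a tag or commit SHA.
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.PAT }}
          # NOTE(review): github.head_ref is only populated on pull_request events;
          # on the push trigger used here it is empty - confirm the action's
          # fallback pushes to the intended branch (main).
          branch: ${{ github.head_ref }}

  linter:
    name: golangci-lint
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v2
      - name: golangci-lint
        uses: reviewdog/action-golangci-lint@v1
        with:
          tool_name: golangci-lint
          fail_on_error: true

  integration-tests:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
          go-version: '1.19'
      - name: Checkout code
        uses: actions/checkout@v2
      - name: build
        run: go build
      - name: Clone Terragoat - vulnerable terraform
        uses: actions/checkout@v2
        with:
          repository: bridgecrewio/terragoat  # clone https://github.com/bridgecrewio/terragoat/
          fetch-depth: 0
          clean: false
          path: 'terragoat'
          # Pinned to a fixed commit so the test fixture cannot drift under the tests.
          ref: 063dc2db3bb036160ed39d3705508ee8293a27c8
      - name: Run yor
        run: |
          git config --local user.email "action@github.com"
          ./yor list-tags -g code2cloud,git > list-tags-result.txt
          ./yor tag -d terragoat -o json --output-json-file result.json
          go test -race ./tests/integration/...

  create-release:
    runs-on: [self-hosted, public, linux, x64]
    needs:
      - integration-tests
      - test
      - linter
    outputs:
      version: ${{ steps.version.outputs.new_tag }}
    steps:
      - name: Wait for coverage to update
        # NOTE(review): a fixed delay is a race with the badge commit from the
        # test job, not a guarantee that it has landed on main.
        run: sleep 10s
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: main
      - name: version
        uses: anothrNick/github-tag-action@1.26.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Env values are always strings; quoted so no YAML tool retypes it.
          WITH_V: "false"
          RELEASE_BRANCHES: main
          DEFAULT_BUMP: patch
        id: version
      - name: Install Go
        uses: actions/setup-go@v2
        with:
          go-version: '1.19'
      - name: Git Fetch Repo
        run: |
          git fetch
      - uses: goreleaser/goreleaser-action@v2
        name: goreleaser
        with:
          # NOTE(review): "latest" resolves an unpinned CLI; newer goreleaser
          # releases replaced --rm-dist with --clean - verify against the version
          # this actually resolves to, or pin it.
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
          GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.new_tag }}
      # - name: Update go reportcard
      #   uses: creekorful/goreportcard-action@v1.0

  publish-dockerhub:
    runs-on: [self-hosted, public, linux, x64]
    needs:
      - create-release
    steps:
      # NOTE(review): @master is a mutable ref - pin to a tag or commit SHA.
      - uses: actions/checkout@master
      - name: Publish to Registry
        # NOTE(review): @master is a mutable ref; this step handles registry
        # credentials, so pin it to a commit SHA.
        uses: elgohr/Publish-Docker-Github-Action@master
        with:
          name: bridgecrew/yor
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          buildoptions: "--no-cache"
          tags: "latest,${{ needs.create-release.outputs.version }}"
      - name: Update Docker Hub README
        uses: peter-evans/dockerhub-description@v2
        with:
          # NOTE(review): a second, differently named credential pair is used here
          # (DOCKERHUB_* vs DOCKER_* above); confirm both are provisioned or
          # consolidate on one.
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: bridgecrew/yor
          short-description: ${{ github.event.repository.description }}

  update-bridgecrew-projects:
    needs: publish-dockerhub
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - name: update on yor release
        # --fail makes an HTTP error a non-zero exit, so a rejected dispatch
        # fails the step instead of being silently ignored (curl otherwise
        # returns 0 on 4xx/5xx).
        # NOTE(review): the Jenkins token travels in the URL query string; the job
        # log masks it, but it can surface in access logs on the receiving side -
        # prefer a header or request body if the endpoint supports one.
        run: |
          curl --fail -XPOST -H "Authorization: token ${{ secrets.PAT }}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/yor-action/dispatches --data '{"event_type": "build"}'
          curl --fail -XPOST -H "Authorization: token ${{ secrets.PAT }}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/yor-choco/dispatches --data '{"event_type": "build"}'
          curl --fail -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-yor&token=${{ secrets.BC_JENKINS_TOKEN }}"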