Chore(deps): Bump github/codeql-action from 2.22.8 to 3.24.5 #780
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pipeline | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| - feat/* | |
| - hotfix/* | |
| - main | |
| pull_request: | |
| branches: | |
| - develop | |
| - feat/* | |
| - hotfix/* | |
| - main | |
| env: | |
| CONTAINER_NAME: ${{ github.repository }} | |
| CONTAINER_REGISTRY_GHCR: ghcr.io | |
| CONTAINER_REGISTRY_DOCKER_HUB: docker.io | |
| CONTAINER_PLATFORMS: linux/amd64,linux/arm64/v8 | |
| # https://github.com/docker/buildx/releases | |
| BUILDX_VERSION: 0.11.2 | |
| # https://nodejs.org/en/download/releases | |
| NODE_VERSION: 18.17.1 | |
| # https://github.com/helm/helm/releases | |
| HELM_VERSION: 3.12.3 | |
| # https://npmjs.com/package/snyk?activeTab=versions | |
| SNYK_VERSION: 1.1221.0 | |
| # https://github.com/oras-project/oras/releases | |
| ORAS_VERSION: 1.1.0 | |
| # https://github.com/rust-lang/rust/tags | |
| RUST_VERSION: 1.72.0 | |
| jobs: | |
| init: | |
| name: Init | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| VERSION: ${{ steps.version.outputs.version }} | |
| VERSION_FULL: ${{ steps.version.outputs.version_full }} | |
| VERSION_WIN: ${{ steps.version.outputs.version_win }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| with: | |
| # We need all Git history for "version.sh" | |
| fetch-depth: 0 | |
| # Ensure "version.sh" submodule are up-to-date | |
| submodules: recursive | |
| - name: Version | |
| id: version | |
| run: | | |
| echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT | |
| echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT | |
| echo "version_win=$(bash cicd/version/version.sh -g . -c -w)" >> $GITHUB_OUTPUT | |
| sast-creds: | |
| name: SAST - Credentials | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| with: | |
| # We need all Git history for testing credentials | |
| fetch-depth: 0 | |
| # Ensure all submodules up-to-date | |
| submodules: recursive | |
| - name: SAST - Credentials | |
| uses: trufflesecurity/trufflehog@v3.63.1 | |
| with: | |
| base: ${{ github.event.repository.default_branch }} | |
| extra_args: --only-verified | |
| head: HEAD | |
| path: . | |
| build-helm: | |
| name: Build Helm chart | |
| needs: | |
| - init | |
| - sast-creds | |
| - sast-semgrep | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| - name: Setup Helm | |
| uses: azure/setup-helm@v3.5 | |
| with: | |
| version: v${{ env.HELM_VERSION }} | |
| # Required for running "npx" CLI | |
| - name: Setup Node | |
| uses: actions/setup-node@v4.0.0 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Package Helm chart | |
| run: | | |
| cp README.md cicd/helm/private-gpt | |
| helm package \ | |
| --app-version ${{ needs.init.outputs.VERSION }} \ | |
| --dependency-update \ | |
| --destination helm-binaries \ | |
| --version ${{ needs.init.outputs.VERSION }} \ | |
| cicd/helm/private-gpt | |
| - name: Cache Helm chart | |
| uses: actions/upload-artifact@v3.1.3 | |
| with: | |
| name: helm-chart | |
| path: helm-binaries | |
| - name: Render Helm chart locally | |
| run: | | |
| helm template \ | |
| --output-dir .helm-template \ | |
| --values test/helm/values.yaml \ | |
| helm-binaries/private-gpt-${{ needs.init.outputs.VERSION }}.tgz | |
| - name: Run SAST Snyk for Helm | |
| # Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| npx --yes snyk@${{ env.SNYK_VERSION }} iac test \ | |
| --sarif-file-output=snyk.sarif \ | |
| --severity-threshold=medium \ | |
| .helm-template | |
| - name: Upload results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3.24.5 | |
| with: | |
| sarif_file: snyk.sarif | |
| publish-helm: | |
| name: Publish Helm chart | |
| needs: | |
| - build-helm | |
| - build-images | |
| - create-release | |
| - init | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| - name: Download Helm chart | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: helm-chart | |
| path: helm-binaries | |
| - name: Setup node | |
| uses: actions/setup-node@v4.0.0 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Upload Helm chart to release | |
| uses: actions/github-script@v7.0.1 | |
| with: | |
| script: | | |
| github.rest.repos.uploadReleaseAsset({ | |
| data: require("fs").readFileSync("helm-binaries/private-gpt-${{ needs.init.outputs.VERSION }}.tgz"), | |
| name: "private-gpt-${{ needs.init.outputs.VERSION }}.tgz", | |
| owner: context.repo.owner, | |
| release_id: ${{ needs.create-release.outputs.RELEASE_ID }}, | |
| repo: context.repo.repo, | |
| }); | |
| build-images: | |
| name: Build & publish image "${{ matrix.src }}" | |
| needs: | |
| - init | |
| - sast-creds | |
| - sast-semgrep | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| # Allow to write to GitHub Security | |
| security-events: write | |
| # Allow to write to GitHub Packages | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| src: [conversation-api, conversation-ui] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "${{ github.actor }}" | |
| git config user.email "${{ github.actor }}@users.noreply.github.com" | |
| - name: Setup QEMU | |
| id: setup-qemu | |
| uses: docker/setup-qemu-action@v3.0.0 | |
| with: | |
| platforms: ${{ env.CONTAINER_PLATFORMS }} | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@v3.0.0 | |
| with: | |
| version: v${{ env.BUILDX_VERSION }} | |
| # Required for running "npx" CLI | |
| - name: Setup Node | |
| uses: actions/setup-node@v4.0.0 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Login to registry - GitHub | |
| uses: docker/login-action@v3.0.0 | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY_GHCR }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to registry - Docker Hub | |
| uses: docker/login-action@v3.0.0 | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }} | |
| username: clemlesne | |
| password: ${{ secrets.DOCKER_HUB_PAT }} | |
| - name: Container meta | |
| id: meta | |
| uses: docker/metadata-action@v5.0.0 | |
| with: | |
| images: | | |
| ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }} | |
| ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}/${{ env.CONTAINER_NAME }} | |
| flavor: | | |
| prefix=${{ matrix.src }}- | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=schedule | |
| type=schedule,pattern={{date 'YYYYMMDD'}} | |
| type=semver,pattern={{version}},value=${{ needs.init.outputs.VERSION_FULL }} | |
| type=sha | |
| labels: | | |
| org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }} | |
| org.opencontainers.image.vendor=${{ github.actor }} | |
| - name: Store tag | |
| id: tag | |
| run: | | |
| ref="${{ github.ref }}" | |
| branch=$(echo "${ref#refs/heads/}" | sed 's/\//-/g') | |
| tag=$(echo "${{ steps.meta.outputs.tags }}" | grep -m1 $branch) | |
| echo "tag=$tag" >> $GITHUB_OUTPUT | |
| - name: Build/push container | |
| uses: docker/build-push-action@v5.0.0 | |
| with: | |
| build-args: | | |
| VERSION=${{ needs.init.outputs.VERSION_FULL }} | |
| cache-from: type=gha | |
| cache-to: type=gha | |
| context: src/${{ matrix.src }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: ${{ env.CONTAINER_PLATFORMS }} | |
| provenance: true | |
| push: true | |
| sbom: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| - name: Run SAST Snyk on container image | |
| # Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| npx --yes snyk@${{ env.SNYK_VERSION }} container test \ | |
| --fail-on=upgradable \ | |
| --file=src/${{ matrix.src }}/Dockerfile \ | |
| --sarif-file-output=snyk.sarif \ | |
| --severity-threshold=medium \ | |
| ${{ steps.tag.outputs.tag }} | |
| - name: Upload results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3.24.5 | |
| with: | |
| sarif_file: snyk.sarif | |
| sast-semgrep: | |
| name: SAST - Semgrep | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| # Allow to write to GitHub Security | |
| security-events: write | |
| container: | |
| image: returntocorp/semgrep | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| - name: Run tests | |
| # Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
| continue-on-error: true | |
| env: | |
| SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten p/dockerfile | |
| run: semgrep ci --sarif --output=semgrep.sarif | |
| - name: Upload results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3.24.5 | |
| with: | |
| sarif_file: semgrep.sarif | |
| publish-artifacthub-metadata: | |
| name: Publish ArtifactHub metadata | |
| # Only publish on non-scheduled default branch | |
| if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| - name: Setup ORAS | |
| uses: oras-project/setup-oras@v1.1.0 | |
| with: | |
| version: ${{ env.ORAS_VERSION }} | |
| - name: Login to registry - GitHub | |
| uses: docker/login-action@v3.0.0 | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY_GHCR }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to registry - Docker Hub | |
| uses: docker/login-action@v3.0.0 | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }} | |
| username: clemlesne | |
| password: ${{ secrets.DOCKER_HUB_PAT }} | |
| - name: Push to registry | |
| run: | | |
| oras push \ | |
| ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }}:artifacthub.io \ | |
| artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \ | |
| --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml | |
| oras push \ | |
| ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}/${{ env.CONTAINER_NAME }}:artifacthub.io \ | |
| artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \ | |
| --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml | |
| create-release: | |
| name: Create release | |
| needs: | |
| - init | |
| - sast-creds | |
| - sast-semgrep | |
| permissions: | |
| # Allow to create releases | |
| contents: write | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| RELEASE_ID: ${{ steps.create-release.outputs.result }} | |
| # Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version | |
| # if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.1 | |
| - name: Setup node | |
| uses: actions/setup-node@v4.0.0 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Create release | |
| id: create-release | |
| uses: actions/github-script@v7.0.1 | |
| with: | |
| script: | | |
| const isMain = context.ref == `refs/heads/main`; | |
| const repoName = context.repo.repo; | |
| console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch'); | |
| const { data } = await github.rest.repos.createRelease({ | |
| draft: true, | |
| generate_release_notes: true, | |
| name: `${repoName} v${{ needs.init.outputs.VERSION }}`, | |
| owner: context.repo.owner, | |
| prerelease: !isMain, | |
| repo: repoName, | |
| tag_name: 'v${{ needs.init.outputs.VERSION }}', | |
| target_commitish: context.ref, | |
| }); | |
| return data.id | |
| publish-release: | |
| name: Publish release | |
| permissions: | |
| # Allow to write releases | |
| contents: write | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - create-release | |
| - init | |
| - publish-helm | |
| # Only publish on non-scheduled default branch | |
| if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
| steps: | |
| - name: publish release | |
| id: publish-release | |
| uses: actions/github-script@v7.0.1 | |
| with: | |
| script: | | |
| github.rest.repos.updateRelease({ | |
| draft: false, | |
| owner: context.repo.owner, | |
| release_id: ${{ needs.create-release.outputs.RELEASE_ID }}, | |
| repo: context.repo.repo, | |
| }); |