Skip to content

Commit

Permalink
Switch to canonical ci yaml workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
@JonJagger
JonJagger committed Mar 2, 2024
1 parent 635071c commit 02b82e1
Show file tree
Hide file tree
Showing 32 changed files with 1,531 additions and 109 deletions.
383 changes: 323 additions & 60 deletions .github/workflows/main.yml
View file

Large diffs are not rendered by default.

377 changes: 377 additions & 0 deletions .github/workflows/main_staging.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,377 @@
name: Main - reports Trails to https://staging.app.kosli.com

on:
push:
branches:
- main

env:
KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} # False
KOSLI_HOST: ${{ vars.KOSLI_HOST_STAGING }} # https://staging.app.kosli.com
KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo
KOSLI_FLOW: runner-ci
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN_STAGING }}
KOSLI_TRAIL: ${{ github.sha }}

jobs:

kosli-trail:
runs-on: ubuntu-latest
outputs:
image_tag: ${{ steps.variables.outputs.image_tag }}
image_name: ${{ steps.variables.outputs.image_name }}
steps:
- uses: actions/checkout@v4

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Create Kosli Flow
run:
kosli create flow "${{ env.KOSLI_FLOW }}"
--description="Test runner"
--template-file=.kosli.yml

- name: Begin Kosli Trail
run:
kosli begin trail "${{ env.KOSLI_TRAIL }}"

- name: Set outputs
id: variables
run: |
IMAGE_TAG=${GITHUB_SHA:0:7}
echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
echo "image_name=cyberdojo/runner:${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
# pull-request:
# needs: [kosli-trail]
# runs-on: ubuntu-latest
# permissions:
# id-token: write
# contents: write
# pull-requests: read
# steps:
# - uses: actions/checkout@v4
#
# - name: Setup Kosli CLI
# uses: kosli-dev/setup-cli-action@v2
# with:
# version: ${{ vars.KOSLI_CLI_VERSION }}
#
# - name: Report pull-request evidence to Kosli Trail
# run:
# kosli attest pullrequest github
# --github-token=${{ secrets.GITHUB_TOKEN }}
# --name=runner.pull-request


# lint:
# needs: [kosli-trail]
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v4
#
# - uses: ruby/setup-ruby@v1
# with:
# ruby-version: 3.2.0
# bundler-cache: true
#
# - name: Setup Kosli CLI
# uses: kosli-dev/setup-cli-action@v2
# with:
# version: ${{ vars.KOSLI_CLI_VERSION }}
#
# - name: Run Rubocop linter on source, attest results to Kosli Trail
# env:
# KOSLI_ATTACHMENTS: /tmp/kosli_attachments
# run: |
# mkdir -p "${KOSLI_ATTACHMENTS}"
# set +e
# make lint | tee "${KOSLI_ATTACHMENTS}"/rubocop.log
# STATUS=${PIPESTATUS[0]}
# set -e
#
# KOSLI_COMPLIANT=$([ ${STATUS} = 0 ] && echo true || echo false)
# cp .rubocop.yml "${KOSLI_ATTACHMENTS}"
# kosli attest generic \
# --attachments="${KOSLI_ATTACHMENTS}" \
# --compliant="${KOSLI_COMPLIANT}" \
# --name=runner.lint
# exit ${STATUS}


wait-for-image:
needs: [kosli-trail]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
outputs:
kosli_fingerprint: ${{ steps.variables.outputs.kosli_fingerprint }}
steps:
- uses: actions/checkout@v4

- name: Wait for image to be built in main.yml
run:
./sh/wait_for_image.sh "${IMAGE_NAME}"

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Attest image to Kosli Trail
run:
kosli attest artifact "${IMAGE_NAME}"
--artifact-type=docker
--name=runner

- name: Set outputs
id: variables
run: |
FINGERPRINT=$(kosli fingerprint "${IMAGE_NAME}" --artifact-type=docker)
echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT}
unit-tests:
needs: [wait-for-image, kosli-trail]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }}
steps:
- uses: actions/checkout@v4

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Run tests with branch-coverage
run: |
make test
kosli attest generic "${IMAGE_NAME}" \
--attachments=./tmp/coverage \
--description="server & client branch-coverage" \
--name=runner.branch-coverage \
--user-data=./tmp/evidence.json
# kosli attest junit "${IMAGE_NAME}"
# --name=runner.unit-test
# --results-dir=test/reports/junit


snyk-container-scan:
needs: [wait-for-image, kosli-trail]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Setup Snyk
uses: snyk/actions/setup@master

- name: Run Snyk container scan and report results to Kosli Trail
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }}
KOSLI_ATTACHMENTS: /tmp/kosli_attachments
SARIF_FILENAME: snyk.container.scan.json
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
set +e
snyk container test ${IMAGE_NAME} \
--file=Dockerfile \
--sarif \
--sarif-file-output="${SARIF_FILENAME}" \
--policy-path=.snyk
set -e
mkdir "${KOSLI_ATTACHMENTS}"
cp .snyk "${KOSLI_ATTACHMENTS}"
kosli attest snyk "${IMAGE_NAME}" \
--name=runner.snyk-container-scan \
--scan-results="${SARIF_FILENAME}"
snyk-code-scan:
needs: [wait-for-image, kosli-trail]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Setup Snyk
uses: snyk/actions/setup@master

- name: Run Snyk code scan and report results to Kosli Trail
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }}
KOSLI_ATTACHMENTS: /tmp/kosli_attachments
SARIF_FILENAME: snyk.code.scan.json
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
set +e
snyk code test \
--sarif \
--sarif-file-output="${SARIF_FILENAME}" \
--policy-path=.snyk \
.
set -e
mkdir "${KOSLI_ATTACHMENTS}"
cp .snyk "${KOSLI_ATTACHMENTS}"
kosli attest snyk "${IMAGE_NAME}" \
--name=runner.snyk-code-scan \
--scan-results="${SARIF_FILENAME}"
sdlc-control-gate:
needs: [unit-tests, snyk-container-scan, snyk-code-scan, kosli-trail, wait-for-image]
runs-on: ubuntu-latest
steps:
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Kosli SDLC gate to short-circuit the Trail
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }}
run:
kosli assert artifact ${IMAGE_NAME}


approve-deployment-to-beta:
needs: [sdlc-control-gate, kosli-trail, wait-for-image]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }}
KOSLI_ENVIRONMENT: aws-beta
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Report approval of deployment to Kosli
run:
kosli report approval ${IMAGE_NAME}
--approver="${{ github.actor }}"


wait-for-deploy-to-beta:
needs: [approve-deployment-to-beta, kosli-trail]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_ENVIRONMENT: aws-beta
steps:
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- uses: actions/checkout@v4

- name: Wait for deployment to aws-beta in main.yml
run:
./sh/wait_for_deployment.sh
"${IMAGE_NAME}"
"${{ env.KOSLI_HOST }}"
"${{ env.KOSLI_API_TOKEN }}"
"${{ env.KOSLI_ORG }}"
"${KOSLI_ENVIRONMENT}"


approve-deployment-to-prod:
needs: [wait-for-deploy-to-beta, kosli-trail, wait-for-image]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }}
KOSLI_ENVIRONMENT: aws-prod
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Report approval of deployment to Kosli
run:
kosli report approval ${IMAGE_NAME}
--approver="${{ github.actor }}"


wait-for-deploy-to-prod:
needs: [approve-deployment-to-prod, kosli-trail]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
KOSLI_ENVIRONMENT: aws-prod
steps:
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- uses: actions/checkout@v4

- name: Wait for deployment to aws-prod in main.yml
run:
./sh/wait_for_deployment.sh
"${IMAGE_NAME}"
"${{ env.KOSLI_HOST }}"
"${{ env.KOSLI_API_TOKEN }}"
"${{ env.KOSLI_ORG }}"
"${KOSLI_ENVIRONMENT}"


# The cyberdojo/versioner refresh-env.sh script
# https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh
# relies on being able to:
# - get the :latest image
# - extract the SHA env-var embedded inside it
# - use the 1st 7 chars of the SHA as a latest-equivalent tag

push-latest:
needs: [wait-for-deploy-to-prod, kosli-trail]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }}
steps:
- uses: actions/checkout@v4

- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASS }}

- name: Tag image to :latest and push to Dockerhub Registry
run: |
docker pull "${IMAGE_NAME}"
docker tag "${IMAGE_NAME}" cyberdojo/runner:latest
docker push cyberdojo/runner:latest

0 comments on commit 02b82e1

Please sign in to comment.