-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Switch to canonical ci yaml workflows
- Loading branch information
Showing
32 changed files
with
1,531 additions
and
109 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,377 @@ | ||
name: Main - reports Trails to https://staging.app.kosli.com | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
|
||
env: | ||
KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} # False | ||
KOSLI_HOST: ${{ vars.KOSLI_HOST_STAGING }} # https://staging.app.kosli.com | ||
KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo | ||
KOSLI_FLOW: runner-ci | ||
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN_STAGING }} | ||
KOSLI_TRAIL: ${{ github.sha }} | ||
|
||
jobs: | ||
|
||
kosli-trail: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
image_tag: ${{ steps.variables.outputs.image_tag }} | ||
image_name: ${{ steps.variables.outputs.image_name }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Create Kosli Flow | ||
run: | ||
kosli create flow "${{ env.KOSLI_FLOW }}" | ||
--description="Test runner" | ||
--template-file=.kosli.yml | ||
|
||
- name: Begin Kosli Trail | ||
run: | ||
kosli begin trail "${{ env.KOSLI_TRAIL }}" | ||
|
||
- name: Set outputs | ||
id: variables | ||
run: | | ||
IMAGE_TAG=${GITHUB_SHA:0:7} | ||
echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | ||
echo "image_name=cyberdojo/runner:${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | ||
# pull-request: | ||
# needs: [kosli-trail] | ||
# runs-on: ubuntu-latest | ||
# permissions: | ||
# id-token: write | ||
# contents: write | ||
# pull-requests: read | ||
# steps: | ||
# - uses: actions/checkout@v4 | ||
# | ||
# - name: Setup Kosli CLI | ||
# uses: kosli-dev/setup-cli-action@v2 | ||
# with: | ||
# version: ${{ vars.KOSLI_CLI_VERSION }} | ||
# | ||
# - name: Report pull-request evidence to Kosli Trail | ||
# run: | ||
# kosli attest pullrequest github | ||
# --github-token=${{ secrets.GITHUB_TOKEN }} | ||
# --name=runner.pull-request | ||
|
||
|
||
# lint: | ||
# needs: [kosli-trail] | ||
# runs-on: ubuntu-latest | ||
# steps: | ||
# - uses: actions/checkout@v4 | ||
# | ||
# - uses: ruby/setup-ruby@v1 | ||
# with: | ||
# ruby-version: 3.2.0 | ||
# bundler-cache: true | ||
# | ||
# - name: Setup Kosli CLI | ||
# uses: kosli-dev/setup-cli-action@v2 | ||
# with: | ||
# version: ${{ vars.KOSLI_CLI_VERSION }} | ||
# | ||
# - name: Run Rubocop linter on source, attest results to Kosli Trail | ||
# env: | ||
# KOSLI_ATTACHMENTS: /tmp/kosli_attachments | ||
# run: | | ||
# mkdir -p "${KOSLI_ATTACHMENTS}" | ||
# set +e | ||
# make lint | tee "${KOSLI_ATTACHMENTS}"/rubocop.log | ||
# STATUS=${PIPESTATUS[0]} | ||
# set -e | ||
# | ||
# KOSLI_COMPLIANT=$([ ${STATUS} = 0 ] && echo true || echo false) | ||
# cp .rubocop.yml "${KOSLI_ATTACHMENTS}" | ||
# kosli attest generic \ | ||
# --attachments="${KOSLI_ATTACHMENTS}" \ | ||
# --compliant="${KOSLI_COMPLIANT}" \ | ||
# --name=runner.lint | ||
# exit ${STATUS} | ||
|
||
|
||
wait-for-image: | ||
needs: [kosli-trail] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
outputs: | ||
kosli_fingerprint: ${{ steps.variables.outputs.kosli_fingerprint }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Wait for image to be built in main.yml | ||
run: | ||
./sh/wait_for_image.sh "${IMAGE_NAME}" | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Attest image to Kosli Trail | ||
run: | ||
kosli attest artifact "${IMAGE_NAME}" | ||
--artifact-type=docker | ||
--name=runner | ||
|
||
- name: Set outputs | ||
id: variables | ||
run: | | ||
FINGERPRINT=$(kosli fingerprint "${IMAGE_NAME}" --artifact-type=docker) | ||
echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT} | ||
unit-tests: | ||
needs: [wait-for-image, kosli-trail] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Run tests with branch-coverage | ||
run: | | ||
make test | ||
kosli attest generic "${IMAGE_NAME}" \ | ||
--attachments=./tmp/coverage \ | ||
--description="server & client branch-coverage" \ | ||
--name=runner.branch-coverage \ | ||
--user-data=./tmp/evidence.json | ||
# kosli attest junit "${IMAGE_NAME}" | ||
# --name=runner.unit-test | ||
# --results-dir=test/reports/junit | ||
|
||
|
||
snyk-container-scan: | ||
needs: [wait-for-image, kosli-trail] | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Setup Snyk | ||
uses: snyk/actions/setup@master | ||
|
||
- name: Run Snyk container scan and report results to Kosli Trail | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }} | ||
KOSLI_ATTACHMENTS: /tmp/kosli_attachments | ||
SARIF_FILENAME: snyk.container.scan.json | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
run: | | ||
set +e | ||
snyk container test ${IMAGE_NAME} \ | ||
--file=Dockerfile \ | ||
--sarif \ | ||
--sarif-file-output="${SARIF_FILENAME}" \ | ||
--policy-path=.snyk | ||
set -e | ||
mkdir "${KOSLI_ATTACHMENTS}" | ||
cp .snyk "${KOSLI_ATTACHMENTS}" | ||
kosli attest snyk "${IMAGE_NAME}" \ | ||
--name=runner.snyk-container-scan \ | ||
--scan-results="${SARIF_FILENAME}" | ||
snyk-code-scan: | ||
needs: [wait-for-image, kosli-trail] | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Setup Snyk | ||
uses: snyk/actions/setup@master | ||
|
||
- name: Run Snyk code scan and report results to Kosli Trail | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }} | ||
KOSLI_ATTACHMENTS: /tmp/kosli_attachments | ||
SARIF_FILENAME: snyk.code.scan.json | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
run: | | ||
set +e | ||
snyk code test \ | ||
--sarif \ | ||
--sarif-file-output="${SARIF_FILENAME}" \ | ||
--policy-path=.snyk \ | ||
. | ||
set -e | ||
mkdir "${KOSLI_ATTACHMENTS}" | ||
cp .snyk "${KOSLI_ATTACHMENTS}" | ||
kosli attest snyk "${IMAGE_NAME}" \ | ||
--name=runner.snyk-code-scan \ | ||
--scan-results="${SARIF_FILENAME}" | ||
sdlc-control-gate: | ||
needs: [unit-tests, snyk-container-scan, snyk-code-scan, kosli-trail, wait-for-image] | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Kosli SDLC gate to short-circuit the Trail | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }} | ||
run: | ||
kosli assert artifact ${IMAGE_NAME} | ||
|
||
|
||
approve-deployment-to-beta: | ||
needs: [sdlc-control-gate, kosli-trail, wait-for-image] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }} | ||
KOSLI_ENVIRONMENT: aws-beta | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Report approval of deployment to Kosli | ||
run: | ||
kosli report approval ${IMAGE_NAME} | ||
--approver="${{ github.actor }}" | ||
|
||
|
||
wait-for-deploy-to-beta: | ||
needs: [approve-deployment-to-beta, kosli-trail] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_ENVIRONMENT: aws-beta | ||
steps: | ||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- uses: actions/checkout@v4 | ||
|
||
- name: Wait for deployment to aws-beta in main.yml | ||
run: | ||
./sh/wait_for_deployment.sh | ||
"${IMAGE_NAME}" | ||
"${{ env.KOSLI_HOST }}" | ||
"${{ env.KOSLI_API_TOKEN }}" | ||
"${{ env.KOSLI_ORG }}" | ||
"${KOSLI_ENVIRONMENT}" | ||
|
||
|
||
approve-deployment-to-prod: | ||
needs: [wait-for-deploy-to-beta, kosli-trail, wait-for-image] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_FINGERPRINT: ${{ needs.wait-for-image.outputs.kosli_fingerprint }} | ||
KOSLI_ENVIRONMENT: aws-prod | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- name: Report approval of deployment to Kosli | ||
run: | ||
kosli report approval ${IMAGE_NAME} | ||
--approver="${{ github.actor }}" | ||
|
||
|
||
wait-for-deploy-to-prod: | ||
needs: [approve-deployment-to-prod, kosli-trail] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
KOSLI_ENVIRONMENT: aws-prod | ||
steps: | ||
- name: Setup Kosli CLI | ||
uses: kosli-dev/setup-cli-action@v2 | ||
with: | ||
version: ${{ vars.KOSLI_CLI_VERSION }} | ||
|
||
- uses: actions/checkout@v4 | ||
|
||
- name: Wait for deployment to aws-prod in main.yml | ||
run: | ||
./sh/wait_for_deployment.sh | ||
"${IMAGE_NAME}" | ||
"${{ env.KOSLI_HOST }}" | ||
"${{ env.KOSLI_API_TOKEN }}" | ||
"${{ env.KOSLI_ORG }}" | ||
"${KOSLI_ENVIRONMENT}" | ||
|
||
|
||
# The cyberdojo/versioner refresh-env.sh script | ||
# https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh | ||
# relies on being able to: | ||
# - get the :latest image | ||
# - extract the SHA env-var embedded inside it | ||
# - use the 1st 7 chars of the SHA as a latest-equivalent tag | ||
|
||
push-latest: | ||
needs: [wait-for-deploy-to-prod, kosli-trail] | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ needs.kosli-trail.outputs.image_name }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: docker/login-action@v3 | ||
with: | ||
username: ${{ secrets.DOCKER_USER }} | ||
password: ${{ secrets.DOCKER_PASS }} | ||
|
||
- name: Tag image to :latest and push to Dockerhub Registry | ||
run: | | ||
docker pull "${IMAGE_NAME}" | ||
docker tag "${IMAGE_NAME}" cyberdojo/runner:latest | ||
docker push cyberdojo/runner:latest |
Oops, something went wrong.