Dependencies, Dockerfile and Build Updates #302
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Checks | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| REQUIRED_COVERAGE: 30 | |
| PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring | |
| jobs: | |
| python: | |
| name: python checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.10' | |
| - name: Install Poetry | |
| run: pip install poetry | |
| - name: Install requirements | |
| run: poetry install | |
| - name: Check formatting | |
| run: poetry run black --check . | |
| - name: Check pylint | |
| run: poetry run pylint --rcfile pyproject.toml vault_monitor | |
| - name: Check typing | |
| run: poetry run mypy --config-file pyproject.toml . | |
| - name: Execute tests | |
| run: poetry run pytest --cov-fail-under $REQUIRED_COVERAGE | |
| docker: | |
| name: docker checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: hadolint/hadolint-action@v2.0.0 | |
| with: | |
| dockerfile: Dockerfile | |
| - name: Build PR Check | |
| id: containers | |
| run: | | |
| if [[ "${{ secrets.BUILD_PR }}" != "" && \ | |
| "${{ secrets.PR_CONTAINERS_USER }}" != "" && \ | |
| "${{ secrets.PR_CONTAINERS }}" != "" ]] | |
| then | |
| echo "PR Builds configured" | |
| echo "::set-output name=BUILD_PR::true" | |
| else | |
| echo "PR Builds not configured" | |
| echo "::set-output name=BUILD_PR::false" | |
| fi | |
| - name: Get PR ID | |
| id: pr | |
| run: echo "::set-output name=id::$(echo ${{ github.ref_name }} | cut -d"/" -f1)" | |
| if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ secrets.PR_CONTAINERS_USER }} | |
| password: ${{ secrets.PR_CONTAINERS }} | |
| if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }} | |
| - name: PR Cross Platform Build and Push | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.id }} | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
| if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }} | |
| - name: PR Cross Platform Build | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| tags: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.id }} | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
| if: ${{ !fromJSON(steps.containers.outputs.BUILD_PR) }} | |
| security: | |
| name: security checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: '0' | |
| - uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Poetry | |
| run: pip install poetry | |
| - name: Install requirements | |
| run: poetry install | |
| - name: Execute Bandit Security Checks | |
| run: poetry run bandit -r vault_monitor | |
| - name: Test Image Build | |
| run: docker build . -t build-exporter:test | |
| - name: Scan Image | |
| uses: Azure/container-scan@v0.1 | |
| with: | |
| image-name: build-exporter:test | |
| run-quality-checks: false # Disabled for now due to bug https://github.com/Azure/container-scan/issues/133 (and partially duplicating linting anyway) | |
| version: | |
| name: version check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Install Poetry | |
| run: pip install poetry | |
| - name: Install requirements | |
| run: poetry install | |
| - name: Get current version | |
| id: current_version | |
| run: echo "::set-output name=version::$(poetry version | cut -d" " -f2)" | |
| - name: Checkout ${{ github.base_ref }} | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.base_ref }} | |
| - name: Get ${{ github.base_ref }} version | |
| id: old_version | |
| run: | | |
| echo "::set-output name=version::$(poetry version | cut -d" " -f2)" | |
| - name: Checkout current branch | |
| uses: actions/checkout@v3 | |
| - name: Check version has been bumped | |
| run: "python .github/workflows/version_check.py --current-branch ${{ steps.current_version.outputs.version }} --target-branch ${{ steps.old_version.outputs.version }}" |