mirror of
https://github.com/super-linter/super-linter.git
synced 2024-11-25 15:41:02 -05:00
9d7268fb99
- Add support to run Checkov against infrastructure as code descriptors that are in a given (configurable) directory. Defaults to lint the whole workspace. - Establish a baseline for our own codebase so we don't have to fix issues right away with this change.
285 lines
9.9 KiB
YAML
285 lines
9.9 KiB
YAML
name: Publish Images
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
# Don't grant any access by default
|
|
permissions: {}
|
|
|
|
jobs:
|
|
test:
|
|
name: Build and Test
|
|
runs-on: ubuntu-latest
|
|
concurrency:
|
|
group: ${{ github.workflow }}-main-${{ matrix.images.target }}
|
|
cancel-in-progress: true
|
|
permissions:
|
|
contents: read
|
|
deployments: write
|
|
issues: write
|
|
packages: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
images:
|
|
- prefix: slim-
|
|
target: slim
|
|
- prefix: ""
|
|
target: standard
|
|
timeout-minutes: 60
|
|
env:
|
|
CONTAINER_IMAGE_ID: "ghcr.io/super-linter/super-linter:${{ matrix.images.prefix }}latest"
|
|
CONTAINER_IMAGE_TARGET: "${{ matrix.images.target }}"
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set build metadata
|
|
run: |
|
|
if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'merge_group' ]]; then
|
|
BUILD_REVISION=${{ github.sha }}
|
|
BUILD_VERSION=${{ github.sha }}
|
|
elif [[ ${{ github.event_name }} == 'pull_request' ]]; then
|
|
BUILD_REVISION=${{ github.event.pull_request.head.sha }}
|
|
BUILD_VERSION=${{ github.event.pull_request.head.sha }}
|
|
else
|
|
echo "[ERROR] Event not supported when setting build revision and build version"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "${BUILD_REVISION}" ]; then
|
|
echo "[ERROR] BUILD_REVISION is empty"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "${BUILD_VERSION}" ]; then
|
|
echo "[ERROR] BUILD_VERSION is empty"
|
|
exit 1
|
|
fi
|
|
|
|
{
|
|
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
|
|
echo "BUILD_REVISION=${BUILD_REVISION}"
|
|
echo "BUILD_VERSION=${BUILD_VERSION}"
|
|
} >> "${GITHUB_ENV}"
|
|
|
|
- name: Free Disk space
|
|
shell: bash
|
|
run: |
|
|
sudo rm -rf /usr/local/lib/android
|
|
sudo rm -rf /usr/share/dotnet
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Build Image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
build-args: |
|
|
BUILD_DATE=${{ env.BUILD_DATE }}
|
|
BUILD_REVISION=${{ env.BUILD_REVISION }}
|
|
BUILD_VERSION=${{ env.BUILD_VERSION }}
|
|
cache-from: type=registry,ref=${{ env.CONTAINER_IMAGE_ID }}-buildcache
|
|
load: true
|
|
push: false
|
|
secrets: |
|
|
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
|
|
tags: |
|
|
${{ env.CONTAINER_IMAGE_ID }}
|
|
target: "${{ matrix.images.target }}"
|
|
|
|
- name: Run Test Suite
|
|
run: make test
|
|
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@v3.0.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Start deployment
|
|
uses: bobheadxi/deployments@v1.4.0
|
|
id: deployment
|
|
with:
|
|
step: start
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
env: Production
|
|
|
|
- name: Build and Push Image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
build-args: |
|
|
BUILD_DATE=${{ env.BUILD_DATE }}
|
|
BUILD_REVISION=${{ env.BUILD_REVISION }}
|
|
BUILD_VERSION=${{ env.BUILD_VERSION }}
|
|
cache-from: type=registry,ref=${{ env.CONTAINER_IMAGE_ID }}-buildcache
|
|
cache-to: type=registry,ref=${{ env.CONTAINER_IMAGE_ID }}-buildcache,mode=max
|
|
load: false
|
|
push: true
|
|
secrets: |
|
|
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
|
|
tags: |
|
|
${{ env.CONTAINER_IMAGE_ID }}
|
|
target: "${{ matrix.images.target }}"
|
|
|
|
- name: Update deployment
|
|
uses: bobheadxi/deployments@v1.4.0
|
|
# We depend on the 'deployment' step outputs, so we can't run this step
|
|
# if the 'deployment' step didn't run. This can happen if any step
|
|
# before the 'deployment' step fails. That's why 'always()' is not
|
|
# suitable here.
|
|
if: steps.deployment.conclusion != 'cancelled' && steps.deployment.conclusion != 'skipped'
|
|
with:
|
|
step: finish
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
status: ${{ job.status }}
|
|
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
|
|
env: ${{ steps.deployment.outputs.env }}
|
|
env_url: https://github.com/super-linter/super-linter
|
|
|
|
- name: Create Issue on Failure
|
|
uses: actions/github-script@v7
|
|
if: failure()
|
|
with:
|
|
github-token: ${{secrets.GITHUB_TOKEN}}
|
|
script: |
|
|
const create = await github.rest.issues.create({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
title: "Failed to deploy to production",
|
|
body: "Automation has failed us!\nMore information can be found at:\n - ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
|
assignees: [
|
|
"zkoppert", "Hanse00", "ferrarimarco"
|
|
]
|
|
})
|
|
|
|
release:
|
|
name: Release
|
|
needs:
|
|
- test
|
|
runs-on: ubuntu-latest
|
|
concurrency:
|
|
group: ${{ github.workflow }}-main-release
|
|
cancel-in-progress: true
|
|
permissions:
|
|
contents: write
|
|
deployments: write
|
|
issues: write
|
|
packages: write
|
|
pull-requests: write
|
|
timeout-minutes: 60
|
|
steps:
|
|
- uses: google-github-actions/release-please-action@v4
|
|
id: release
|
|
with:
|
|
config-file: .github/release-please/release-please-config.json
|
|
manifest-file: .github/release-please/.release-please-manifest.json
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Start deployment
|
|
if: steps.release.outputs.release_created
|
|
uses: bobheadxi/deployments@v1.4.0
|
|
id: deployment
|
|
with:
|
|
step: start
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
env: Release
|
|
|
|
- name: Configure release metedata
|
|
if: steps.release.outputs.release_created
|
|
# shellcheck disable=SC2062
|
|
run: |
|
|
RELEASE_VERSION="${{ steps.release.outputs.tag_name }}"
|
|
|
|
if [ -z "${RELEASE_VERSION}" ]; then
|
|
echo "Error RELEASE_VERSION is empty. Exiting..."
|
|
exit 1
|
|
fi
|
|
|
|
if ! echo "${RELEASE_VERSION}" | grep -E -o "v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+"; then
|
|
echo "Error: RELEASE_VERSION doesn't look like a semantic version: ${RELEASE_VERSION}"
|
|
exit 2
|
|
fi
|
|
|
|
SEMVER_MAJOR_VERSION=v${{ steps.release.outputs.major }}
|
|
|
|
{
|
|
echo "RELEASE_VERSION=${RELEASE_VERSION}"
|
|
echo "SEMVER_MAJOR_VERSION=${SEMVER_MAJOR_VERSION}"
|
|
} >> "${GITHUB_ENV}"
|
|
|
|
- name: Login to GHCR
|
|
if: steps.release.outputs.release_created
|
|
uses: docker/login-action@v3.0.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# We don't rebuild the image to avoid that the latest tag and the release tags don't point to the very same container image.
|
|
# Instead, we pull the latest image and tag it.
|
|
- name: Retag and Push Images
|
|
if: steps.release.outputs.release_created
|
|
uses: akhilerm/tag-push-action@v2.1.0
|
|
with:
|
|
src: ghcr.io/super-linter/super-linter:latest
|
|
dst: |
|
|
ghcr.io/super-linter/super-linter:${{ env.SEMVER_MAJOR_VERSION }}
|
|
ghcr.io/super-linter/super-linter:${{ env.RELEASE_VERSION }}
|
|
|
|
- name: Retag and Push Images slim
|
|
if: steps.release.outputs.release_created
|
|
uses: akhilerm/tag-push-action@v2.1.0
|
|
with:
|
|
src: ghcr.io/super-linter/super-linter:slim-latest
|
|
dst: |
|
|
ghcr.io/super-linter/super-linter:slim-${{ env.SEMVER_MAJOR_VERSION }}
|
|
ghcr.io/super-linter/super-linter:slim-${{ env.RELEASE_VERSION }}
|
|
|
|
# No need to tag major.minor.patch because that tag is automatically created when creating the release
|
|
- name: Tag major, minor, and latest versions
|
|
if: steps.release.outputs.release_created
|
|
run: |
|
|
git tag --annotate --force ${{ env.SEMVER_MAJOR_VERSION }} -m "Release ${{ env.SEMVER_MAJOR_VERSION }}"
|
|
git tag --annotate --force latest -m "Release latest (${{ env.RELEASE_VERSION }})"
|
|
|
|
git push --force origin ${{ env.SEMVER_MAJOR_VERSION }}
|
|
git push --force origin latest
|
|
|
|
- name: Update deployment
|
|
uses: bobheadxi/deployments@v1.4.0
|
|
# We depend on the 'deployment' step outputs, so we can't run this step
|
|
# if the 'deployment' step didn't run. This can happen if any step
|
|
# before the 'deployment' step fails. That's why 'always()' is not
|
|
# suitable here.
|
|
if: steps.deployment.conclusion != 'cancelled' && steps.deployment.conclusion != 'skipped'
|
|
with:
|
|
step: finish
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
status: ${{ job.status }}
|
|
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
|
|
env: ${{ steps.deployment.outputs.env }}
|
|
env_url: https://github.com/super-linter/super-linter
|
|
|
|
- name: Create Issue on Failure
|
|
uses: actions/github-script@v7
|
|
if: failure()
|
|
with:
|
|
github-token: ${{secrets.GITHUB_TOKEN}}
|
|
script: |
|
|
const create = await github.rest.issues.create({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
title: "Failed to deploy to production",
|
|
body: "Automation has failed us!\nMore information can be found at:\n - ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
|
assignees: [
|
|
"zkoppert", "Hanse00", "ferrarimarco"
|
|
]
|
|
})
|