actions/superlint
1
0
Fork 0
mirror of https://github.com/super-linter/super-linter.git synced 2024-11-06 09:15:49 -05:00
Code Issues Projects Releases Packages Wiki Activity
superlint/.github/workflows/cd.yml
Marco Ferrari 9d7268fb99
feat: add support for checkov to lint iac files (#4925) 
- Add support to run Checkov against infrastructure as code descriptors
  that are in a given (configurable) directory. Defaults to lint the
  whole workspace.
- Establish a baseline for our own codebase so we don't have to fix
  issues right away with this change.
2023-12-22 13:22:15 +01:00

285 lines
9.9 KiB
YAML
Raw Blame History

name: Publish Images
on:
push:
branches:
- main
# Don't grant any access by default
permissions: {}
jobs:
test:
name: Build and Test
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-main-${{ matrix.images.target }}
cancel-in-progress: true
permissions:
contents: read
deployments: write
issues: write
packages: write
strategy:
fail-fast: false
matrix:
images:
- prefix: slim-
target: slim
- prefix: ""
target: standard
timeout-minutes: 60
env:
CONTAINER_IMAGE_ID: "ghcr.io/super-linter/super-linter:${{ matrix.images.prefix }}latest"
CONTAINER_IMAGE_TARGET: "${{ matrix.images.target }}"
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Set build metadata
run: |
if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'merge_group' ]]; then
BUILD_REVISION=${{ github.sha }}
BUILD_VERSION=${{ github.sha }}
elif [[ ${{ github.event_name }} == 'pull_request' ]]; then
BUILD_REVISION=${{ github.event.pull_request.head.sha }}
BUILD_VERSION=${{ github.event.pull_request.head.sha }}
else
echo "[ERROR] Event not supported when setting build revision and build version"
exit 1
fi
if [ -z "${BUILD_REVISION}" ]; then
echo "[ERROR] BUILD_REVISION is empty"
exit 1
fi
if [ -z "${BUILD_VERSION}" ]; then
echo "[ERROR] BUILD_VERSION is empty"
exit 1
fi
{
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
echo "BUILD_REVISION=${BUILD_REVISION}"
echo "BUILD_VERSION=${BUILD_VERSION}"
} >> "${GITHUB_ENV}"
- name: Free Disk space
shell: bash
run: |
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
build-args: |
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ env.BUILD_REVISION }}
BUILD_VERSION=${{ env.BUILD_VERSION }}
cache-from: type=registry,ref=${{ env.CONTAINER_IMAGE_ID }}-buildcache
load: true
push: false
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
${{ env.CONTAINER_IMAGE_ID }}
target: "${{ matrix.images.target }}"
- name: Run Test Suite
run: make test
- name: Login to GHCR
uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Start deployment
uses: bobheadxi/deployments@v1.4.0
id: deployment
with:
step: start
token: ${{ secrets.GITHUB_TOKEN }}
env: Production
- name: Build and Push Image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
build-args: |
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ env.BUILD_REVISION }}
BUILD_VERSION=${{ env.BUILD_VERSION }}
cache-from: type=registry,ref=${{ env.CONTAINER_IMAGE_ID }}-buildcache
cache-to: type=registry,ref=${{ env.CONTAINER_IMAGE_ID }}-buildcache,mode=max
load: false
push: true
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
${{ env.CONTAINER_IMAGE_ID }}
target: "${{ matrix.images.target }}"
- name: Update deployment
uses: bobheadxi/deployments@v1.4.0
# We depend on the 'deployment' step outputs, so we can't run this step
# if the 'deployment' step didn't run. This can happen if any step
# before the 'deployment' step fails. That's why 'always()' is not
# suitable here.
if: steps.deployment.conclusion != 'cancelled' && steps.deployment.conclusion != 'skipped'
with:
step: finish
token: ${{ secrets.GITHUB_TOKEN }}
status: ${{ job.status }}
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
env: ${{ steps.deployment.outputs.env }}
env_url: https://github.com/super-linter/super-linter
- name: Create Issue on Failure
uses: actions/github-script@v7
if: failure()
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const create = await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: "Failed to deploy to production",
body: "Automation has failed us!\nMore information can be found at:\n - ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
assignees: [
"zkoppert", "Hanse00", "ferrarimarco"
]
})
release:
name: Release
needs:
- test
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-main-release
cancel-in-progress: true
permissions:
contents: write
deployments: write
issues: write
packages: write
pull-requests: write
timeout-minutes: 60
steps:
- uses: google-github-actions/release-please-action@v4
id: release
with:
config-file: .github/release-please/release-please-config.json
manifest-file: .github/release-please/.release-please-manifest.json
token: ${{ secrets.GITHUB_TOKEN }}
- name: Start deployment
if: steps.release.outputs.release_created
uses: bobheadxi/deployments@v1.4.0
id: deployment
with:
step: start
token: ${{ secrets.GITHUB_TOKEN }}
env: Release
- name: Configure release metedata
if: steps.release.outputs.release_created
# shellcheck disable=SC2062
run: |
RELEASE_VERSION="${{ steps.release.outputs.tag_name }}"
if [ -z "${RELEASE_VERSION}" ]; then
echo "Error RELEASE_VERSION is empty. Exiting..."
exit 1
fi
if ! echo "${RELEASE_VERSION}" | grep -E -o "v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+"; then
echo "Error: RELEASE_VERSION doesn't look like a semantic version: ${RELEASE_VERSION}"
exit 2
fi
SEMVER_MAJOR_VERSION=v${{ steps.release.outputs.major }}
{
echo "RELEASE_VERSION=${RELEASE_VERSION}"
echo "SEMVER_MAJOR_VERSION=${SEMVER_MAJOR_VERSION}"
} >> "${GITHUB_ENV}"
- name: Login to GHCR
if: steps.release.outputs.release_created
uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# We don't rebuild the image to avoid that the latest tag and the release tags don't point to the very same container image.
# Instead, we pull the latest image and tag it.
- name: Retag and Push Images
if: steps.release.outputs.release_created
uses: akhilerm/tag-push-action@v2.1.0
with:
src: ghcr.io/super-linter/super-linter:latest
dst: |
ghcr.io/super-linter/super-linter:${{ env.SEMVER_MAJOR_VERSION }}
ghcr.io/super-linter/super-linter:${{ env.RELEASE_VERSION }}
- name: Retag and Push Images slim
if: steps.release.outputs.release_created
uses: akhilerm/tag-push-action@v2.1.0
with:
src: ghcr.io/super-linter/super-linter:slim-latest
dst: |
ghcr.io/super-linter/super-linter:slim-${{ env.SEMVER_MAJOR_VERSION }}
ghcr.io/super-linter/super-linter:slim-${{ env.RELEASE_VERSION }}
# No need to tag major.minor.patch because that tag is automatically created when creating the release
- name: Tag major, minor, and latest versions
if: steps.release.outputs.release_created
run: |
git tag --annotate --force ${{ env.SEMVER_MAJOR_VERSION }} -m "Release ${{ env.SEMVER_MAJOR_VERSION }}"
git tag --annotate --force latest -m "Release latest (${{ env.RELEASE_VERSION }})"
git push --force origin ${{ env.SEMVER_MAJOR_VERSION }}
git push --force origin latest
- name: Update deployment
uses: bobheadxi/deployments@v1.4.0
# We depend on the 'deployment' step outputs, so we can't run this step
# if the 'deployment' step didn't run. This can happen if any step
# before the 'deployment' step fails. That's why 'always()' is not
# suitable here.
if: steps.deployment.conclusion != 'cancelled' && steps.deployment.conclusion != 'skipped'
with:
step: finish
token: ${{ secrets.GITHUB_TOKEN }}
status: ${{ job.status }}
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
env: ${{ steps.deployment.outputs.env }}
env_url: https://github.com/super-linter/super-linter
- name: Create Issue on Failure
uses: actions/github-script@v7
if: failure()
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const create = await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: "Failed to deploy to production",
body: "Automation has failed us!\nMore information can be found at:\n - ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
assignees: [
"zkoppert", "Hanse00", "ferrarimarco"
]
})
Reference in a new issue View git blame Copy permalink