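name: build
on:
  push:
    branches:
      - main
    # Docs/metadata-only pushes do not run the pipeline. Note that such a push
    # still moves `main`, which matters for the create-release checkout below.
    paths-ignore:
      - 'docs/**'
      - 'INTHEWILD.md'
      - 'README.md'
      - '.github/**'
      - '.pre-commit-config.yaml'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN; jobs that need more request it.
permissions:
  contents: read

# NOTE(review): cancel-in-progress also cancels a run that is already past the
# tag step in create-release, which can leave a tag on main with no GitHub
# release / Docker image behind it. A separate, non-cancelling concurrency
# group for the release jobs avoids that.
concurrency:
  group: 'build'
  cancel-in-progress: true

jobs:
  # Shared security scanning (definition lives in security-shared.yml).
  security:
    uses: ./.github/workflows/security-shared.yml
    secrets: inherit

  test:
    # Every job runs on persistent self-hosted runners: the workspace and
    # anything written outside it survive between runs, and secrets exposed
    # to a job are reachable by any code the job executes.
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      contents: write
    steps:
      # The PAT is needed so the coverage-badge commit can be pushed back to
      # main (presumably past branch protection). A classic PAT is long-lived
      # and usually scoped far wider than contents:write on this repo; a
      # fine-grained token or GitHub App installation token is preferable.
      # persist-credentials is left at its default (true) so the later
      # `git push` step can reuse the token.
      # NOTE(review): the "# vN" labels on pinned actions may have drifted
      # from the SHA they annotate — confirm before relying on them.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          token: ${{ secrets.PAT }}
      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v3
        with:
          # needed for terraform-setup https://github.com/hashicorp/setup-terraform/issues/84
          node-version: '16'
      - name: Install Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
        with:
          # Quoted: an unquoted 1.20 / 1.10 would be parsed as the float 1.2 / 1.1.
          go-version: '1.19'
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
        with:
          terraform_version: 0.14.5
      - name: Terraform Init
        working-directory: ./tests/terraform/resources
        run: terraform init
      # Plugins are built from this repository's own test fixtures and loaded
      # by the test binary; they run with the same credentials as the job.
      - name: Prepare external plugin tests
        run: |
          go build -buildmode=plugin -o tests/yor_plugins/example/extra_tags.so tests/yor_plugins/example/*.go
          go build -buildmode=plugin -o tests/yor_plugins/tag_group_example/extra_tag_groups.so tests/yor_plugins/tag_group_example/*.go
      - name: Test
        run: |
          go build -v && go test ./src/... -covermode=count -coverprofile=coverage.out
          go tool cover -func=coverage.out -o=coverage.out
      - name: Go Coverage Badge # Pass the `coverage.out` output to this action
        uses: tj-actions/coverage-badge-go@7f447a2281e6c95d57526e53b2e800dfb3c07425 # v2
        with:
          filename: coverage.out
      - name: Verify Changed files
        uses: tj-actions/verify-changed-files@7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0 # v16
        id: verify-changed-files
        with:
          files: README.md
      # Only README.md is staged, so the badge commit cannot pick up other
      # files the test run left behind on the persistent runner.
      # The push authenticates with the credentials persisted by checkout;
      # git itself does not read GITHUB_TOKEN.
      # NOTE(review): the committer e-mail below appears redacted in the
      # rendered page ("[email protected]") — restore the real value.
      - name: Commit + Push changes
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
        run: |
          git config --local user.email "[email protected]"
          git config --local user.name "GitHub Action"
          git add README.md
          git commit -m "chore: Updated coverage badge."
          git push origin

  linter:
    name: golangci-lint
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      checks: write
      contents: read
      pull-requests: write
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
      - name: golangci-lint
        uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2
        with:
          tool_name: golangci-lint
          fail_on_error: true
          golangci_lint_flags: "--skip-dirs tests/yor_plugins"

  integration-tests:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
      - name: Install Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
        with:
          go-version: '1.19'
      - name: build
        run: go build
      # terragoat is intentionally vulnerable IaC used as scan input only; it
      # is pinned to a fixed commit so the fixture cannot change under us.
      - name: Clone Terragoat - vulnerable terraform
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          repository: bridgecrewio/terragoat # clone https://github.com/bridgecrewio/terragoat/
          fetch-depth: 0
          clean: false
          path: 'terragoat'
          ref: 063dc2db3bb036160ed39d3705508ee8293a27c8
      - name: Run yor
        run: |
          git config --local user.email "[email protected]"
          ./yor list-tags -g code2cloud,git > list-tags-result.txt
          ./yor tag -d terragoat -o json --output-json-file result.json
          go test -race ./tests/integration/...

  create-release:
    runs-on: [self-hosted, public, linux, x64]
    # The security scan gates the release as well; previously a failing
    # security job did not stop tagging/publishing.
    needs:
      - security
      - integration-tests
      - test
      - linter
    permissions:
      contents: write
    outputs:
      version: ${{ steps.version.outputs.new_tag }}
    steps:
      - name: Wait for coverage to update
        run: sleep 10s
      # NOTE(review): this checks out the *current* tip of main, not the
      # commit that was tested (${{ github.sha }}). That is needed to include
      # the badge commit pushed by `test`, but any other commit that lands on
      # main in the meantime (e.g. a paths-ignored docs push, which does not
      # cancel this run) is released without having passed this pipeline.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          ref: main
      - name: version
        uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36 # v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          WITH_V: 'false'
          RELEASE_BRANCHES: main
          DEFAULT_BUMP: patch
        id: version
      - name: Install Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
        with:
          go-version: '1.19'
      - name: Git Fetch Repo
        run: |
          git fetch
      # NOTE(review): GITHUB_TOKEN (contents: write) is sufficient for a
      # release in this repository; the PAT is only required if the
      # goreleaser config publishes to other repositories (brew tap, etc.).
      - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4
        name: goreleaser
        with:
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
      # - name: Update go reportcard
      #   uses: creekorful/[email protected]

  publish-dockerhub:
    runs-on: [self-hosted, public, linux, x64]
    needs:
      - create-release
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
      # NOTE(review): the two steps below use different secret pairs
      # (DOCKER_* vs DOCKERHUB_*) for the same registry account — confirm
      # both are intended, or consolidate to one access token.
      - name: Publish to Registry
        uses: elgohr/Publish-Docker-Github-Action@d0321869e187cfd3124343ea2b39b1db31f89685 # v5
        with:
          name: bridgecrew/yor
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          buildoptions: "--no-cache"
          tags: "latest,${{ needs.create-release.outputs.version }}"
      - name: Update Docker Hub README
        uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: bridgecrew/yor
          short-description: ${{ github.event.repository.description }}

  update-bridgecrew-projects:
    needs: publish-dockerhub
    runs-on: [self-hosted, public, linux, x64]
    steps:
      # Secrets are passed via env and referenced as shell variables instead
      # of being expanded into the script text, and curl runs with --fail so
      # a 401/404 from a revoked token or renamed repository fails the job
      # instead of being silently ignored (bare curl exits 0 on HTTP errors).
      - name: update on yor release
        env:
          PAT: ${{ secrets.PAT }}
          BC_JENKINS_TOKEN: ${{ secrets.BC_JENKINS_TOKEN }}
        run: |
          for repo in bridgecrewio/yor-action bridgecrewio/yor-choco; do
            curl --fail --silent --show-error -X POST \
              -H "Authorization: token ${PAT}" \
              -H "Accept: application/vnd.github.everest-preview+json" \
              -H "Content-Type: application/json" \
              "https://api.github.com/repos/${repo}/dispatches" \
              --data '{"event_type": "build"}'
          done
          # NOTE(review): the Jenkins build token travels in the URL query
          # string, where it can be captured in proxy/access logs; move it to
          # the POST body if the endpoint accepts form parameters.
          curl --fail --silent --show-error -X POST \
            "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-yor&token=${BC_JENKINS_TOKEN}"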