Skip to content

Merge pull request #1004 from GitGuardian/policy-breaks-deprecation #2278

Merge pull request #1004 from GitGuardian/policy-breaks-deprecation

Merge pull request #1004 from GitGuardian/policy-breaks-deprecation #2278

Workflow file for this run

name: CI
# About steps requiring the GITGUARDIAN_API_KEY:
#
# For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This
# causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered
# by a pull request from a fork.
on:
pull_request:
push:
branches:
- '*'
tags-ignore:
- '*'
paths-ignore:
- 'doc/**'
- 'README.md'
jobs:
lint:
name: Lint package
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install pipenv==2023.12.1 pre-commit
pipenv install --dev --skip-lock
- uses: actions/cache@v3
with:
path: ~/.cache/pre-commit
key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
- name: Install pre-commit hooks
run: pre-commit install --install-hooks
- name: Skip ggshield hooks when running from a fork
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ github.event.pull_request.head.repo.fork }}
run: |
echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV
- name: Run pre-commit checks
run: |
pre-commit run --show-diff-on-failure --all-files
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
- name: Check commit messages
if: github.event_name == 'pull_request'
run: |
PR_REF="${GITHUB_REF%/merge}/head"
git fetch origin "$PR_REF"
if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then
echo 'Error: this pull request contains fixup commits. Squash them.'
exit 1
fi
# In case `git log` fails
exit "${PIPESTATUS[0]}"
build:
name: Build and Test
runs-on: ${{ matrix.os }}
env:
# We skip pipenv lockfile by default, because a Pipfile.lock should only
# be used for the Python version it was generated for.
PIPENV_SKIP_LOCK: 1
strategy:
fail-fast: false
matrix:
os: [ubuntu-22.04, macos-13, windows-2022]
python-version: ['3.8', '3.9', '3.10', '3.11']
steps:
- uses: actions/checkout@v4
with:
# Get enough commits to run `ggshield secret scan commit-range` on ourselves
fetch-depth: 10
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Use Pipfile.lock on locked version of Python
# Keep version in sync with scripts/update-pipfile-lock/Dockerfile
if: matrix.python-version == '3.10'
run: |
echo "PIPENV_SKIP_LOCK=0" >> $GITHUB_ENV
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade pipenv==2023.12.1
pipenv install --system --dev
- name: Install Windows dev dependencies
if: matrix.os == 'windows-2022'
run: |
# Those are win32-only dependencies from pytest
python -m pip install atomicwrites colorama
- name: Override base Docker image used for functional tests on Windows
if: matrix.os == 'windows-2022'
# This is required because GitHub Windows runner is not configured to
# run Linux-based Docker images
shell: bash
run: |
echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
- name: Ensure a clean package installation
run: |
pip install build wheel check-wheel-contents
python -m build --wheel
# The created wheel (.whl) file will be found and analyzed within the `dist/` folder
check-wheel-contents dist/
- name: Run unit tests
run: |
coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit
- name: Gather coverage report
run: |
coverage report --fail-under=80
coverage xml
- uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: unittests
name: codecov-umbrella
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: false
- name: Run functional tests
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
shell: bash
run: |
make functest
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }}
TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }}
TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }}
build_os_packages:
uses: ./.github/workflows/build_release_assets.yml
secrets: inherit
test_github_secret_scan_action:
name: Test GitHub action for `secret scan`
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan commits for hardcoded secrets
uses: ./actions-unstable/secret
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
test_github_iac_scan_action:
name: Test GitHub action for `iac scan`
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan commits for IaC vulnerabilities
uses: ./actions-unstable/iac
with:
args: .
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
test_github_sca_scan_action:
name: Test GitHub action for `sca scan`
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan commits for SCA vulnerabilities
uses: ./actions-unstable/sca
with:
args: .
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
dockerhub-unstable:
name: Push Docker image to Docker Hub
runs-on: ubuntu-22.04
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
needs:
- lint
- build
- test_github_iac_scan_action
- test_github_sca_scan_action
- test_github_secret_scan_action
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build and push
uses: docker/build-push-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: gitguardian/ggshield
tags: unstable
github_packages-unstable:
name: Push Docker image to GitHub Packages
runs-on: ubuntu-22.04
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
needs:
- lint
- build
- test_github_iac_scan_action
- test_github_sca_scan_action
- test_github_secret_scan_action
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Push to GitHub Packages
uses: docker/build-push-action@v1
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: docker.pkg.github.com
repository: gitguardian/ggshield/ggshield
tags: unstable