Merge pull request #1004 from GitGuardian/policy-breaks-deprecation #2278
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
# About steps requiring the GITGUARDIAN_API_KEY: | |
# | |
# For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This | |
# causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered | |
# by a pull request from a fork. | |
on: | |
pull_request: | |
push: | |
branches: | |
- '*' | |
tags-ignore: | |
- '*' | |
paths-ignore: | |
- 'doc/**' | |
- 'README.md' | |
jobs: | |
lint: | |
name: Lint package | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Python 3.10 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.10' | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install pipenv==2023.12.1 pre-commit | |
pipenv install --dev --skip-lock | |
- uses: actions/cache@v3 | |
with: | |
path: ~/.cache/pre-commit | |
key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} | |
- name: Install pre-commit hooks | |
run: pre-commit install --install-hooks | |
- name: Skip ggshield hooks when running from a fork | |
# See note about steps requiring the GITGUARDIAN_API at the top of this file | |
if: ${{ github.event.pull_request.head.repo.fork }} | |
run: | | |
echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV | |
- name: Run pre-commit checks | |
run: | | |
pre-commit run --show-diff-on-failure --all-files | |
env: | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
- name: Check commit messages | |
if: github.event_name == 'pull_request' | |
run: | | |
PR_REF="${GITHUB_REF%/merge}/head" | |
git fetch origin "$PR_REF" | |
if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then | |
echo 'Error: this pull request contains fixup commits. Squash them.' | |
exit 1 | |
fi | |
# In case `git log` fails | |
exit "${PIPESTATUS[0]}" | |
build: | |
name: Build and Test | |
runs-on: ${{ matrix.os }} | |
env: | |
# We skip pipenv lockfile by default, because a Pipfile.lock should only | |
# be used for the Python version it was generated for. | |
PIPENV_SKIP_LOCK: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, macos-13, windows-2022] | |
python-version: ['3.8', '3.9', '3.10', '3.11'] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# Get enough commits to run `ggshield secret scan commit-range` on ourselves | |
fetch-depth: 10 | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Use Pipfile.lock on locked version of Python | |
# Keep version in sync with scripts/update-pipfile-lock/Dockerfile | |
if: matrix.python-version == '3.10' | |
run: | | |
echo "PIPENV_SKIP_LOCK=0" >> $GITHUB_ENV | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install --upgrade pipenv==2023.12.1 | |
pipenv install --system --dev | |
- name: Install Windows dev dependencies | |
if: matrix.os == 'windows-2022' | |
run: | | |
# Those are win32-only dependencies from pytest | |
python -m pip install atomicwrites colorama | |
- name: Override base Docker image used for functional tests on Windows | |
if: matrix.os == 'windows-2022' | |
# This is required because GitHub Windows runner is not configured to | |
# run Linux-based Docker images | |
shell: bash | |
run: | | |
echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV | |
- name: Ensure a clean package installation | |
run: | | |
pip install build wheel check-wheel-contents | |
python -m build --wheel | |
# The created wheel (.whl) file will be found and analyzed within the `dist/` folder | |
check-wheel-contents dist/ | |
- name: Run unit tests | |
run: | | |
coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit | |
- name: Gather coverage report | |
run: | | |
coverage report --fail-under=80 | |
coverage xml | |
- uses: codecov/codecov-action@v4 | |
with: | |
file: ./coverage.xml | |
flags: unittests | |
name: codecov-umbrella | |
token: ${{ secrets.CODECOV_TOKEN }} | |
fail_ci_if_error: false | |
- name: Run functional tests | |
# See note about steps requiring the GITGUARDIAN_API at the top of this file | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
shell: bash | |
run: | | |
make functest | |
env: | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }} | |
TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }} | |
TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }} | |
TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }} | |
build_os_packages: | |
uses: ./.github/workflows/build_release_assets.yml | |
secrets: inherit | |
test_github_secret_scan_action: | |
name: Test GitHub action for `secret scan` | |
# See note about steps requiring the GITGUARDIAN_API at the top of this file | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Scan commits for hardcoded secrets | |
uses: ./actions-unstable/secret | |
env: | |
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
test_github_iac_scan_action: | |
name: Test GitHub action for `iac scan` | |
# See note about steps requiring the GITGUARDIAN_API at the top of this file | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Scan commits for IaC vulnerabilities | |
uses: ./actions-unstable/iac | |
with: | |
args: . | |
env: | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
test_github_sca_scan_action: | |
name: Test GitHub action for `sca scan` | |
# See note about steps requiring the GITGUARDIAN_API at the top of this file | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Scan commits for SCA vulnerabilities | |
uses: ./actions-unstable/sca | |
with: | |
args: . | |
env: | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
dockerhub-unstable: | |
name: Push Docker image to Docker Hub | |
runs-on: ubuntu-22.04 | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
needs: | |
- lint | |
- build | |
- test_github_iac_scan_action | |
- test_github_sca_scan_action | |
- test_github_secret_scan_action | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Build and push | |
uses: docker/build-push-action@v1 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
repository: gitguardian/ggshield | |
tags: unstable | |
github_packages-unstable: | |
name: Push Docker image to GitHub Packages | |
runs-on: ubuntu-22.04 | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
needs: | |
- lint | |
- build | |
- test_github_iac_scan_action | |
- test_github_sca_scan_action | |
- test_github_secret_scan_action | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Push to GitHub Packages | |
uses: docker/build-push-action@v1 | |
with: | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
registry: docker.pkg.github.com | |
repository: gitguardian/ggshield/ggshield | |
tags: unstable |