Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
# Conflicts:
#	.github/dependabot.yml
#	Dockerfile
  • Loading branch information
mcdonnnj committed Dec 6, 2023
2 parents 3e3ab07 + 1ea8a3f commit 792d42f
Show file tree
Hide file tree
Showing 9 changed files with 232 additions and 79 deletions.
2 changes: 1 addition & 1 deletion .bandit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# https://bandit.readthedocs.io/en/latest/config.html

# Tests are first included by `tests`, and then excluded by `skips`.
# If `tests` is empty, all tests are are considered included.
# If `tests` is empty, all tests are considered included.

tests:
# - B101
Expand Down
42 changes: 30 additions & 12 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,26 +5,27 @@
# these updates when the pull request(s) in the appropriate skeleton are merged
# and Lineage processes these changes.

version: 2
updates:
- package-ecosystem: "docker"
directory: "/"
- directory: /
package-ecosystem: docker
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
- directory: /
ignore:
# Managed by cisagov/skeleton-generic
- dependency-name: actions/cache
- dependency-name: actions/checkout
- dependency-name: actions/setup-go
- dependency-name: actions/setup-python
- dependency-name: crazy-max/ghaction-dump-context
- dependency-name: crazy-max/ghaction-github-labeler
- dependency-name: crazy-max/ghaction-github-status
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
# Managed by cisagov/skeleton-docker
<<<<<<< HEAD
- dependency-name: actions/download-artifact

Check failure on line 29 in .github/dependabot.yml

View workflow job for this annotation

GitHub Actions / Lint sources

29:24 syntax error: could not find expected ':' (syntax)

Check failure on line 29 in .github/dependabot.yml

View workflow job for this annotation

GitHub Actions / Lint sources

29:24 syntax error: could not find expected ':' (syntax)
- dependency-name: actions/github-script
- dependency-name: actions/upload-artifact
Expand All @@ -36,10 +37,27 @@ updates:

- package-ecosystem: "pip"
directory: "/"
=======
# - dependency-name: actions/download-artifact
# - dependency-name: actions/github-script
# - dependency-name: actions/upload-artifact
# - dependency-name: docker/build-push-action
# - dependency-name: docker/login-action
# - dependency-name: docker/setup-buildx-action
# - dependency-name: docker/setup-qemu-action
# - dependency-name: github/codeql-action
package-ecosystem: github-actions
>>>>>>> 1ea8a3fa98e790d66f8d5e10375f73c5be4d5fd5
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "terraform"
directory: "/"
- directory: /
package-ecosystem: pip
schedule:
interval: weekly

- directory: /
package-ecosystem: terraform
schedule:
interval: "weekly"
interval: weekly
version: 2
111 changes: 90 additions & 21 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,15 +35,39 @@ env:
RUN_TMATE: ${{ secrets.RUN_TMATE }}

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
lint:
# Checks out the source and runs pre-commit hooks. Detects coding errors
# and style deviations.
name: "Lint sources"
name: Lint sources
needs:
- diagnostics
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
with:
Expand Down Expand Up @@ -104,11 +128,26 @@ jobs:
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install go-critic
env:
PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install gosec
env:
PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install shfmt
env:
PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install staticcheck
env:
PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install Terraform-docs
env:
PACKAGE_URL: github.com/terraform-docs/terraform-docs
Expand Down Expand Up @@ -166,15 +205,22 @@ jobs:
# with the value specified by the user.
#
# Scheduled builds are tagged with `:nightly`.
name: "Prepare build variables"
runs-on: ubuntu-latest
name: Prepare build variables
needs:
- diagnostics
outputs:
created: ${{ steps.prep.outputs.created }}
repometa: ${{ steps.repo.outputs.result }}
source_version: ${{ steps.prep.outputs.source_version }}
tags: ${{ steps.prep.outputs.tags }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- name: Gather repository metadata
id: repo
uses: actions/github-script@v6
Expand Down Expand Up @@ -228,16 +274,23 @@ jobs:
build:
# Builds a single test image for the native platform. This image is saved
# as an artifact and loaded by the test job.
name: "Build test image"
name: Build test image
needs:
- diagnostics
- prepare
runs-on: ubuntu-latest
needs: [prepare]
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v3
env:
Expand Down Expand Up @@ -298,11 +351,18 @@ jobs:
if: env.RUN_TMATE
test:
# Executes tests on the single-platform image created in the "build" job.
name: "Test image"
name: Test image
needs:
- diagnostics
- build
runs-on: ubuntu-latest
needs: [build]
steps:
- uses: actions/checkout@v3
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
with:
Expand Down Expand Up @@ -344,32 +404,41 @@ jobs:
# GitHub Container Registry. The contents of README.md are pushed as the
# image's description to Docker Hub. This job is skipped when the
# triggering event is a pull request.
name: "Build and push all platforms"
runs-on: ubuntu-latest
needs: [lint, prepare, test]
if: github.event_name != 'pull_request'
name: Build and push all platforms
needs:
- diagnostics
- lint
- prepare
- test
# When Dependabot creates a PR it requires this permission in
# order to push Docker images to ghcr.io.
permissions:
packages: write
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Login to Docker Hub
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v3
env:
Expand Down
29 changes: 27 additions & 2 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
name: CodeQL

on:
push:
Expand All @@ -20,8 +20,27 @@ on:
- cron: '0 21 * * 6'

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
analyze:
name: Analyze
needs:
- diagnostics
runs-on: ubuntu-latest
permissions:
# required for all workflows
Expand All @@ -37,8 +56,14 @@ jobs:
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/sync-labels.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@ jobs:
issues: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Sync repository labels
if: success()
uses: crazy-max/ghaction-github-labeler@v4
uses: crazy-max/ghaction-github-labeler@v5
with:
# This is a hideous ternary equivalent so we only do a dry run unless
# this workflow is triggered by the develop branch.
Expand Down
Loading

0 comments on commit 792d42f

Please sign in to comment.