Skip to content
build

apb #964

Sign in to view logs

apb

apb #964

Workflow file for this run

.github/workflows/build.yml at c9542a0
---
name: build
on:
merge_group:
types:
- checks_requested
pull_request:
push:
repository_dispatch:
types:
- apb
# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
run:
shell: bash -Eueo pipefail -x {0}
env:
CURL_CACHE_DIR: ~/.cache/curl
IMAGE_NAME: cisagov/gophish-tools
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
RUN_TMATE: ${{ secrets.RUN_TMATE }}
TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
TERRAFORM_DOCS_REPO_DEPTH: 1
TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git
jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
lint:
needs:
- diagnostics
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ steps.setup-env.outputs.python-version }}
# We need the Go version and Go cache location for the actions/cache step,
# so the Go installation must happen before that.
- id: setup-go
uses: actions/setup-go@v5
with:
# There is no expectation for actual Go code so we disable caching as
# it relies on the existence of a go.sum file.
cache: false
go-version: ${{ steps.setup-env.outputs.go-version }}
- id: go-cache
name: Lookup Go cache directory
run: |
echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
go${{ steps.setup-go.outputs.go-version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf${{ steps.setup-env.outputs.terraform-version }}-"
with:
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('**/.pre-commit-config.yaml') }}-\
${{ hashFiles('setup.py') }}"
# Note that the .terraform directory IS NOT included in the
# cache because if we were caching, then we would need to use
# the `-upgrade=true` option. This option blindly pulls down the
# latest modules and providers instead of checking to see if an
# update is required. That behavior defeats the benefits of caching.
# so there is no point in doing it for the .terraform directory.
path: |
${{ env.PIP_CACHE_DIR }}
${{ env.PRE_COMMIT_CACHE_DIR }}
${{ env.CURL_CACHE_DIR }}
${{ steps.go-cache.outputs.dir }}
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
--time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
--location \
"https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
sudo unzip -d /opt/packer \
${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install go-critic
env:
PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install goimports
env:
PACKAGE_URL: golang.org/x/tools/cmd/goimports
PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install gosec
env:
PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install staticcheck
env:
PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
# TODO: https://github.com/cisagov/skeleton-generic/issues/165
# We are temporarily using @mcdonnnj's forked branch of terraform-docs
# until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
# is approved. This temporary fix will allow for ATX header support when
# terraform-docs is run during linting.
- name: Clone ATX headers branch from terraform-docs fork
run: |
git clone \
--branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
--depth $TERRAFORM_DOCS_REPO_DEPTH \
--single-branch \
$TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs
- name: Build and install terraform-docs binary
run: |
go build \
-C /tmp/terraform-docs \
-o $(go env GOPATH)/bin/terraform-docs
- name: Install dependencies
# We don't upgrade setuptools here because the versions of
# gophish on PyPI are ancient and depend on an equally ancient
# version of setuptools. The gophish package installation
# will fail if we let pip pull in the latest setuptools;
# instead, we let the gophish package installation itself
# choose the version of setuptools to install.
run: |
python -m pip install --upgrade pip wheel
pip install --upgrade --requirement requirements-test.txt
- name: Set up pre-commit hook environments
run: pre-commit install-hooks
- name: Run pre-commit on all files
run: pre-commit run --all-files
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
test:
name: test source - py${{ matrix.python-version }}
needs:
- diagnostics
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version:
- "3.7"
- "3.8"
- "3.9"
- "3.10"
- "3.11"
# gophish-tools cannot support Python 3.12 until the gophish
# Python package supports a newer version of the urllib3
# library. The reason is identical to what is discussed here:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1857492
# - "3.12"
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-"
with:
path: ${{ env.PIP_CACHE_DIR }}
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('setup.py') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install --upgrade --requirement requirements-test.txt
- name: Run tests
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: pytest
- name: Upload coverage report
run: coveralls
env:
COVERALLS_FLAG_NAME: "py${{ matrix.python-version }}"
COVERALLS_PARALLEL: true
COVERALLS_SERVICE_NAME: github
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: success()
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
coveralls-finish:
runs-on: ubuntu-latest
needs:
- diagnostics
- test
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ steps.setup-env.outputs.python-version }}
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-"
with:
path: ${{ env.PIP_CACHE_DIR }}
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('setup.py') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Install dependencies
# We manually upgrade urllib3 here because coveralls needs it
# but gophish-tools (really gophish) doesn't allow it.
run: |
python -m pip install --upgrade pip
pip install --upgrade --requirement requirements-test.txt
pip install --upgrade urllib3
- name: Finished coveralls reports
run: coveralls --finish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
build:
name: build wheel - py${{ matrix.python-version }}
needs:
- diagnostics
- lint
- test
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version:
- "3.7"
- "3.8"
- "3.9"
- "3.10"
- "3.11"
# gophish-tools cannot support Python 3.12 until the gophish
# Python package supports a newer version of the urllib3
# library. The reason is identical to what is discussed here:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1857492
# - "3.12"
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-"
with:
path: ${{ env.PIP_CACHE_DIR }}
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('setup.py') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Install build dependencies
# We don't upgrade setuptools here because gophish is ancient
# code that depends on an ancient version of setuptools. The
# pip install command fails if we let the python -m pip
# command pull in the latest setuptools; it is safer to let
# the pip install command pull in setuptools itself.
run: |
python -m pip install --upgrade pip wheel
python -m pip install --upgrade build
- name: Build Python artifacts
run: python -m build
- name: Determine project version
id: get_ver
run: |
echo "##[set-output name=version;]$(./bump_version.sh project show)"
- name: Build Docker image
run: |
version=$(./bump_version.sh project show)
docker build \
--tag "$IMAGE_NAME" \
--build-arg GIT_COMMIT=$(git log -1 --format=%H) \
--build-arg GIT_REMOTE=$(git remote get-url origin) \
--build-arg VERSION=${{ steps.get_ver.outputs.version }} \
.
- name: Save Docker image artifact
run: |
version=$(./bump_version.sh project show)
docker save $IMAGE_NAME:latest | gzip > dist/image.tar.gz
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: dist-${{ matrix.python-version }}
path: dist
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
test-build:
name: test built wheel - py${{ matrix.python-version }}
needs:
- diagnostics
- build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version:
- "3.7"
- "3.8"
- "3.9"
- "3.10"
- "3.11"
# gophish-tools cannot support Python 3.12 until the gophish
# Python package supports a newer version of the urllib3
# library. The reason is identical to what is discussed here:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1857492
# - "3.12"
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-"
with:
path: ${{ env.PIP_CACHE_DIR }}
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('setup.py') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Retrieve the built wheel
uses: actions/download-artifact@v4
with:
name: dist-${{ matrix.python-version }}
path: dist
- id: find-wheel
name: Get the name of the retrieved wheel (there should only be one)
run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT
- name: Update core Python packages
# We don't upgrade setuptools here because the versions of
# gophish on PyPI are ancient and depend on an equally ancient
# version of setuptools. The gophish package installation
# will fail if we let pip pull in the latest setuptools;
# instead, we let the gophish package installation itself
# choose the version of setuptools to install.
run: python -m pip install --upgrade pip wheel
- name: Install the built wheel (along with testing dependencies)
run: python -m pip install ${{ steps.find-wheel.outputs.wheel }}[test]
- name: Run tests
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: pytest
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE