Skip to content

[Snyk] Security upgrade python from 3.13.0rc1-alpine to 3.14.0a1-alpine #14

[Snyk] Security upgrade python from 3.13.0rc1-alpine to 3.14.0a1-alpine

[Snyk] Security upgrade python from 3.13.0rc1-alpine to 3.14.0a1-alpine #14

Workflow file for this run

############################################################################
# Bitbucket CLI (bb): Work seamlessly with Bitbucket from the command line
#
# Copyright (C) 2022 P S, Adithya (psadi) (ps.adithya@icloud.com)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
############################################################################
name: Continuous Integration
on:
workflow_dispatch: {}
push:
branches: ["main"]
pull_request:
types: [opened, synchronize, reopened]
branches: ["main"]
release:
types: [published]
jobs:
build:
runs-on: ${{ matrix.os }}
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
python-version: ["3.12"]
os: ["ubuntu-latest", "windows-latest", "macos-latest"]
language: ["python"]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Cache Pip Dependencies
if: ${{ github.ref == 'refs/heads/main' }}
uses: actions/cache@v4
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/*.py') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Cache .venv
if: ${{ github.ref == 'refs/heads/main' }}
uses: actions/cache@v4
with:
path: .venv
key: ${{ runner.os }}-venv-${{ hashFiles('**/requirements.txt') }}
restore-keys: |
${{ runner.os }}-venv-
- name: Cache .tox
if: ${{ github.ref == 'refs/heads/main' }}
uses: actions/cache@v4
with:
path: .tox
key: ${{ runner.os }}-tox-${{ hashFiles('tox.ini') }}
restore-keys: |
${{ runner.os }}-tox-
- name: Set up PDM
uses: pdm-project/setup-pdm@v4
with:
python-version: ${{ matrix.python-version }}
- name: Prepare Environment, Sync Dependencies and Run Tox
run: |
mkdir -p ~/.config/bb
cp config.ini ~/.config/bb
pdm fix
pdm sync
pdm run tox
- name: SonarCloud Scan
if: ${{ matrix.os == 'ubuntu-latest' }}
uses: sonarsource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: |
-Dsonar.projectKey=psadi_bbcli
-Dsonar.organization=psadi
-Dsonar.python.version=3
-Dsonar.sources=bb
-Dsonar.tests=tests
-Dsonar.python.coverage.reportPaths=coverage.xml
-Dsonar.exclusions=tests
- name: Initialize CodeQL
if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'release' }}
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'release' }}
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'release' }}
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
- name: Run build and generate artifacts
run: |
pdm build
- uses: actions/upload-artifact@v4
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
name: workspace
path: .
upload_binaries_to_release:
name: "Upload binaries to current release"
runs-on: ubuntu-latest
if: ${{ github.event_name == 'release' }}
needs: "build"
steps:
- uses: actions/download-artifact@v4
with:
name: workspace
- name: Upload binaries to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: dist/bb-*
tag: ${{ github.ref }}
overwrite: true
file_glob: true
push_to_registry:
name: Build, Scan & Push Docker image to Docker Hub
runs-on: ubuntu-latest
needs: "build"
steps:
- uses: actions/download-artifact@v4
with:
name: workspace
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build Docker Image
run: |
docker build -t docker.io/psadi/bbcli:${{ github.event.release.tag_name || github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: docker.io/psadi/bbcli:${{ github.event.release.tag_name || github.sha }}
format: "sarif"
output: "trivy-results.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
- name: Push Docker Image
if: ${{ github.event_name == 'release' }}
run: |
docker push docker.io/psadi/bbcli:${{ github.event.release.tag_name }}