-
-
Notifications
You must be signed in to change notification settings - Fork 0
153 lines (139 loc) · 5 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
name: CI
# Enable Buildkit and let compose use it to speed up image building
env:
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
on:
pull_request:
branches: [ "master", "main" ]
paths-ignore: [ "docs/**" ]
push:
branches: [ "master", "main" ]
paths-ignore: [ "docs/**" ]
tags: [ 'v*.*.*' ]
concurrency:
group: ${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
linter:
runs-on: ubuntu-latest
steps:
- name: Checkout Code Repository
uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.10"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install flake8
- name: Lint with flake8
run: |
echo $PWD
flake8
# - name: Reformat
# uses: psf/black@stable
# with:
# options: "--check --verbose --extend-exclude ./threatr/core/migrations"
# src: "./threatr/core"
# version: "~= 22.0"
# With no caching at all the entire ci process takes 4m 30s to complete!
# pytest:
# runs-on: ubuntu-latest
# steps:
# - name: Checkout Code Repository
# uses: actions/checkout@v3
# - name: Build the Stack
# run: docker-compose -f local.yml build
# - name: Run DB Migrations
# run: docker-compose -f local.yml run --rm django python manage.py migrate
# - name: Run Django Tests
# run: docker-compose -f local.yml run django pytest
# - name: Tear down the Stack
# run: docker-compose -f local.yml down
docker-build:
if: github.event_name == 'push'
needs: [linter]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# generate Docker tags based on the following events/attributes
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
# Add the Git commit hash into base.py GIT_COMMIT_HASH
- name: Add the Git commit hash
run: echo "GIT_COMMIT_HASH = \"${{ github.sha }}\"" >> config/settings/base.py
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v5
with:
context: .
file: ./compose/production/django/Dockerfile
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: |
annotation.org.opencontainers.image.source="https://github.com/PiRogueToolSuite/threatr"
annotation.org.opencontainers.image.description="Observables analysis and enrichment for Colander"
annotation.org.opencontainers.image.vendor="Defensive Lab Agency"
annotation.org.opencontainers.image.licenses="GPL-3.0"
annotation.org.opencontainers.image.revision="${{ github.sha }}"
- name: Log into Docker Hub
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker Scout
id: docker-scout
uses: docker/scout-action@v1
with:
command: cves,sbom
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}
sarif-file: sarif.output.json
summary: true
only-severities: critical,high
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json