Skip to content

build(CONTAINER): whitelist known vulnerability #1023

build(CONTAINER): whitelist known vulnerability

build(CONTAINER): whitelist known vulnerability #1023

---
name: cicd-tooling-github-workflow-cookiecutter-template
on:
push:
schedule:
- cron: "0 6 * * 1"
workflow_dispatch:
# secrets:
# SLACK_WEBHOOK:
# description: "Optional, enables Slack notifications."
# required: false
jobs:
configuration:
uses: ./.github/workflows/job-00-cookiecutter-read_configuration.yml
start:
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-00-generic-notification.yml
with:
NOTIFICATION_EMOJI: ":vertical_traffic_light:"
NOTIFICATION_MESSAGE: "Workflow has started!"
WORKFLOW_NAME: "cookiecutter"
security:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-10-generic-security_scan_credentials.yml
with:
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
markdown_links:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-30-cookiecutter-markdown_links.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
CONFIG_FILE: "{{cookiecutter.project_slug}}/.github/config/actions/gaurav-nelson-github-action-markdown-link-check.json"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
pre-commit_hooks:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-50-cookiecutter-test_precommit_hooks.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
ENABLED_PRECOMMIT_CHECKS: '["test_commit_lint_fails", "test_credentials_fails", "test_commit_spelling_fails", "test_shell_lint_fails", "test_shell_format_fails", "test_toml_lint_fails", "test_toml_lint_passes", "test_workflow_lint_fails", "test_workflow_header_lint_fails"]'
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
TEMPLATE_SCENARIOS: ${{ needs.configuration.outputs.COOKIECUTTER_ALL_SCENARIOS }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
commitizen_hooks:
needs:
- configuration
if: startsWith(github.ref, 'refs/heads')
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-50-poetry-test_commitizen_hooks.yml
with:
COMMITIZEN_BUMP_TYPE: "MINOR"
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
EXPECTED_BUMPED_VERSION: "0.2.0"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
commit_lint:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-rev_range_command.yml
with:
COMMAND: |
poetry run cz check --rev-range "${PUSHED_COMMIT_REV_RANGE}"
COMMAND_NAME: "Commit Message Lint"
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
commit_spell_check:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-rev_range_command.yml
with:
COMMAND: |
CICD_COMMIT_MESSAGES_FILE="$(mktemp XXXXXXXX.git_history_file)"
git log --pretty=format:%s "${PUSHED_COMMIT_REV_RANGE}" > "${CICD_COMMIT_MESSAGES_FILE}"
poetry run pre-commit run --hook-stage manual spelling-vale-sync
poetry run pre-commit run --hook-stage commit-msg spelling-commit-message --commit-msg-filename "${CICD_COMMIT_MESSAGES_FILE}"
COMMAND_NAME: "Commit Message Spelling"
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
git_conflict_markers:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "git-conflict-markers"
PRECOMMIT_HOOK_NAME: "Git conflict markers"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
json_metaschema_lint:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "check-metaschema"
PRECOMMIT_HOOK_NAME: "JSON Schema Metaschema Linter"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
json_schema_lint_cookiecutter:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "cicd-tools-schema-cookiecutter"
PRECOMMIT_HOOK_NAME: "Cookiecutter JSON Schema Linter"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
markdown_lint:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "lint-markdown"
PRECOMMIT_HOOK_NAME: "Markdown Linter"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
markdown_spelling:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRE_HOOK_COMMAND: poetry run pre-commit run --hook-stage manual spelling-vale-sync
PRECOMMIT_HOOK_ID: "spelling-markdown"
PRECOMMIT_HOOK_NAME: "Markdown Spelling"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
pre-commit_lint_config:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "pre-commit-sort-config"
PRECOMMIT_HOOK_NAME: "Pre-Commit Config Linting"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
shell_lint:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
strategy:
fail-fast: true
matrix:
hook:
- id: "format-shell"
name: "Shell Formatting"
- id: "lint-shell"
name: "Shell Linting"
max-parallel: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
uses: ./.github/workflows/job-80-cookiecutter-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: ${{ matrix.hook.id }}
PRECOMMIT_HOOK_NAME: ${{ matrix.hook.name }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
spelling_vocabularies:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "spelling-vale-vocab"
PRECOMMIT_HOOK_NAME: "Spelling vocabularies"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
toml_lint:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-cookiecutter-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "format-toml"
PRECOMMIT_HOOK_NAME: "TOML Formatting"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
workflow_lint:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
strategy:
fail-fast: true
matrix:
hook:
- id: "lint-github-workflow"
name: "Workflow Linting"
- id: "lint-github-workflow-header"
name: "Workflow Header Linting"
max-parallel: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
uses: ./.github/workflows/job-80-cookiecutter-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: ${{ matrix.hook.id }}
PRECOMMIT_HOOK_NAME: ${{ matrix.hook.name }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
yaml_lint:
needs:
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-80-cookiecutter-precommit_commit_stage_hook.yml
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_CONCURRENCY }}
PRECOMMIT_HOOK_ID: "yamllint"
PRECOMMIT_HOOK_NAME: "YAML Linting"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_PYTHON_VERSIONS) }}
TEMPLATE_SCENARIOS: ${{ needs.configuration.outputs.COOKIECUTTER_ALL_SCENARIOS }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
WORKFLOW_NAME: "cookiecutter"
create_release:
permissions:
contents: write
needs:
- configuration
- commit_lint
- commit_spell_check
- commitizen_hooks
- git_conflict_markers
- json_metaschema_lint
- json_schema_lint_cookiecutter
- markdown_links
- markdown_lint
- markdown_spelling
- pre-commit_hooks
- pre-commit_lint_config
- security
- shell_lint
- spelling_vocabularies
- start
- toml_lint
- workflow_lint
- yaml_lint
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-99-poetry-create_release.yml
with:
APPENDED_CONTENT: |
## Release Checklist
- [ ] Ensure all remote references have been updated.
- [ ] Ensure main is synchronized with the release tag.
WORKFLOW_NAME: "cookiecutter"
success:
needs:
- create_release
- configuration
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: ./.github/workflows/job-00-generic-notification.yml
with:
NOTIFICATION_EMOJI: ":checkered_flag:"
NOTIFICATION_MESSAGE: "Workflow has completed successfully!"
WORKFLOW_NAME: "cookiecutter"