
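---
# CI for this Kustomizations repository: IaC/security scanning (checkov, trivy),
# ansible-lint, and an automated release that is pushed to ghcr.io as a Flux
# OCI artifact. Indentation below is reconstructed (2-space, indented lists).
name: ci

# One run per ref + event. In-flight runs are cancelled for branches and PRs,
# but never for release tags, so a tagged release is not interrupted midway.
concurrency:
  cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
  group: ci-${{ github.ref_name }}-${{ github.event_name }}

on:
  push:
    branches:
      - main
    tags:
      - v*
  pull_request:
    branches:
      - main

env:
  ANSIBLE_FORCE_COLOR: "1"
  PY_COLORS: "1"

jobs:
  checkov:
    # NOTE(review): no `schedule` trigger is declared above, so in practice only
    # push and pull_request can satisfy this condition.
    if: |
      contains(fromJson('["schedule", "pull_request", "push"]'), github.event_name)
    permissions:
      contents: read
      security-events: write  # required to publish the SARIF report
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Checkov GitHub Action
        uses: bridgecrewio/checkov-action@v12
        with:
          config_file: .checkov_config.yaml
          output_format: cli,sarif
          output_file_path: console,results.sarif

  trivy:
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to publish the SARIF report
    strategy:
      fail-fast: false  # report both scan types even if one of them fails
      matrix:
        scan-type:
          - fs
          - config
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Cache trivy db
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/trivy
            ~/work/temp
          key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
      - name: Run Trivy vulnerability scanner in ${{ matrix.scan-type }} mode
        # TODO(review): pin to a full commit SHA (`@<sha> # vX.Y.Z`) instead of
        # the mutable `master` ref so the scanner itself cannot change underneath
        # this workflow.
        uses: aquasecurity/trivy-action@master
        with:
          format: sarif
          ignore-unfixed: true
          output: trivy-results.sarif
          scan-ref: .
          scan-type: ${{ matrix.scan-type }}
          severity: CRITICAL,HIGH
          trivy-config: trivy.yaml
          # NOTE(review): a PAT has broader reach than the job's GITHUB_TOKEN;
          # presumably only used by the action's Trivy setup step — confirm the
          # token is read-only scoped.
          token-setup-trivy: ${{ secrets.GH_PAT }}
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          # Distinct category per matrix entry so the `fs` and `config` uploads
          # for the same commit do not overwrite each other.
          category: trivy-${{ matrix.scan-type }}

  ansible-lint:
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read  # least privilege: the job only reads the checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run ansible-lint
        # TODO(review): pin to a full commit SHA instead of the mutable `main` ref.
        uses: ansible/ansible-lint@main

  # Opens/updates the release PR and, on merge, creates the tag and release.
  # Exposes whether a release happened and its tag to the release-oci job.
  release-please:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    outputs:
      releases_created: ${{ steps.release-please.outputs.releases_created }}
      tag_name: ${{ steps.release-please.outputs.tag_name }}
    steps:
      - id: release-please
        name: Release please
        uses: googleapis/release-please-action@v4
        with:
          release-type: simple

  release-oci:
    needs:
      - release-please
    if: needs.release-please.outputs.releases_created == 'true'
    permissions:
      contents: read   # checkout of the release commit
      packages: write  # push to ghcr.io
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Flux CLI
        # TODO(review): pin to a full commit SHA instead of the mutable `main` ref.
        uses: fluxcd/flux2/action@main
      - name: Build source
        # Archives every top-level, non-hidden directory except those matching
        # the patterns in .buildignore.
        run: tar cvzf kustomizations.tar.gz $(find . -maxdepth 1 -type d ! -name '.*' | grep -v -f .buildignore)
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Push to ghcr OCI registry
        # Workflow expressions are passed through `env` rather than interpolated
        # into the script, so their values are never re-parsed by the shell.
        env:
          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
          REPOSITORY: ${{ github.repository }}
          SERVER_URL: ${{ github.server_url }}
        run: |
          set -euo pipefail
          # The tag comes from release-please's output: actions/checkout's default
          # shallow fetch does not fetch tags, so `git tag --points-at HEAD` is
          # not guaranteed to resolve here.
          REVISION="$(git rev-parse HEAD)"
          CREATED="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
          flux push artifact "oci://ghcr.io/${REPOSITORY}:${TAG_NAME}" \
            --path=kustomizations.tar.gz \
            --source="${SERVER_URL}/${REPOSITORY}" \
            --revision="${TAG_NAME}@sha1:${REVISION}" \
            --annotations="org.opencontainers.image.created=${CREATED}" \
            --annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \
            --annotations="org.opencontainers.image.documentation=${SERVER_URL}/${REPOSITORY}" \
            --annotations="org.opencontainers.image.licenses=Apache-2.0" \
            --annotations="org.opencontainers.image.revision=${REVISION}" \
            --annotations="org.opencontainers.image.title=Kustomizations" \
            --annotations="org.opencontainers.image.url=${SERVER_URL}/${REPOSITORY}" \
            --annotations="org.opencontainers.image.version=${TAG_NAME}"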