-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feature/add release and cve to mex-template (#28)
# Added - add release and cve pipelines to mex-template
- Loading branch information
1 parent
2e43cc1
commit e0710e9
Showing
7 changed files
with
194 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| name: CVE Scan | ||
|
|
||
| on: | ||
| push: | ||
| pull_request: | ||
| types: | ||
| - opened | ||
| - reopened | ||
| - synchronize | ||
| schedule: | ||
| - cron: "14 3 * * 1-5" | ||
| workflow_dispatch: | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| scan: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run trivy | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| format: 'sarif' | ||
| list-all-pkgs: 'true' | ||
| output: 'trivy-results.sarif' | ||
| scan-ref: '.' | ||
| scan-type: 'fs' | ||
| severity: 'MEDIUM,HIGH,CRITICAL' | ||
|
|
||
| - name: Publish results | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| if: always() | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| name: Release | ||
|
|
||
| run-name: bump ${{ inputs.version }} version by @${{ github.actor }} | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| type: choice | ||
| description: 'part of the project version to update' | ||
| options: | ||
| - major | ||
| - minor | ||
| - patch | ||
| required: true | ||
|
|
||
| env: | ||
| PIP_NO_OPTION: on | ||
| PIP_NO_CLEAN: on | ||
| PIP_PREFER_BINARY: on | ||
|
|
||
| permissions: | ||
| contents: write | ||
| packages: write | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| jobs: | ||
| release: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| outputs: | ||
| tag: ${{ steps.release.outputs.tag }} | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Cache requirements | ||
| uses: actions/cache@v4 | ||
| env: | ||
| cache-name: cache-requirements | ||
| with: | ||
| path: ~/.cache/pip | ||
| key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }} | ||
| restore-keys: | | ||
| ${{ env.cache-name }}- | ||
| - name: Setup python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: 3.11 | ||
|
|
||
| - name: Install requirements | ||
| run: make setup | ||
|
|
||
| - name: Configure git | ||
| env: | ||
| SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | ||
| SIGNING_PUB: ${{ secrets.SIGNING_PUB }} | ||
| run: | | ||
| {% raw -%} | ||
| eval "$(ssh-agent -s)" | ||
| install --directory ~/.ssh --mode 700 | ||
| base64 -d <<< '${{ secrets.SIGNING_KEY }}' > ~/.ssh/mex | ||
| base64 -d <<< '${{ secrets.SIGNING_PUB }}' > ~/.ssh/mex.pub | ||
| chmod 600 ~/.ssh/* | ||
| ssh-add ~/.ssh/mex | ||
| git config --local user.email ${{ vars.MEX_BOT_EMAIL }} | ||
| git config --local user.name ${{ vars.MEX_BOT_USER }} | ||
| git config --local gpg.format ssh | ||
| git config --local user.signingkey ~/.ssh/mex.pub | ||
| git config --local commit.gpgsign true | ||
| {%- endraw %} | ||
| - name: Release new version | ||
| id: release | ||
| env: | ||
| GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} | ||
| run: | | ||
| pdm release ${{ inputs.version }} | ||
| echo "tag=$(git describe --abbrev=0 --tags)" >> "$GITHUB_OUTPUT" | ||
| distribute: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| needs: release | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Cache requirements | ||
| uses: actions/cache@v4 | ||
| env: | ||
| cache-name: cache-requirements | ||
| with: | ||
| path: ~/.cache/pip | ||
| key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }} | ||
| restore-keys: | | ||
| ${{ env.cache-name }}- | ||
| - name: Setup python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: 3.11 | ||
|
|
||
| - name: Install requirements | ||
| run: make setup | ||
|
|
||
| - name: Build wheel and sdist distros and create a github release | ||
| env: | ||
| GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} | ||
| PDM_CHECK_UPDATE: False | ||
| run: | | ||
| gh release create ${{ needs.release.outputs.tag }} --generate-notes --latest --verify-tag |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| .PHONY: all setup | ||
| all: setup | ||
|
|
||
| LATEST = $(shell git describe --tags $(shell git rev-list --tags --max-count=1)) | ||
| PWD = $(shell pwd) | ||
|
|
||
| setup: | ||
| # install meta requirements system-wide | ||
| @ echo installing requirements; \ | ||
| pip --disable-pip-version-check install --force-reinstall -r requirements.txt; \ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| @echo off | ||
|
|
||
| set target=%1 | ||
|
|
||
| if "%target%"=="install" goto install | ||
| echo invalid argument %target% | ||
| exit /b 1 | ||
|
|
||
|
|
||
| :install | ||
| @REM install meta requirements system-wide | ||
| echo installing requirements | ||
| pip --disable-pip-version-check install --force-reinstall -r requirements.txt | ||
| if %errorlevel% neq 0 exit /b %errorlevel% |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| cruft==2.15.0 | ||
| mex-release @ git+https://github.com/robert-koch-institut/mex-release.git | ||
| pdm==2.15.4 | ||
| pre-commit==3.7.1 | ||
| wheel==0.43.0 |