ci: fix download artifact vulnerability #839
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: packing | |
on: | |
push: | |
pull_request: | |
pull_request_target: | |
types: [labeled] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
pack_pip: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
# Checkout all tags for correct version computation. | |
with: | |
fetch-depth: 0 | |
- name: Setup Python and basic packing tools | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: Install tools for packing and verification | |
run: pip3 install wheel twine | |
- name: Pack source and binary files | |
run: make pip-dist | |
- name: Verify the package | |
run: make pip-dist-check | |
- name: Archive pip artifacts | |
uses: actions/[email protected] | |
with: | |
name: pip_dist | |
path: pip_dist | |
retention-days: 1 | |
if-no-files-found: error | |
run_tests_pip_package_linux: | |
needs: pack_pip | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: Remove connector source code | |
run: python3 .github/scripts/remove_source_code.py | |
- name: Install tarantool | |
uses: tarantool/setup-tarantool@v2 | |
with: | |
tarantool-version: '2.11' | |
- name: Download pip package artifacts | |
uses: actions/[email protected] | |
with: | |
name: pip_dist | |
path: pip_dist | |
- name: Install the package from pip artifacts | |
run: pip3 install pip_dist/*.whl | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Install the crud module for testing purposes | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | bash | |
sudo apt install -y tt | |
tt rocks install crud | |
- name: Run tests | |
run: make test-pure-install | |
run_tests_pip_package_windows: | |
needs: pack_pip | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: windows-2022 | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: Remove connector source code | |
run: python3 .github/scripts/remove_source_code.py | |
- name: Download pip package artifacts | |
uses: actions/[email protected] | |
with: | |
name: pip_dist | |
path: pip_dist | |
- name: Install the package from pip artifacts | |
run: pip3 install (gci ./pip_dist *.whl).fullname | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Setup WSL for tarantool | |
uses: Vampire/setup-wsl@v1 | |
with: | |
distribution: Ubuntu-22.04 | |
- name: Install tarantool | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | bash -s | |
sudo apt install -y tarantool tarantool-dev | |
- name: Setup test tarantool instance | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
rm -f ./tarantool.pid ./tarantool.log | |
TNT_PID=$(tarantool ./test/suites/lib/tarantool_python_ci.lua > tarantool.log 2>&1 & echo $!) | |
touch tarantool.pid | |
echo $TNT_PID > ./tarantool.pid | |
- name: Run tests | |
env: | |
REMOTE_TARANTOOL_HOST: localhost | |
REMOTE_TARANTOOL_CONSOLE_PORT: 3302 | |
run: make test-pure-install | |
- name: Stop test tarantool instance | |
if: ${{ always() }} | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
cat tarantool.log || true | |
kill $(cat tarantool.pid) || true | |
publish_pip: | |
if: startsWith(github.ref, 'refs/tags') | |
needs: | |
- run_tests_pip_package_linux | |
- run_tests_pip_package_windows | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Setup Python and basic packing tools | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: Install tools for package publishing | |
run: pip3 install twine | |
- name: Download pip package artifacts | |
uses: actions/[email protected] | |
with: | |
name: pip_dist | |
path: pip_dist | |
- name: Publish artifacts | |
run: twine upload -r $PYPI_REPO -u __token__ -p $PYPI_TOKEN pip_dist/* | |
env: | |
PYPI_REPO: pypi | |
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} | |
pack_rpm: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
container: | |
image: ${{ matrix.target.os }}:${{ matrix.target.dist }} | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- os: fedora | |
dist: '34' | |
- os: fedora | |
dist: '35' | |
- os: fedora | |
dist: '36' | |
steps: | |
- name: Bump git version | |
# Fails to compute package version inside docker otherwise: | |
# https://github.com/actions/runner/issues/2033 | |
run: dnf install -y git | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
# Checkout all tags for correct version computation. | |
with: | |
fetch-depth: 0 | |
- name: Set ownership | |
# Fails to compute package version inside docker otherwise: | |
# https://github.com/actions/runner/issues/2033 | |
run: chown -R $(id -u):$(id -g) $PWD | |
- name: Setup Python and various packing tools | |
run: dnf install -y python3 python3-libs python3-pip python3-setuptools python3-wheel | |
- name: Install RPM packing tools | |
run: | | |
dnf install -y gcc make coreutils diffutils patch | |
dnf install -y rpm-build rpm-devel rpmlint rpmdevtools | |
- name: Pack source and binary RPM | |
run: make rpm-dist | |
- name: Verify the package | |
run: make rpm-dist-check | |
- name: Archive RPM artifacts | |
uses: actions/[email protected] | |
with: | |
name: rpm_dist_${{ matrix.target.os }}_${{ matrix.target.dist }} | |
path: rpm_dist | |
retention-days: 1 | |
if-no-files-found: error | |
run_tests_rpm: | |
needs: pack_rpm | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
container: | |
image: ${{ matrix.target.os }}:${{ matrix.target.dist }} | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- os: fedora | |
dist: '34' | |
- os: fedora | |
dist: '35' | |
- os: fedora | |
dist: '36' | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Setup Python and test running tools | |
# cmake rocks fail to install as expected without findutils: | |
# https://github.com/tarantool/luarocks/issues/14 | |
run: dnf install -y python3 python3-libs python3-pip git make cmake gcc unzip findutils | |
- name: Remove connector source code | |
run: python3 .github/scripts/remove_source_code.py | |
- name: Install tarantool | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | bash | |
dnf install -y tarantool tarantool-devel | |
- name: Download RPM artifacts | |
uses: actions/[email protected] | |
with: | |
name: rpm_dist_${{ matrix.target.os }}_${{ matrix.target.dist }} | |
path: rpm_dist | |
- name: Install the package from rpm artifacts | |
run: dnf install -y rpm_dist/python3-tarantool-*.noarch.rpm | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Install the crud module for testing purposes | |
run: | | |
sudo dnf install -y tt | |
tt rocks install crud | |
- name: Run tests | |
run: make test-pure-install | |
publish_rpm: | |
if: startsWith(github.ref, 'refs/tags') | |
needs: | |
- run_tests_rpm | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- os: fedora | |
dist: '34' | |
- os: fedora | |
dist: '35' | |
- os: fedora | |
dist: '36' | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Install tools for package publishing | |
run: sudo apt install -y curl make | |
- name: Download RPM artifacts | |
uses: actions/[email protected] | |
with: | |
name: rpm_dist_${{ matrix.target.os }}_${{ matrix.target.dist }} | |
path: rpm_dist | |
- name: Publish artifacts | |
run: | | |
export FILE_FLAGS=$(find rpm_dist/ -type f -regex '.*\.rpm' \ | |
| xargs -I {} sh -c 'echo -F $(basename {})=@{}' \ | |
| xargs) | |
echo $FILE_FLAGS | |
curl -v -LfsS -X PUT $RWS_REPO/release/modules/$OS/$DIST \ | |
-F product=python3-tarantool $FILE_FLAGS -u $RWS_AUTH | |
env: | |
RWS_REPO: https://rws.tarantool.org | |
RWS_AUTH: ${{ secrets.RWS_AUTH }} | |
OS: ${{ matrix.target.os }} | |
DIST: ${{ matrix.target.dist }} | |
pack_deb: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
# Checkout all tags for correct version computation | |
with: | |
fetch-depth: 0 | |
- name: Install deb packing tools | |
run: | | |
sudo apt update | |
sudo apt install -y devscripts equivs | |
- name: Make changelog entry for non-release build | |
if: startsWith(github.ref, 'refs/tags') != true | |
run: make deb-changelog-entry | |
- name: Install build tools | |
run: sudo mk-build-deps -i --tool "apt-get --no-install-recommends -y" | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
- name: Pack source and binary deb | |
run: make deb-dist | |
- name: Verify the package | |
run: make deb-dist-check | |
- name: Archive deb artifacts | |
uses: actions/[email protected] | |
with: | |
name: deb_dist | |
path: deb_dist | |
run_tests_deb: | |
needs: pack_deb | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
container: | |
image: ${{ matrix.target.os }}:${{ matrix.target.dist }} | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- os: ubuntu | |
dist: focal # 20.04 | |
- os: ubuntu | |
dist: jammy # 22.04 | |
- os: debian | |
dist: buster # 10 | |
- os: debian | |
dist: bullseye # 11 | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Prepare apt | |
run: apt update | |
- name: Setup Python | |
run: apt install -y python3 python3-pip git | |
- name: Remove connector source code | |
run: python3 .github/scripts/remove_source_code.py | |
- name: Install tarantool ${{ matrix.tarantool }} | |
run: | | |
apt install -y curl | |
curl -L https://tarantool.io/release/2/installer.sh | bash | |
apt install -y tarantool tarantool-dev | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
- name: Download deb artifacts | |
uses: actions/[email protected] | |
with: | |
name: deb_dist | |
path: deb_dist | |
- name: Install the package from deb artifacts | |
run: apt install -y `pwd`/deb_dist/python3-tarantool_*.deb | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Install the crud module for testing purposes | |
run: | | |
apt install -y tt | |
tt rocks install crud | |
- name: Run tests | |
run: make test-pure-install | |
publish_deb: | |
if: startsWith(github.ref, 'refs/tags') | |
needs: | |
- run_tests_deb | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- os: ubuntu | |
dist: focal # 20.04 | |
- os: ubuntu | |
dist: jammy # 22.04 | |
- os: debian | |
dist: buster # 10 | |
- os: debian | |
dist: bullseye # 11 | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Install tools for package publishing | |
run: sudo apt install -y curl make | |
- name: Download deb artifacts | |
uses: actions/[email protected] | |
with: | |
name: deb_dist | |
path: deb_dist | |
- name: Publish artifacts | |
run: | | |
export FILE_FLAGS=$(find deb_dist/ -type f -regex '.*\.deb' -or -regex '.*\.dsc' \ | |
| xargs -I {} sh -c 'echo -F $(basename {})=@{}' \ | |
| xargs) | |
echo $FILE_FLAGS | |
curl -v -LfsS -X PUT $RWS_REPO/release/modules/$OS/$DIST \ | |
-F product=python3-tarantool $FILE_FLAGS -u $RWS_AUTH | |
env: | |
RWS_REPO: https://rws.tarantool.org | |
RWS_AUTH: ${{ secrets.RWS_AUTH }} | |
OS: ${{ matrix.target.os }} | |
DIST: ${{ matrix.target.dist }} |