-
-
Notifications
You must be signed in to change notification settings - Fork 4
145 lines (132 loc) · 5.1 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: CI
# Enable Buildkit and let compose use it to speed up image building
env:
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
on:
pull_request:
branches: [ "master", "main" ]
paths-ignore: [ "docs/**", "README.md" ]
push:
branches: [ "master", "main" ]
paths-ignore: [ "docs/**", "README.md" ]
tags: [ 'v*.*.*' ]
concurrency:
group: ${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
# With no caching at all the entire ci process takes 4m 30s to complete!
tests:
runs-on: ubuntu-latest
steps:
- name: Checkout Code Repository
uses: actions/checkout@v3
- name: Build the Stack
run: docker compose -f local.yml build
- name: Run DB Migrations
run: docker compose -f local.yml run --rm django python manage.py migrate --skip-checks
- name: Run Django Tests
run: docker compose -f local.yml run --rm django pytest
- name: Tear down the database
run: docker compose -f local.yml run --rm django python manage.py drop_test_database --no-input
- name: Run Django Tests
run: docker compose -f local.yml run --rm django coverage run manage.py test colander --no-input
- name: Tear down the Stack
run: docker compose -f local.yml down
docker-build:
if: github.event_name == 'push' && github.repository_owner == 'PiRogueToolSuite'
needs: [tests]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# generate Docker tags based on the following events/attributes
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v5
with:
context: .
file: ./compose/production/django/Dockerfile
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: |
annotation.org.opencontainers.image.source="https://github.com/PiRogueToolSuite/colander"
annotation.org.opencontainers.image.description="Case, knowledge management and digital investigation platform"
annotation.org.opencontainers.image.vendor="Defensive Lab Agency"
annotation.org.opencontainers.image.licenses="GPL-3.0"
annotation.org.opencontainers.image.revision="${{ github.sha }}"
- name: Log into Docker Hub
uses: docker/login-action@v3.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker Scout
id: docker-scout
uses: docker/scout-action@v1
with:
command: cves,sbom
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}
sarif-file: sarif.output.json
summary: true
only-severities: critical,high
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json
build-deployment-package:
if: github.event_name == 'push' && github.repository_owner == 'PiRogueToolSuite'
needs: [docker-build]
runs-on: ubuntu-latest
steps:
- name: Checkout Code Repository
uses: actions/checkout@v3
- name: Compress the deployment package
run: tar czf deployment-package.tar.gz deploy_package
- name: Release
uses: fnkr/github-action-ghr@v1
if: startsWith(github.ref, 'refs/tags/')
env:
GHR_PATH: deployment-package.tar.gz
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}