Skip to content

Walter CI

Walter CI #1076

Workflow file for this run

# This file is maintained by Walter CI, and may be rewritten.
# https://github.com/piotr-yuxuan/walter-ci
#
# You are free to remove this project from Walter CI realm by opening
# a PR. You may also create another workflow besides this one.
name: Walter CI
'on':
repository_dispatch: null
workflow_dispatch:
inputs:
walter-version:
description: Walter bin version
required: false
type: string
push:
branches: '**'
schedule:
- cron: 28 6,18 * * *
concurrency:
group: walter-ci
cancel-in-progress: true
env:
GIT_ASKPASS: ${HOME}/.walter-ci/bin/askpass.sh
GIT_AUTHOR_EMAIL: ${{ secrets.WALTER_GIT_EMAIL }}
GIT_AUTHOR_NAME: ${{ secrets.WALTER_AUTHOR_NAME }}
GIT_COMMITTER_EMAIL: ${{ secrets.WALTER_GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ secrets.WALTER_AUTHOR_NAME }}
GIT_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
WALTER_VERSION: ${{ github.event.inputs.walter-version }}
jobs:
security-sarif-clojure:
runs-on: ubuntu-latest
name: 'Security: clojure,clj-holmes'
steps:
- uses: actions/checkout@main
- uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
with:
output-type: sarif
output-file: clj-holmes.sarif
fail-on-result: 'false'
- run: cat clj-holmes.sarif
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: clj-holmes.sarif
wait-for-processing: true
security-policy:
runs-on: ubuntu-latest
name: 'Security: policy'
needs:
- security-nvd
- security-sarif-clojure
- security-sarif-terraform
- security-sarif-trivy
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: |-
walter security-policy \
--current-version $(awk '{$1=$1};1' < ./resources/*.version) \
--current-commit $(git rev-parse HEAD)
- run: git add .
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Security policy for version $(awk '{$1=$1};1' < ./resources/*.version)"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
security-nvd:
runs-on: ubuntu-latest
name: 'Security: clojure,nvd'
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/cache@8f1e2e02865c42348f9baddbbaafb1841dce610a
with:
path: ~/.m2/repository
key: ${{ runner.os }}-nvd-${{ hashFiles('**/project.clj') }}
restore-keys: ${{ runner.os }}-maven-
- run: git rm "./doc/Known vulnerabilities.txt"
continue-on-error: true
- run: clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd
- run: clojure -Tnvd nvd.task/check :classpath '"'"$(lein with-profile -user,-dev classpath)"'"'
continue-on-error: true
- run: bb "$HOME/.walter-ci/cut-nvd.clj" ./target/nvd/dependency-check-report.csv
continue-on-error: true
- run: cp ./target/nvd/dependency-check-report.csv ./doc/known-vulnerabilities.csv
- run: git add ./doc/known-vulnerabilities.csv
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Update known vulnerabilities"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
clj-kondo:
runs-on: ubuntu-latest
name: clj-kondo, a linter for Clojure
steps:
- uses: actions/checkout@main
- uses: DeLaGuardo/setup-clj-kondo@afc83dbbf4e7e32e04649e29dbf30668d30e9e3e
with:
version: 2022.04.08
- run: clj-kondo --lint src --config '{:output {:pattern "::warning file={{filename}},line={{row}},col={{col}}::{{message}}"}}'
continue-on-error: true
conform-repository:
runs-on: ubuntu-latest
name: Conform GitHub repository
env:
WALTER_ACTOR: ${{ secrets.WALTER_ACTOR }}
WALTER_GITHUB_PASSWORD: ${{ secrets.WALTER_GITHUB_PASSWORD }}
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: walter conform-repository
- run: git add .github/CODEOWNERS.yml
continue-on-error: true
- run: git add .github/FUNDING.yml
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Conform repository"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
update-gitignore:
runs-on: ubuntu-latest
name: Update .gitignore
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: walter update-git-ignore
- run: git add .gitignore
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Update .gitignore"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
detect-secrets:
runs-on: ubuntu-latest
name: 'Security: secrets'
steps:
- uses: actions/checkout@main
- uses: reviewdog/action-detect-secrets@c29dcff1bd0ac2e4ea528311abac6fdd2d8bb13a
with:
github_token: ${{ secrets.github_token }}
fail_on_error: false
security-sarif-terraform:
runs-on: ubuntu-latest
name: 'Security: tfsec'
steps:
- uses: actions/checkout@main
- uses: aquasecurity/tfsec-sarif-action@9b703869c5108700605056134506e274ef6e9bd3
with:
sarif_file: tfsec.sarif
- run: cat tfsec.sarif
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: tfsec.sarif
wait-for-processing: true
list-licenses:
runs-on: ubuntu-latest
name: List dependency licenses
steps:
- run: git rm "./doc/Licenses.csv"
continue-on-error: true
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: lein with-profile uberjar licenses :csv > ./doc/licences.csv
- run: sort -o ./doc/licences.csv{,}
continue-on-error: true
- run: awk -i inplace 'BEGINFILE{print "Library name,Version,License name"}{print}' ./doc/licences.csv
- run: git add ./doc/licences.csv
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "List dependency licences"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
ns-sort:
runs-on: ubuntu-latest
name: Sort namespace forms
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: lein help
- run: lein ns-sort
- run: git add .
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Sort namespace forms"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
idiomatic-code:
runs-on: ubuntu-latest
name: Idiomatic code
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: clojure -M:lint/idiom -- --replace
- run: git add .
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "More idiomatic code"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
security-sarif-trivy:
runs-on: ubuntu-latest
name: 'Security: general,clojure'
env:
TRIVY_CACHE_DIR: ${HOME}/.trivy-cache-dir
needs: []
permissions:
security-events: write
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: lein uberjar
- run: lein with-profile uberjar pom
- uses: aquasecurity/trivy-action@master
continue-on-error: true
with:
scan-type: fs
scan-ref: .
cache-dir: ${TRIVY_CACHE_DIR}
security-checks: vuln,config
output: trivy-results.sarif
ignore-unfixed: false
format: sarif
- run: cat trivy-results.sarif
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
wait-for-processing: true
update-dependencies:
runs-on: ubuntu-latest
name: Update dependency versions
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- run: lein ancient upgrade :no-tests :all :recursive :check-clojure :allow-qualified
- run: lein with-profile +walter/kaocha,+kaocha run -m kaocha.runner --skip-meta :slow --skip-meta :perf
- run: git add .
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Update dependency versions"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase
code-coverage:
runs-on: ubuntu-latest
name: Code coverage
steps:
- uses: piotr-yuxuan/walter-ci@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/cache@8f1e2e02865c42348f9baddbbaafb1841dce610a
with:
path: ~/.m2/repository
key: ${{ runner.os }}-perf-${{ hashFiles('**/project.clj') }}
restore-keys: ${{ runner.os }}-maven-
- run: git rm ./doc/code-coverage/
continue-on-error: true
- run: lein with-profile +walter/kaocha,+kaocha run -m kaocha.runner --plugin cloverage --cov-output ./doc/code-coverage --skip-meta :slow --skip-meta :perf --cov-text --cov-html
- run: git add ./doc/code-coverage/**.{txt,css,html}
continue-on-error: true
- run: git diff --staged --exit-code
continue-on-error: true
id: diff
- run: git commit --message "Update code coverage"
if: steps.diff.outcome == 'failure'
- name: git push
run: walter retry
if: steps.diff.outcome == 'failure'
env:
WALTER_TRY: git push
WALTER_BEFORE_RETRY: git pull --rebase