-
Notifications
You must be signed in to change notification settings - Fork 3
165 lines (161 loc) · 5.23 KB
/
commit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
---
name: "CI"
on: # yamllint disable-line rule:truthy
push:
branches:
- main
pull_request:
branches:
- main
env:
python_version: "3.11"
defaults:
run:
shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
jobs:
test:
name: Test
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64
steps:
- name: Checkout the repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v4
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install Task
uses: arduino/setup-task@v2
- name: Initialize the repo
run: task -v init
- name: Set up QEMU for cross-platform emulation
uses: docker/setup-qemu-action@v3
- name: Build the goat
run: task -v build
env:
PLATFORM: ${{ matrix.platform }}
- name: Run the tests
run: task -v test -- debug
env:
PLATFORM: ${{ matrix.platform }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate the SBOMs
run: task -v sbom
env:
PLATFORM: ${{ matrix.platform }}
- name: Set env var for unique artifact uploads
run: echo SANITIZED_PLATFORM="$(echo "${{ matrix.platform }}" | sed 's/\//_/g')" >> $GITHUB_ENV
- name: Upload the SBOMs to GitHub
uses: actions/upload-artifact@v4
with:
name: SBOM-${{ env.SANITIZED_PLATFORM }}
path: sbom.*.json
if-no-files-found: error
- name: Generate vuln scan results
run: task -v vulnscan
env:
PLATFORM: ${{ matrix.platform }}
- name: Upload the vuln scan results to GitHub
uses: actions/upload-artifact@v4
with:
name: Vulns-${{ env.SANITIZED_PLATFORM }}
path: vulns.*.json
if-no-files-found: error
distribute:
name: Distribute
needs: [test]
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
permissions:
contents: write
runs-on: ubuntu-22.04
steps:
- name: Checkout the repository
uses: actions/checkout@v4
with:
token: ${{ secrets.SEISO_AUTOMATION_PAT }}
fetch-depth: 0
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v4
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install Task
uses: arduino/setup-task@v2
- name: Initialize the repo
run: task -v init
- name: Update and bump the version
run: |
task -v release
TAG="$(git describe --tags)"
echo "TAG=${TAG}" >> "${GITHUB_ENV}"
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up QEMU for cross-platform emulation
uses: docker/setup-qemu-action@v3
- name: Build and publish all the supported images to Docker Hub
run: task -v publish
env:
PLATFORM: all
- name: Generate the SBOMs
run: task -v sbom
env:
PLATFORM: all
- name: Set env var for unique artifact uploads
run: echo SANITIZED_PLATFORM="$(echo "${{ matrix.platform }}" | sed 's/\//_/g')" >> $GITHUB_ENV
- name: Upload the SBOMs to GitHub
uses: actions/upload-artifact@v4
with:
name: SBOM-${{ env.SANITIZED_PLATFORM }}
path: sbom.*.json
if-no-files-found: error
- name: Generate vuln scan results
run: task -v vulnscan
env:
PLATFORM: all
- name: Upload the vuln scan results to GitHub
uses: actions/upload-artifact@v4
with:
name: Vulns-${{ env.SANITIZED_PLATFORM }}
path: vulns.*.json
if-no-files-found: error
- name: Publish the release README to Docker Hub
uses: peter-evans/dockerhub-description@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: seiso/goat
short-description: Seiso's Grand Opinionated AutoTester (GOAT)
- name: Push the release commit
run: |
BRANCH="$(git branch --show-current)"
git push --atomic origin "${BRANCH}" "${{ env.TAG }}"
- name: Publish the release to GitHub
uses: softprops/action-gh-release@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
name: ${{ env.TAG }}
tag_name: ${{ env.TAG }}
generate_release_notes: true
files: |
vulns.*.json
sbom.*.json
draft: false
prerelease: false