diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml new file mode 100644 index 0000000..53eb3e0 --- /dev/null +++ b/.github/workflows/cid-pullrequest.yml @@ -0,0 +1,226 @@ +# cid-workflow-version: 0.0.11 + +# name +name: cid-pullrequest + +# triggers +on: + workflow_dispatch: + inputs: + loglevel: + description: Log level + required: true + default: info + type: choice + options: + - debug + - info + - warn + - error + pull_request: + branches: + - main + paths-ignore: + - README.md + - LICENSE + - .github/** + - .gitignore + - .editorconfig + - renovate.json + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # detection of GitHub Actions environment + checks: none + contents: read + deployments: none + id-token: none + issues: none + packages: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + +# cancel in progress when a new run starts +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +env: + CID_WORKFLOW: main + CID_VERSION: latest + CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: block + # allowed endpoints for egress traffic if egress-policy is set to 'block'. + EGRESS_POLICY_ALLOWED_ENDPOINTS: >- + api.github.com:443 + cdn01.quay.io:443 + cdn02.quay.io:443 + cdn03.quay.io:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + quay.io:443 + raw.githubusercontent.com:443 + storage.googleapis.com:443 + uploads.github.com:443 + EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- + scanner.sonarcloud.io:443 + semgrep.dev:443 + sonarcloud.io:443 + EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: "" + +# jobs +jobs: + # info + info: + name: Info + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + timeout-minutes: 30 + if: ${{ github.event.inputs.loglevel == 'debug' }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@main + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: info + env: + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + echo "> project modules" + cid --log-level=${CID_LOGLEVEL:-info} module ls + echo "> catalog" + cid --log-level=${CID_LOGLEVEL:-info} catalog list + echo "> workflows" + cid --log-level=${CID_LOGLEVEL:-info} workflow ls + # build + build: + name: Build + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + permissions: + id-token: write # provenance signing + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@main + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: build + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build + - name: upload artifacts + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + with: + name: build-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + + # test + test: + name: Test + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@main + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: test + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test + - name: upload artifacts + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + with: + name: test-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + # scan + scan: + name: Scan + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + needs: [build, test] + permissions: + security-events: write + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@main + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: download artifacts > build + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + with: + name: build-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: download artifacts > test + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + with: + name: test-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: scan + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan diff --git a/.github/workflows/ci.yml b/.github/workflows/cid.yml similarity index 92% rename from .github/workflows/ci.yml rename to .github/workflows/cid.yml index 16ad61a..b56ca17 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/cid.yml @@ -1,4 +1,4 @@ -# cid-workflow-version: 0.0.9 +# cid-workflow-version: 0.0.11 # name name: cid-main @@ -88,7 +88,7 @@ jobs: if: ${{ github.event.inputs.loglevel == 'debug' }} steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} @@ -120,7 +120,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} @@ -140,13 +140,13 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - name: upload artifacts - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: build-${{ github.run_id }} path: .dist retention-days: 1 if-no-files-found: ignore - + # test test: name: Test @@ -154,7 +154,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} @@ -174,7 +174,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - name: upload artifacts - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: test-${{ github.run_id }} path: .dist @@ -190,7 +190,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} @@ -236,7 +236,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} @@ -262,7 +262,7 @@ jobs: run: | cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package - name: upload artifacts - uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: package-${{ github.run_id }} path: .dist @@ -282,7 +282,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: ${{ env.EGRESS_POLICY }} @@ -313,4 +313,4 @@ jobs: MAVEN_GPG_SIGN_PASSWORD: ${{ secrets.MAVEN_GPG_SIGN_PASSWORD }} MAVEN_GPG_SIGN_KEYID: ${{ secrets.MAVEN_GPG_SIGN_KEYID }} run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage publish \ No newline at end of file + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage publish