Skip to content

CI

CI #423

Workflow file for this run

---
name: 'CI'
on:
push:
branches:
- main
- feature/*
pull_request:
branches:
- main
- feature/*
workflow_dispatch:
# Inputs are only available for workflow_dispatch - the default is not available for other type of triggers
# https://dev.to/mrmike/github-action-handling-input-default-value-5f2g
inputs:
runner:
description: 'Runner type'
required: true
default: 'ubuntu-22.04'
type: choice
options:
- ubuntu-22.04
- matihost
schedule:
- cron: '27 20 * * 0'
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions:
actions: read
contents: read
packages: write
security-events: write
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
env:
IMAGE_TAG: "${{ github.ref == 'refs/heads/main' && 'latest' || github.sha }}"
jobs:
sources:
name: Checkout sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 5
container:
image: maven:3-eclipse-temurin-21
outputs:
GIT_COMMIT_HASH: ${{ steps.git_hash.outputs.GIT_COMMIT_HASH }}
steps:
- name: Checkout sources
uses: actions/checkout@v4
with:
fetch-depth: 0
# Workaround for https://github.com/actions/runner/issues/2033
- name: Set ownership
run: |
chown -R $(id -u):$(id -g) $PWD
- name: Obtain git version
id: git_hash
run: |
echo "GIT_COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- name: Cache workspace
uses: actions/cache/save@v4
with:
# avoid using github.workspace in caching?
# so how effectivelly share source code between jobs?
# https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
# artifacts?
# cleaning artifacts after workflow requires custom, non standard action:
# https://github.com/marketplace/actions/delete-artifact
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
enableCrossOsArchive: true
java:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: maven:3-eclipse-temurin-21
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Cache local Maven repository
uses: actions/cache@v4
with:
# TODO reading from MAVEN_CONFIG env did not work here
path: "/root/.m2/repository"
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
# Do not use actions/setup-java@v3 cache option as it requires downloading java again, but container image contains java already
# Use actions/cache to cache M2 repository manually instead
#
# - name: Set up JDK 21
# uses: actions/setup-java@v3
# with:
# java-version: '21'
# distribution: 'adopt'
# cache: maven
- name: Build Java source code
working-directory: java
run: mvn -s .mvn/settings.xml --show-version clean install
- name: Archive app jars artifacts
uses: actions/upload-artifact@v4
with:
name: app-jars
path: java/apps/**/target/*.jar
retention-days: 2
- name: Cache java build sources
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/java
key: java-${{ github.run_id }}-${{ github.run_attempt }}
enableCrossOsArchive: true
java-image-mq-app:
needs: java
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: quay.io/matihost/gh-gcp-java-kaniko
steps:
- name: Download java build sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}/java
key: java-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Build Java mq client image
working-directory: java/apps/mq/client
env:
container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}"
REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}"
REGISTRY_USER: "${{ secrets.REGISTRY_USER }}"
REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}"
run: |
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"${{ env.REGISTRY }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --ignore-path=/var/mail --ignore-path=/var/spool/mail --push-retry 2 --skip-tls-verify --cache=false \
--use-new-run --snapshot-mode=redo \
--build-arg JAR_FILE=target/*.jar \
--destination="${{ env.REGISTRY }}/matihost/mq/basic-client:${{ env.IMAGE_TAG }}"
java-image-cmdline:
needs: java
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: quay.io/matihost/gh-gcp-java-kaniko
steps:
- name: Download java build sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}/java
key: java-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Build Java command-line image
working-directory: java/apps/command-line
env:
container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}"
REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}"
REGISTRY_USER: "${{ secrets.REGISTRY_USER }}"
REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}"
run: |
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"${{ env.REGISTRY }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json
echo "Building Java commandline image"
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --ignore-path=/var/mail --ignore-path=/var/spool/mail --push-retry 2 --skip-tls-verify --cache=false \
--use-new-run --snapshot-mode=redo \
--build-arg JAR_FILE=target/*.jar \
--destination="${{ env.REGISTRY }}/matihost/commandline:${{ env.IMAGE_TAG }}"
codeql-java:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: maven:3-eclipse-temurin-21
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Cache local Maven repository
uses: actions/cache@v4
with:
path: "/root/.m2/repository"
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java
queries: security-extended,security-and-quality
- name: Build Java source code
working-directory: java
run: mvn -s .mvn/settings.xml --show-version clean install
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:java"
codeql-go:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container: golang:1.22
env:
GO_CACHE: /go
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
- name: Set up cache
uses: actions/cache@v4
with:
path: |-
/go
key: "${{ runner.os }}-gopath"
# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container
- name: Install CodeQL dependencies
run: apt update && apt -y install file
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: go
queries: security-extended,security-and-quality
- name: Build Go source code
working-directory: go/learning
run: go build -buildvcs=false -mod=mod -o . ./... && go test ./pkg/language && ./language
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:go"
codeql-python:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: quay.io/matihost/ansible:root
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python
queries: security-extended,security-and-quality
- name: Build Python exchange-rate app
run: |-
make init
make build
make tests
# make install
# TODO github overrides HOME with /home/github - so if venv is stored in original HOME dir it has to be defined explicitely
/root/.venv/user/bin/pip3 install --force-reinstall .
exchange-rate
working-directory: python/apps/exchange-rate
- name: Run Ruff
run: ruff check --output-format=github .
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:python"
ansible:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: quay.io/matihost/ansible:root
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
- name: Run Ansible dictionaries playbook
run: |-
make dictionaries.yaml
working-directory: ansible/learning
rust:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: rust
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
- name: Build rust
run: make build
working-directory: rust/guessing_game
image-build-on-gcp-artifact-registry:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
if: ((inputs.runner || 'ubuntu-22.04') != 'ubuntu-22.04') && vars.GCP_PROJECT
timeout-minutes: 30
container:
image: quay.io/matihost/gh-gcp-java-kaniko
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Build Ansible image in GKE hosted runner
working-directory: k8s/images/ansible
env:
container: "kube"
GCP_PROJECT: "${{ vars.GCP_PROJECT }}"
GIT_COMMIT_HASH: "${{ needs.sources.outputs.GIT_COMMIT_HASH }}"
run: |
# remove ignore-path when fixed https://github.com/GoogleContainerTools/kaniko/issues/2214
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \
--destination="gcr.io/${{ env.GCP_PROJECT }}/ansible:${{ env.GIT_COMMIT_HASH }}"
image-build-generic-registry:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
if: vars.REGISTRY
timeout-minutes: 30
container:
image: quay.io/matihost/gh-gcp-java-kaniko
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Build Ansible image on GH hosted runner with deployment to generic image registry
working-directory: k8s/images/ansible
env:
container: "docker"
REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}"
REGISTRY_USER: "${{ secrets.REGISTRY_USER }}"
REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}"
run: |
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"${{ env.REGISTRY }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --push-retry 2 - --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \
--destination="${{ env.REGISTRY }}/matihost/ansible:${{ env.IMAGE_TAG }}"
image-build-ghcr:
needs: sources
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
timeout-minutes: 30
container:
image: quay.io/matihost/gh-gcp-java-kaniko
steps:
- name: Download sources
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}
key: sources-${{ github.run_id }}-${{ github.run_attempt }}
fail-on-cache-miss: true
enableCrossOsArchive: true
- name: Build Ansible image on GH hosted runner with deployment to GH Packages
working-directory: k8s/images/ansible
env:
container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}"
run: |
mkdir -p /kaniko/.docker
AUTH=$(echo -n ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | base64)
echo "{\"auths\": {\"ghcr.io\": {\"auth\": \"${AUTH}\"}}}" > /kaniko/.docker/config.json
/kaniko/executor -c "$(pwd)" \
-f ./Dockerfile \
--destination="ghcr.io/${{ github.repository }}/ansible:${{ env.IMAGE_TAG }}" \
--insecure --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \
--push-retry 2