CI #423
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: 'CI' | |
on: | |
push: | |
branches: | |
- main | |
- feature/* | |
pull_request: | |
branches: | |
- main | |
- feature/* | |
workflow_dispatch: | |
# Inputs are only available for workflow_dispatch - the default is not available for other type of triggers | |
# https://dev.to/mrmike/github-action-handling-input-default-value-5f2g | |
inputs: | |
runner: | |
description: 'Runner type' | |
required: true | |
default: 'ubuntu-22.04' | |
type: choice | |
options: | |
- ubuntu-22.04 | |
- matihost | |
schedule: | |
- cron: '27 20 * * 0' | |
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
permissions: | |
actions: read | |
contents: read | |
packages: write | |
security-events: write | |
concurrency: | |
group: ci-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
IMAGE_TAG: "${{ github.ref == 'refs/heads/main' && 'latest' || github.sha }}" | |
jobs: | |
sources: | |
name: Checkout sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 5 | |
container: | |
image: maven:3-eclipse-temurin-21 | |
outputs: | |
GIT_COMMIT_HASH: ${{ steps.git_hash.outputs.GIT_COMMIT_HASH }} | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
# Workaround for https://github.com/actions/runner/issues/2033 | |
- name: Set ownership | |
run: | | |
chown -R $(id -u):$(id -g) $PWD | |
- name: Obtain git version | |
id: git_hash | |
run: | | |
echo "GIT_COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT | |
- name: Cache workspace | |
uses: actions/cache/save@v4 | |
with: | |
# avoid using github.workspace in caching? | |
# so how effectivelly share source code between jobs? | |
# https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache | |
# artifacts? | |
# cleaning artifacts after workflow requires custom, non standard action: | |
# https://github.com/marketplace/actions/delete-artifact | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
enableCrossOsArchive: true | |
java: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: maven:3-eclipse-temurin-21 | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Cache local Maven repository | |
uses: actions/cache@v4 | |
with: | |
# TODO reading from MAVEN_CONFIG env did not work here | |
path: "/root/.m2/repository" | |
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-maven- | |
# Do not use actions/setup-java@v3 cache option as it requires downloading java again, but container image contains java already | |
# Use actions/cache to cache M2 repository manually instead | |
# | |
# - name: Set up JDK 21 | |
# uses: actions/setup-java@v3 | |
# with: | |
# java-version: '21' | |
# distribution: 'adopt' | |
# cache: maven | |
- name: Build Java source code | |
working-directory: java | |
run: mvn -s .mvn/settings.xml --show-version clean install | |
- name: Archive app jars artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: app-jars | |
path: java/apps/**/target/*.jar | |
retention-days: 2 | |
- name: Cache java build sources | |
uses: actions/cache/save@v4 | |
with: | |
path: ${{ github.workspace }}/java | |
key: java-${{ github.run_id }}-${{ github.run_attempt }} | |
enableCrossOsArchive: true | |
java-image-mq-app: | |
needs: java | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/gh-gcp-java-kaniko | |
steps: | |
- name: Download java build sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }}/java | |
key: java-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Build Java mq client image | |
working-directory: java/apps/mq/client | |
env: | |
container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}" | |
REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}" | |
REGISTRY_USER: "${{ secrets.REGISTRY_USER }}" | |
REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}" | |
run: | | |
mkdir -p /kaniko/.docker | |
echo "{\"auths\":{\"${{ env.REGISTRY }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json | |
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --ignore-path=/var/mail --ignore-path=/var/spool/mail --push-retry 2 --skip-tls-verify --cache=false \ | |
--use-new-run --snapshot-mode=redo \ | |
--build-arg JAR_FILE=target/*.jar \ | |
--destination="${{ env.REGISTRY }}/matihost/mq/basic-client:${{ env.IMAGE_TAG }}" | |
java-image-cmdline: | |
needs: java | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/gh-gcp-java-kaniko | |
steps: | |
- name: Download java build sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }}/java | |
key: java-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Build Java command-line image | |
working-directory: java/apps/command-line | |
env: | |
container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}" | |
REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}" | |
REGISTRY_USER: "${{ secrets.REGISTRY_USER }}" | |
REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}" | |
run: | | |
mkdir -p /kaniko/.docker | |
echo "{\"auths\":{\"${{ env.REGISTRY }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json | |
echo "Building Java commandline image" | |
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --ignore-path=/var/mail --ignore-path=/var/spool/mail --push-retry 2 --skip-tls-verify --cache=false \ | |
--use-new-run --snapshot-mode=redo \ | |
--build-arg JAR_FILE=target/*.jar \ | |
--destination="${{ env.REGISTRY }}/matihost/commandline:${{ env.IMAGE_TAG }}" | |
codeql-java: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: maven:3-eclipse-temurin-21 | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Cache local Maven repository | |
uses: actions/cache@v4 | |
with: | |
path: "/root/.m2/repository" | |
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-maven- | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: java | |
queries: security-extended,security-and-quality | |
- name: Build Java source code | |
working-directory: java | |
run: mvn -s .mvn/settings.xml --show-version clean install | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:java" | |
codeql-go: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: golang:1.22 | |
env: | |
GO_CACHE: /go | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
- name: Set up cache | |
uses: actions/cache@v4 | |
with: | |
path: |- | |
/go | |
key: "${{ runner.os }}-gopath" | |
# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container | |
- name: Install CodeQL dependencies | |
run: apt update && apt -y install file | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: go | |
queries: security-extended,security-and-quality | |
- name: Build Go source code | |
working-directory: go/learning | |
run: go build -buildvcs=false -mod=mod -o . ./... && go test ./pkg/language && ./language | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:go" | |
codeql-python: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/ansible:root | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: python | |
queries: security-extended,security-and-quality | |
- name: Build Python exchange-rate app | |
run: |- | |
make init | |
make build | |
make tests | |
# make install | |
# TODO github overrides HOME with /home/github - so if venv is stored in original HOME dir it has to be defined explicitely | |
/root/.venv/user/bin/pip3 install --force-reinstall . | |
exchange-rate | |
working-directory: python/apps/exchange-rate | |
- name: Run Ruff | |
run: ruff check --output-format=github . | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:python" | |
ansible: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/ansible:root | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
- name: Run Ansible dictionaries playbook | |
run: |- | |
make dictionaries.yaml | |
working-directory: ansible/learning | |
rust: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: rust | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
- name: Build rust | |
run: make build | |
working-directory: rust/guessing_game | |
image-build-on-gcp-artifact-registry: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
if: ((inputs.runner || 'ubuntu-22.04') != 'ubuntu-22.04') && vars.GCP_PROJECT | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/gh-gcp-java-kaniko | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Build Ansible image in GKE hosted runner | |
working-directory: k8s/images/ansible | |
env: | |
container: "kube" | |
GCP_PROJECT: "${{ vars.GCP_PROJECT }}" | |
GIT_COMMIT_HASH: "${{ needs.sources.outputs.GIT_COMMIT_HASH }}" | |
run: | | |
# remove ignore-path when fixed https://github.com/GoogleContainerTools/kaniko/issues/2214 | |
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \ | |
--destination="gcr.io/${{ env.GCP_PROJECT }}/ansible:${{ env.GIT_COMMIT_HASH }}" | |
image-build-generic-registry: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
if: vars.REGISTRY | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/gh-gcp-java-kaniko | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Build Ansible image on GH hosted runner with deployment to generic image registry | |
working-directory: k8s/images/ansible | |
env: | |
container: "docker" | |
REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}" | |
REGISTRY_USER: "${{ secrets.REGISTRY_USER }}" | |
REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}" | |
run: | | |
mkdir -p /kaniko/.docker | |
echo "{\"auths\":{\"${{ env.REGISTRY }}\":{\"username\":\"${{ env.REGISTRY_USER }}\",\"password\":\"${{ env.REGISTRY_PASSWORD }}\"}}}" > /kaniko/.docker/config.json | |
/kaniko/executor -f ./Dockerfile -c "$(pwd)" --insecure --push-retry 2 - --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \ | |
--destination="${{ env.REGISTRY }}/matihost/ansible:${{ env.IMAGE_TAG }}" | |
image-build-ghcr: | |
needs: sources | |
runs-on: ${{ inputs.runner || 'ubuntu-22.04' }} | |
timeout-minutes: 30 | |
container: | |
image: quay.io/matihost/gh-gcp-java-kaniko | |
steps: | |
- name: Download sources | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }} | |
key: sources-${{ github.run_id }}-${{ github.run_attempt }} | |
fail-on-cache-miss: true | |
enableCrossOsArchive: true | |
- name: Build Ansible image on GH hosted runner with deployment to GH Packages | |
working-directory: k8s/images/ansible | |
env: | |
container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}" | |
run: | | |
mkdir -p /kaniko/.docker | |
AUTH=$(echo -n ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | base64) | |
echo "{\"auths\": {\"ghcr.io\": {\"auth\": \"${AUTH}\"}}}" > /kaniko/.docker/config.json | |
/kaniko/executor -c "$(pwd)" \ | |
-f ./Dockerfile \ | |
--destination="ghcr.io/${{ github.repository }}/ansible:${{ env.IMAGE_TAG }}" \ | |
--insecure --skip-tls-verify --cache=true --ignore-path=/var/mail --ignore-path=/var/spool/mail \ | |
--push-retry 2 |