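# CI pipeline: lint -> test -> integration / security -> docker -> sbom.
# Third-party actions below are pinned to tags only; for supply-chain
# hardening pin each `uses:` to a full commit SHA (e.g.
# `owner/action@<COMMIT_SHA>  # vX.Y.Z`) and let Dependabot/Renovate bump them.
name: CI

on:
  pull_request:
    branches: [main, AION]
  push:
    branches: [main, AION]

# Least privilege by default: the GITHUB_TOKEN is read-only for every job
# unless a job widens it explicitly.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          # NOTE(review): `cache: pip` needs a dependency file to hash; the
          # guarded `pip install -r requirements.txt` below suggests the file
          # may be absent — confirm it exists on both branches.
          cache: 'pip'
      # NOTE(review): no step in this job runs npm; keep only if the console
      # lint/build is intended to be added here.
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: console/package-lock.json
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install python deps
        # Only ruff is used in this job; bandit and pytest are installed in
        # the jobs that run them.
        run: |
          python -m pip install --upgrade pip
          pip install ruff
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
      - name: Python lint
        run: ruff check .
      - name: Rust lint
        run: cargo clippy --manifest-path rust-runtime/Cargo.toml --all-targets -- -D warnings
      - name: Conventional commits (PR title)
        if: github.event_name == 'pull_request'
        # The PR title is user-controlled. Passing it through `env:` keeps it
        # out of the shell script text, so it is handled as data rather than
        # being interpolated into the command (script-injection hardening).
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf '%s\n' "$PR_TITLE" | grep -E '^(feat|fix|chore|docs|refactor|test|ci|perf|build|revert)(\(.+\))?!?: .+'

  test:
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - uses: dtolnay/rust-toolchain@stable
      - name: Install test deps
        run: |
          python -m pip install --upgrade pip
          pip install pytest
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
      - name: Unit and architecture tests
        run: pytest -q tests/
      - name: Rust tests
        run: cargo test --manifest-path rust-runtime/Cargo.toml --all-targets

  integration:
    runs-on: ubuntu-latest
    needs: test
    services:
      redis:
        image: redis:7
        ports: ['6379:6379']
    steps:
      - uses: actions/checkout@v4
      - name: Integration tests
        # Skip only when the directory is missing. The previous
        # `pytest ... || echo ...` form also masked genuine test failures,
        # turning every red integration run green.
        run: |
          if [ -d tests/integration ]; then
            pytest -q tests/integration
          else
            echo "No integration tests yet"
          fi

  security:
    runs-on: ubuntu-latest
    needs: lint
    # No step in this job uploads SARIF, so `security-events: write` is not
    # needed; re-add it (and a SARIF upload step) when scanner output is
    # sent to code scanning.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - uses: dtolnay/rust-toolchain@stable
      - name: Bandit
        run: |
          python -m pip install --upgrade pip
          pip install bandit
          bandit -r . -x tests
      - name: Cargo audit
        run: |
          cargo install cargo-audit --locked
          cargo audit --manifest-path rust-runtime/Cargo.toml
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: fs
          scan-ref: .
          # Fail the job on high/critical findings so this scan gates like
          # bandit and cargo-audit do, instead of only logging results.
          severity: CRITICAL,HIGH
          exit-code: '1'

  docker:
    runs-on: ubuntu-latest
    needs: [test, security]
    strategy:
      matrix:
        platform: [linux/amd64, linux/arm64]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - name: Build compose image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile
          # Build-only: nothing is pushed, so no registry credentials are
          # needed in this workflow.
          push: false
          platforms: ${{ matrix.platform }}
          tags: omertaos:${{ github.sha }}

  sbom:
    runs-on: ubuntu-latest
    needs: docker
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        # NOTE(review): this scans the source tree (`path: .`), not the image
        # built in the docker job — fine for a source SBOM, but an image SBOM
        # would need the image to be loaded or pushed first.
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json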