From 21fc88a219157a6c08deea00c55198008332ac77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?=
Date: Fri, 12 Apr 2024 14:09:45 +0200
Subject: [PATCH 1/4] fix: edit update (pre)release title on success/failure

---
 .github/workflows/prerelease.yml | 18 ++++++++++++++++++
 .github/workflows/release.yml | 12 ++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 6136746..755ac6d 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -202,6 +202,12 @@ jobs:
 packageLocation: repo
 stagingRepo: true
 upgrade: false
+ - uses: actions/checkout@v4
+ - name: Update title for successful pre-release
+ env:
+ GH_TOKEN: "${{ secrets.COREINT_BOT_TOKEN }}"
+ run: |
+ gh release edit ${{ github.event.release.tag_name }} --title "${{ github.event.release.tag_name }}"

 notify-failure:
 if: ${{ always() && failure() }}
@@ -214,3 +220,15 @@ jobs:
 slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
 slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
 slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [prerelease pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})."
+
+ update-release-title-on-failure:
+ if: ${{ always() && failure() }}
+ needs: [ test-nix, test-windows, prerelease, package-win, publish-to-s3 ]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Reflect failure in pre-release title
+ env:
+ GH_TOKEN: "${{ secrets.COREINT_BOT_TOKEN }}"
+ run: |
+ gh release edit ${{ github.event.release.tag_name }} --title "${{ github.event.release.tag_name }} (pre-release-failure)"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 09ab32f..03fbe0d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
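Review bot: The new `run:` lines splice `${{ github.event.release.tag_name }}` directly into the shell command (the step added at -202, the `update-release-title-on-failure` job in the second hunk, and the same job in the release.yml hunk), so the tag is expanded before bash parses the line and any metacharacters a ref name may legally contain would be interpreted instead of passed through. Both workflows already define `TAG: ${{ github.event.release.tag_name }}` in their top-level `env:`, so the steps can read the environment variable and quote it: `gh release edit "$TAG" --title "$TAG"` and `gh release edit "$TAG" --title "$TAG (pre-release-failure)"`. The `actions/checkout@v4` step appears to exist only so `gh` can infer the repository; `GH_REPO: ${{ github.repository }}` next to `GH_TOKEN` would make that explicit and drop the checkout from a job whose only purpose is the title edit. If the bot identity is not specifically needed for this edit, the job-scoped `GITHUB_TOKEN` with `permissions: contents: write` would do the same with a narrower blast radius than a personal access token.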
@@ -70,3 +70,15 @@ jobs:
 slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
 slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
 slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [release pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})."
+
+ update-release-title-on-failure:
+ if: ${{ always() && failure() }}
+ needs: [ publish-to-s3 ]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Reflect failure in release title
+ env:
+ GH_TOKEN: "${{ secrets.COREINT_BOT_TOKEN }}"
+ run: |
+ gh release edit ${{ github.event.release.tag_name }} --title "${{ github.event.release.tag_name }} (release-failure)"

From a497f7a56f02f23b4c18bc2857a92b1603cb092c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?=
Date: Mon, 15 Apr 2024 10:44:16 +0200
Subject: [PATCH 2/4] chore: leverage reusable workflow

---
 .github/workflows/prerelease.yml | 230 +------------------------------
 .github/workflows/push_pr.yml | 119 +--------------
 .github/workflows/release.yml | 80 +---------
 3 files changed, 18 insertions(+), 411 deletions(-)

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 755ac6d..8e4c29c 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -7,228 +7,10 @@ on:
 tags:
 - 'v*'

-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- INTEGRATION: "mongodb"
- ORIGINAL_REPO_NAME: 'newrelic/nri-mongodb'
- REPO_FULL_NAME: ${{ github.event.repository.full_name }}
- TAG: ${{ github.event.release.tag_name }}
-
 jobs:
- snyk:
- name: Run security checks via snyk
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v2
- - name: Login to DockerHub
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Scan code for vulnerabilities
- env:
- SNYK_TOKEN: ${{ secrets.COREINT_SNYK_TOKEN }}
- run: make ci/snyk-test
-
- test-nix:
- name: Run unit tests on *Nix
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v2
- - name: Login to DockerHub
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Unit tests
- run: make ci/test
-
- test-windows:
- name: Run unit tests on Windows
- runs-on: windows-2022
- env:
- GOPATH: ${{ github.workspace }}
- defaults:
- run:
- working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- path: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- - name: Install Go
- uses: actions/setup-go@v3
- with:
- go-version-file: "src/github.com/${{ env.ORIGINAL_REPO_NAME }}/go.mod"
- - name: Running unit tests
- shell: pwsh
- run: |
- .\build\windows\unit_tests.ps1
-
- test-integration-nix:
- name: Run integration tests on *Nix
- runs-on: ubuntu-22.04
- defaults:
- run:
- working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- steps:
- - name: Check out code
- uses: actions/checkout@v2
- with:
- fetch-depth: 1
- path: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- - name: Install Go
- uses: actions/setup-go@v3
- with:
- go-version-file: "src/github.com/${{ env.ORIGINAL_REPO_NAME }}/go.mod"
- - name: Login to DockerHub
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Integration test
- env:
- GOPATH: ${{ github.workspace }}
- run: make integration-test
-
- prerelease:
- name: Build binary for *Nix/Win, create archives for *Nix/Win, create packages for *Nix, upload all artifacts into GH Release assets
- runs-on: ubuntu-22.04
- needs: [test-nix, test-windows, test-integration-nix, snyk]
- steps:
- - uses: actions/checkout@v2
- - name: Login to DockerHub
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Pre release
- run: make ci/prerelease
- env:
- GPG_MAIL: 'infrastructure-eng@newrelic.com'
- GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
- GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
- - name: Test package installability
- uses: newrelic/integrations-pkg-test-action/linux@v1
- with:
- tag: ${{ env.TAG }}
- integration: nri-${{ env.INTEGRATION }}
-
- package-win:
- name: Create MSI & Upload into GH Release assets
- runs-on: windows-2022
- needs: [prerelease]
- env:
- GOPATH: ${{ github.workspace }}
- PFX_CERTIFICATE_BASE64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }} # base64 encoded
- PFX_CERTIFICATE_DESCRIPTION: 'New Relic'
- PFX_PASSPHRASE: ${{ secrets.OHAI_PFX_PASSPHRASE }}
- defaults:
- run:
- working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- strategy:
- matrix:
- goarch: [amd64,386]
- test-upgrade: [true,false]
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- path: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- - name: Get PFX certificate from GH secrets
- shell: bash
- run: printf "%s" "$PFX_CERTIFICATE_BASE64" | base64 -d - > wincert.pfx
- - name: Download zip from GH Release assets and extract .exe
- shell: pwsh
- run: |
- build\windows\download_zip_extract_exe.ps1 "$env:INTEGRATION" ${{ matrix.goarch }} "$env:TAG" "$env:REPO_FULL_NAME"
- - name: Create MSI
- shell: pwsh
- run: |
- build\windows\package_msi.ps1 -integration "$env:INTEGRATION" -arch ${{ matrix.goarch }} -tag "$env:TAG" -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "$env:PFX_CERTIFICATE_DESCRIPTION"
- - name: Test win packages installation
- uses: newrelic/integrations-pkg-test-action/windows@v1
- with:
- tag: ${{ env.TAG }}
- integration: nri-${{ env.INTEGRATION }}
- arch: ${{ matrix.goarch }}
- upgrade: ${{ matrix.test-upgrade }}
- - name: Upload MSI to GH
- if: startsWith(matrix.test-upgrade, 'false')
- shell: bash
- run: |
- build/windows/upload_msi.sh ${INTEGRATION} ${{ matrix.goarch }} ${TAG}
-
- publish-to-s3:
- name: Send release assets to S3
- runs-on: ubuntu-22.04
- needs: [package-win]
- steps:
- - name: Login to DockerHub
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Publish to S3 action
- uses: newrelic/infrastructure-publish-action@v1
- env:
- AWS_S3_BUCKET_NAME: "nr-downloads-ohai-staging"
- AWS_S3_LOCK_BUCKET_NAME: "onhost-ci-lock-staging"
- with:
- disable_lock: false
- run_id: ${{ github.run_id }}
- tag: ${{env.TAG}}
- app_name: "nri-${{env.INTEGRATION}}"
- repo_name: ${{ env.ORIGINAL_REPO_NAME }}
- access_point_host: "staging"
- # 'ohi' is for integrations
- schema: "ohi"
- aws_region: "us-east-1"
- aws_role_arn: ${{ secrets.OHAI_AWS_ROLE_ARN_STAGING }}
- aws_role_session_name: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_STAGING }}
- aws_access_key_id: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_STAGING }}
- aws_secret_access_key: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_STAGING }}
- aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
- # used for locking in case of concurrent releases
- aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
- # used for signing package stuff
- gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }}
- gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }}
- - name: Test uploaded package installability
- uses: newrelic/integrations-pkg-test-action/linux@v1
- with:
- tag: ${{ env.TAG }}
- integration: nri-${{ env.INTEGRATION }}
- packageLocation: repo
- stagingRepo: true
- upgrade: false
- - uses: actions/checkout@v4
- - name: Update title for successful pre-release
- env:
- GH_TOKEN: "${{ secrets.COREINT_BOT_TOKEN }}"
- run: |
- gh release edit ${{ github.event.release.tag_name }} --title "${{ github.event.release.tag_name }}"
-
- notify-failure:
- if: ${{ always() && failure() }}
- needs: [ test-nix, test-windows, prerelease, package-win, publish-to-s3 ]
- runs-on: ubuntu-latest
- steps:
- - name: Notify failure via Slack
- uses: archive/github-actions-slack@master
- with:
- slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
- slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
- slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [prerelease pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})."
-
- update-release-title-on-failure:
- if: ${{ always() && failure() }}
- needs: [ test-nix, test-windows, prerelease, package-win, publish-to-s3 ]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Reflect failure in pre-release title
- env:
- GH_TOKEN: "${{ secrets.COREINT_BOT_TOKEN }}"
- run: |
- gh release edit ${{ github.event.release.tag_name }} --title "${{ github.event.release.tag_name }} (pre-release-failure)"
+ pre-release:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@v2
+ with:
+ tag: ${{ github.event.release.tag_name }}
+ integration: "mongodb"
+ secrets: inherit
diff --git a/.github/workflows/push_pr.yml b/.github/workflows/push_pr.yml
index a64ba61..c93694c 100644
--- a/.github/workflows/push_pr.yml
+++ b/.github/workflows/push_pr.yml
@@ -1,4 +1,4 @@
-name: Push/PR
+name: Push/PR pipeline

 on:
 push:
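Review bot: `secrets: inherit` hands every repository and organization secret to `newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@v2`, a workflow referenced by a movable tag, so anyone who can move `v2` in that repository reaches the DockerHub, GPG, PFX, AWS, Slack and bot-token secrets that the removed jobs scoped one step at a time. Pinning the reusable workflow to a full commit SHA with the tag in a trailing comment, e.g. `uses: newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@<commit-sha>  # v2`, keeps that trust decision explicit and reviewable; the same applies to the `push_pr.yml`, `release.yml`, `repolinter.yml` and `security.yml` hunks in this series. The removed jobs also carried `GPG_MAIL`, the staging bucket names and the `integrations-pkg-test-action` installability checks; presumably the reusable workflow reproduces them for `integration: "mongodb"`, but that is not visible here and is worth confirming before this file's history is the only record of those settings.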
@@ -8,116 +8,9 @@ on:
 - renovate/**
 pull_request:

-env:
- TAG: "v0.0.0" # needed for goreleaser windows builds
- REPO_FULL_NAME: ${{ github.event.repository.full_name }}
- ORIGINAL_REPO_NAME: "newrelic/nri-mongodb"
- DOCKER_LOGIN_AVAILABLE: ${{ secrets.OHAI_DOCKER_HUB_ID }}
 jobs:
- static-analysis:
- name: Run all static analysis checks
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v2
- - uses: newrelic/newrelic-infra-checkers@v1
- - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
- continue-on-error: ${{ github.event_name != 'pull_request' }}
- with:
- only-new-issues: true
- - name: Check if CHANGELOG is valid
- uses: newrelic/release-toolkit/validate-markdown@v1
-
- snyk:
- name: Run security checks via snyk
- runs-on: ubuntu-22.04
- env:
- SNYK_TOKEN: ${{ secrets.COREINT_SNYK_TOKEN }}
- steps:
- - uses: actions/checkout@v2
- - name: Login to DockerHub
- if: ${{env.DOCKER_LOGIN_AVAILABLE}}
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Scan code for vulnerabilities
- if: ${{env.SNYK_TOKEN}}
- run: make ci/snyk-test
-
- test-nix:
- name: Run unit tests on *Nix
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v2
- - name: Login to DockerHub
- if: ${{env.DOCKER_LOGIN_AVAILABLE}}
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Unit tests
- run: make ci/test
-
- test-windows:
- name: Run unit tests on Windows
- runs-on: windows-2022
- env:
- GOPATH: ${{ github.workspace }}
- defaults:
- run:
- working-directory: src/github.com/${{ env.ORIGINAL_REPO_NAME }}
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- path: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- - name: Install Go
- uses: actions/setup-go@v3
- with:
- go-version-file: "src/github.com/${{ env.ORIGINAL_REPO_NAME }}/go.mod"
- - name: Running unit tests
- shell: pwsh
- run: |
- .\build\windows\unit_tests.ps1
-
- test-integration-nix:
- name: Run integration tests on *Nix
- runs-on: ubuntu-22.04
- defaults:
- run:
- working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- steps:
- - name: Check out code
- uses: actions/checkout@v2
- with:
- fetch-depth: 1
- path: src/github.com/${{env.ORIGINAL_REPO_NAME}}
- - name: Install Go
- uses: actions/setup-go@v3
- with:
- go-version-file: "src/github.com/${{ env.ORIGINAL_REPO_NAME }}/go.mod"
- - name: Login to DockerHub
- if: ${{env.DOCKER_LOGIN_AVAILABLE}}
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Integration test
- env:
- GOPATH: ${{ github.workspace }}
- run: make integration-test
-
- test-build:
- name: Test binary compilation for all platforms:arch
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v2
- - name: Login to DockerHub
- if: ${{env.DOCKER_LOGIN_AVAILABLE}}
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Build all platforms:arch
- run: make ci/build
+ push-pr:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_push_pr.yaml@v2
+ with:
+ integration: mongodb
+ secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 03fbe0d..f974d7a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
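Review bot: The removed jobs guarded every DockerHub login with `if: ${{env.DOCKER_LOGIN_AVAILABLE}}` and the snyk scan with `if: ${{env.SNYK_TOKEN}}`, so the pipeline still ran on `pull_request` events from forks where secrets are empty; the replacement `push-pr` job passes only `secrets: inherit` and `integration: mongodb`, and nothing in this hunk shows whether `reusable_push_pr.yaml` degrades the same way when those secrets are absent. That is worth confirming with a fork pull request before merging, and recording the expectation above the job, e.g. `# NOTE: fork PRs run without secrets; confirm reusable_push_pr.yaml tolerates empty OHAI_DOCKER_HUB_ID / COREINT_SNYK_TOKEN`. The `continue-on-error: ${{ github.event_name != 'pull_request' }}` on golangci-lint and the `TAG: "v0.0.0"` goreleaser workaround are likewise now the reusable workflow's responsibility and are no longer visible from this repository.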
@@ -7,78 +7,10 @@ on:
 tags:
 - 'v*'

-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- INTEGRATION: "mongodb"
- ORIGINAL_REPO_NAME: ${{ github.event.repository.full_name }}
- TAG: ${{ github.event.release.tag_name }}
-
 jobs:
-
- publish-to-s3:
- name: Send release assets to S3
- runs-on: ubuntu-22.04
- steps:
- - name: Login to DockerHub
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
- password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- - name: Publish to S3 action
- uses: newrelic/infrastructure-publish-action@v1
- env:
- AWS_S3_BUCKET_NAME: "nr-downloads-main"
- AWS_S3_LOCK_BUCKET_NAME: "onhost-ci-lock"
- AWS_REGION: "us-east-1"
- with:
- # lock enabled
- disable_lock: false
- run_id: ${{ github.run_id }}
- tag: ${{env.TAG}}
- app_name: "nri-${{env.INTEGRATION}}"
- repo_name: ${{ env.ORIGINAL_REPO_NAME }}
- access_point_host: "production"
- # 'ohi' is for integrations
- schema: "ohi"
- aws_region: ${{ env.AWS_REGION }}
- aws_role_arn: ${{ secrets.OHAI_AWS_ROLE_ARN_PRODUCTION }}
- aws_role_session_name: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_PRODUCTION }}
- aws_access_key_id: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_PRODUCTION }}
- aws_secret_access_key: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_PRODUCTION }}
- aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
- # used for locking in case of concurrent releases
- aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
- # used for signing package stuff
- gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }}
- gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }}
- - name: Test package from prod repo
- uses: newrelic/integrations-pkg-test-action/linux@v1
- with:
- tag: ${{ env.TAG }}
- integration: 'nri-${{ env.INTEGRATION }}' # Required, with nri- prefix
- packageLocation: repo
- upgrade: false
-
- notify-failure:
- if: ${{ always() && failure() }}
- needs: [ publish-to-s3 ]
- runs-on: ubuntu-latest
- steps:
- - name: Notify failure via Slack
- uses: archive/github-actions-slack@master
- with:
- slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
- slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
- slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [release pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})."
-
- update-release-title-on-failure:
- if: ${{ always() && failure() }}
- needs: [ publish-to-s3 ]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Reflect failure in release title
- env:
- GH_TOKEN: "${{ secrets.COREINT_BOT_TOKEN }}"
- run: |
- gh release edit ${{ github.event.release.tag_name }} --title "${{ github.event.release.tag_name }} (release-failure)"
+ release:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_on_release.yaml@v2
+ with:
+ integration: mongodb
+ tag: ${{ github.event.release.tag_name }}
+ secrets: inherit

From 4df21f3c932415a72190a4df17a359083e600a68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?=
Date: Mon, 15 Apr 2024 12:39:03 +0200
Subject: [PATCH 3/4] chore: rename workflow files

---
 .github/workflows/{prerelease.yml => on_prerelease.yml} | 0
 .github/workflows/{push_pr.yml => on_push_pr.yml} | 0
 .github/workflows/{release.yml => on_release.yml} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{prerelease.yml => on_prerelease.yml} (100%)
 rename .github/workflows/{push_pr.yml => on_push_pr.yml} (100%)
 rename .github/workflows/{release.yml => on_release.yml} (100%)

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/on_prerelease.yml
similarity index 100%
rename from .github/workflows/prerelease.yml
rename to .github/workflows/on_prerelease.yml
diff --git a/.github/workflows/push_pr.yml b/.github/workflows/on_push_pr.yml
similarity index 100%
rename from .github/workflows/push_pr.yml
rename to .github/workflows/on_push_pr.yml
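Review bot: The three new caller jobs spell their inputs differently — `integration: mongodb` here and in `push_pr.yml` but `integration: "mongodb"` in `prerelease.yml`, and `tag` after `integration` here but before it in `prerelease.yml` — which makes the files harder to compare now that the one job is all each file contains. Picking one form for both release callers, e.g. `integration: "mongodb"` followed by `tag: ${{ github.event.release.tag_name }}`, would keep them identical in shape. The removed job also documented what this workflow does (`access_point_host: "production"`, `nr-downloads-main`); a one-line comment above `release:` such as `# Production publish; pipeline logic lives in coreint-automation` would preserve that context for readers who no longer see the old steps.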
diff --git a/.github/workflows/release.yml b/.github/workflows/on_release.yml
similarity index 100%
rename from .github/workflows/release.yml
rename to .github/workflows/on_release.yml

From 8590910fd98002f71af8d07fd7fc6b66910c9d61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?=
Date: Mon, 15 Apr 2024 13:03:48 +0200
Subject: [PATCH 4/4] chore: reusable missing files

---
 .github/workflows/repolinter.yml | 31 ++++-------------------
 .github/workflows/security.yml | 42 +++-----------------------------
 2 files changed, 9 insertions(+), 64 deletions(-)

diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
index acb921f..a239f6a 100644
--- a/.github/workflows/repolinter.yml
+++ b/.github/workflows/repolinter.yml
@@ -1,31 +1,10 @@
-# NOTE: This file should always be named `repolinter.yml` to allow
 # workflow_dispatch to work properly
 name: Repolinter Action

-# NOTE: This workflow will ONLY check the default branch!
-# Currently there is no elegant way to specify the default
-# branch in the event filtering, so branches are instead
-# filtered in the "Test Default Branch" step.
-on: [push, workflow_dispatch]
+on:
+ push:
+ workflow_dispatch:

 jobs:
- repolint:
- name: Run Repolinter
- runs-on: ubuntu-latest
- steps:
- - name: Test Default Branch
- id: default-branch
- uses: actions/github-script@v2
- with:
- script: |
- const data = await github.repos.get(context.repo)
- return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
- - name: Checkout Self
- if: ${{ steps.default-branch.outputs.result == 'true' }}
- uses: actions/checkout@v2
- - name: Run Repolinter
- if: ${{ steps.default-branch.outputs.result == 'true' }}
- uses: newrelic/repolinter-action@v1
- with:
- config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-plus.yml
- output_type: issue
+ repolinter:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_repolinter.yaml@v2
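Review bot: Deleting only the first line of the two-line header comment leaves `# workflow_dispatch to work properly` as an orphaned fragment at the top of `repolinter.yml`; either drop that line as well or restore the full sentence, `# NOTE: This file should always be named \`repolinter.yml\` to allow` / `# workflow_dispatch to work properly`, since the naming constraint it describes still applies to the retained `workflow_dispatch:` trigger. The removed `Test Default Branch` step restricted the run to the default branch, while the new `on: push:` carries no branch filter, so the reusable workflow is now invoked on every push to every branch unless `reusable_repolinter.yaml` filters internally, which this hunk cannot show; adding `branches: [<default-branch>]` under `push:` would keep the earlier behaviour explicit in this file.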
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index fad9a8d..185f20e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -11,41 +11,7 @@ on:
 - cron: "0 3 * * *"

 jobs:
- trivy:
- name: Trivy security scan
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@0.12.0
- if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically
- with:
- scan-type: fs
- ignore-unfixed: true
- exit-code: 1
- severity: 'HIGH,CRITICAL'
- skip-dirs: 'build'
- # test private key
- skip-files: 'tests/integration/tls_cert/redis.key'
-
- - name: Run Trivy vulnerability scanner sarif output
- uses: aquasecurity/trivy-action@0.12.0
- if: ${{ github.event.schedule }} # Generate sarif when running periodically
- with:
- scan-type: fs
- ignore-unfixed: true
- severity: 'HIGH,CRITICAL'
- format: 'template'
- template: '@/contrib/sarif.tpl'
- output: 'trivy-results.sarif'
- skip-dirs: 'build'
- # test private key
- skip-files: 'tests/integration/tls_cert/redis.key'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: ${{ github.event.schedule }} # Upload sarif when running periodically
- with:
- sarif_file: 'trivy-results.sarif'
+ security:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_security.yaml@v2
+ with:
+ skip-dirs: "build"
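Review bot: The replacement passes only `skip-dirs: "build"` to `reusable_security.yaml@v2` and drops the `skip-files: 'tests/integration/tls_cert/redis.key'` exclusion (and its `# test private key` comment) that both removed Trivy steps carried. If that test key still exists in this repository and the reusable workflow exposes no equivalent input, the scheduled scan will start reporting it; if the file never existed here (the `redis.key` name suggests the exclusion was copied from another integration), the removal is correct but deserves a sentence in the commit message so the next reader does not re-add it. The removed steps also fixed `aquasecurity/trivy-action@0.12.0`, `exit-code: 1` and `severity: 'HIGH,CRITICAL'` for the inline run; those choices now live in the reusable workflow, which is referenced by the movable `v2` tag discussed on the `prerelease.yml` hunk.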