[DT-1122] Apply zizmor suggestions #2445

Merged 1 commit on Jan 10, 2025
25 changes: 15 additions & 10 deletions .github/workflows/build.yaml
Expand Up @@ -22,6 +22,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Get Short Sha
id: short-sha
run: echo "sha=$(git rev-parse --short=12 HEAD)" >> $GITHUB_OUTPUT
Expand All @@ -30,23 +32,23 @@ jobs:
- name: Construct tags
id: construct-tags
run: |
SHA_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.short-sha.outputs.sha }}"
SHA_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:${SHORT_SHA}"
ENVIRONMENT_TAG=""
if ${{ github.event_name == 'pull_request'}}; then
ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:pr-${{ steps.short-sha.outputs.sha }}"
ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:pr-${SHORT_SHA}"
elif ${{github.event_name == 'push' }}; then
ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:dev"
fi
echo "sha-tag=$SHA_TAG" >> $GITHUB_OUTPUT
echo "environment-tag=$ENVIRONMENT_TAG" >> $GITHUB_OUTPUT
env:
SHORT_SHA: ${{ steps.short-sha.outputs.sha }}
- name: Build Image
run: |
docker build \
-t ${{ steps.construct-tags.outputs.sha-tag }} \
-t ${{ steps.construct-tags.outputs.environment-tag }} \
.
- name: Log Github Actor
run: echo "${{ github.actor }}"
Contributor:
Why don't we need this Log Github Actor part anymore?

Contributor:
Actors are logged in the action runs so it isn't necessary to write this to the logs.

docker build -t "${SHA_TAG}" -t "${ENVIRONMENT_TAG}" .
env:
SHA_TAG: ${{ steps.construct-tags.outputs.sha-tag }}
ENVIRONMENT_TAG: ${{ steps.construct-tags.outputs.environment-tag }}
- id: 'auth'
if: github.actor != 'dependabot[bot]'
name: 'Authenticate to Google Cloud'
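Review bot: In the Build Image step, `docker build -t "${SHA_TAG}" -t "${ENVIRONMENT_TAG}" .` passes an empty string to the second `-t` whenever the run is neither a `pull_request` nor a `push`, because Construct tags leaves `ENVIRONMENT_TAG=""` in that case and an empty tag is not a valid image reference. Either fail early in Construct tags when no branch matches, or add the second `-t` only when the variable is non-empty. The two `if ${{ github.event_name == ... }}; then` lines also still expand a template inside the script; passing `github.event_name` through `env:` and testing it with `[ "$EVENT_NAME" = "pull_request" ]` would finish the conversion this step started.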
Expand All @@ -59,8 +61,11 @@ jobs:
if: github.actor != 'dependabot[bot]'
run: |
gcloud auth configure-docker --quiet
docker push ${{ steps.construct-tags.outputs.sha-tag }}
docker push ${{ steps.construct-tags.outputs.environment-tag }}
docker push "${SHA_TAG}"
docker push "${ENVIRONMENT_TAG}"
env:
SHA_TAG: ${{ steps.construct-tags.outputs.sha-tag }}
ENVIRONMENT_TAG: ${{ steps.construct-tags.outputs.environment-tag }}
report-to-sherlock:
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [ tag-build-push ]
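Review bot: The `report-to-sherlock` job in the trailing context calls `broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main`, a reusable workflow referenced by branch, so whatever lands on `main` there runs in this pipeline on the next build. Since this change is about hardening the workflows, pin that reference to a full commit SHA and keep the branch or version name in a trailing comment.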
29 changes: 20 additions & 9 deletions .github/workflows/consumer_contract_tests.yaml
Expand Up @@ -26,10 +26,11 @@ jobs:
outputs:
sha-short: ${{ steps.extract-branch.outputs.sha-short }}
pact-b64: ${{ steps.encode-pact.outputs.pact-b64 }}

steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
Expand All @@ -39,11 +40,11 @@ jobs:
run: |
GITHUB_EVENT_NAME=${{ github.event_name }}
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
GITHUB_REF=${{ github.ref }}
GITHUB_SHA=${{ github.sha }}
GITHUB_REF="${GITHUB_DEFAULT_REF}"
GITHUB_SHA="${GITHUB_DEFAULT_SHA}"
elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
GITHUB_REF=refs/heads/${{ github.head_ref }}
GITHUB_SHA=${{ github.event.pull_request.head.sha }}
GITHUB_REF="refs/heads/${GITHUB_HEAD_REF}"
GITHUB_SHA="${GITHUB_HEAD_SHA}"
else
echo "Failed to extract branch information"
exit 1
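Review bot: The first line of this script, `GITHUB_EVENT_NAME=${{ github.event_name }}`, is still an unquoted template expansion inside `run:`. The runner already exports `GITHUB_EVENT_NAME`, so the assignment can be deleted and the `[[ "$GITHUB_EVENT_NAME" == "push" ]]` test keeps working unchanged. The branches also assign to `GITHUB_REF` and `GITHUB_SHA`, which are runner-provided names; local names for the computed values would make it clear which value later lines read.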
Expand All @@ -52,13 +53,23 @@ jobs:
echo "sha=$GITHUB_SHA" >> $GITHUB_OUTPUT
echo "sha-short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "branch=${GITHUB_REF/refs\/heads\//""}" >> $GITHUB_OUTPUT
env:
GITHUB_DEFAULT_SHA: ${{ github.sha }}
GITHUB_DEFAULT_REF: ${{ github.ref }}
GITHUB_HEAD_REF: ${{ github.head_ref }}
GITHUB_HEAD_SHA: ${{ github.event.pull_request.head.sha }}

- name: Echo branch information
run: |
echo ${{ steps.extract-branch.outputs.ref }}
echo ${{ steps.extract-branch.outputs.sha }}
echo ${{ steps.extract-branch.outputs.sha-short }}
echo ${{ steps.extract-branch.outputs.branch }}
echo "${BRANCH_REF}"
echo "${BRANCH_SHA}"
echo "${BRANCH_SHA_SHORT}"
echo "${BRANCH_NAME}"
env:
BRANCH_REF: ${{ steps.extract-branch.outputs.ref }}
BRANCH_SHA: ${{ steps.extract-branch.outputs.sha }}
BRANCH_SHA_SHORT: ${{ steps.extract-branch.outputs.sha-short }}
BRANCH_NAME: ${{ steps.extract-branch.outputs.branch }}

- name: Run consumer tests
run: mvn clean test -Ppact-tests
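Review bot: In the new `env:` block of the extract step, `GITHUB_HEAD_REF: ${{ github.head_ref }}` redefines a variable the runner already sets to the same value, and `GITHUB_DEFAULT_SHA`, `GITHUB_DEFAULT_REF` and `GITHUB_HEAD_SHA` read like runner defaults although they are defined here. A clearly local prefix for these four would remove the ambiguity. Separately, `sha-short` is taken from `git rev-parse --short HEAD` while `sha` on pull requests is `github.event.pull_request.head.sha`; the checkout step in this file sets no `ref`, so on a pull request HEAD is the merge commit and the two outputs can name different commits. Deriving `sha-short` from the same value written to `sha` would keep them consistent.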
2 changes: 2 additions & 0 deletions .github/workflows/coverage.yaml
Expand Up @@ -19,6 +19,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
2 changes: 2 additions & 0 deletions .github/workflows/maven.yaml
Expand Up @@ -7,6 +7,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
2 changes: 2 additions & 0 deletions .github/workflows/semgrep.yml
Expand Up @@ -8,4 +8,6 @@ jobs:
name: Check
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- run: semgrep ci --config=p/findsecbugs
11 changes: 9 additions & 2 deletions .github/workflows/smoke-tests.yaml
Expand Up @@ -18,9 +18,14 @@ jobs:
- name: setup
id: setup
run:
echo "bee-name=${{ github.event.repository.name }}-${{ github.run_id }}-dev" >> $GITHUB_OUTPUT
echo "bee-name=${REPO_NAME}-${RUN_ID}-dev" >> $GITHUB_OUTPUT
env:
REPO_NAME: ${{ github.event.repository.name }}
RUN_ID: ${{ github.run_id }}
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
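Review bot: The `setup` step keeps a bare `run:` with the command on the following line and writes to an unquoted `$GITHUB_OUTPUT`. Now that the step also carries an `env:` block, switching to `run: |` and `>> "$GITHUB_OUTPUT"` would match the quoting applied to the other steps in this change and make the step easier to extend with a second command.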
Expand All @@ -36,7 +41,9 @@ jobs:
inputs: '{ "bee-name": "${{ steps.setup.outputs.bee-name }}", "bee-template-name": "duos", "version-template": "dev" }'
- name: Run Smoke Tests
run: |
mvn clean test -P integration-tests -DbaseUrl=https://consent.${{ steps.setup.outputs.bee-name }}.bee.envs-terra.bio/
mvn clean test -P integration-tests -DbaseUrl="https://consent.${BEE_NAME}.bee.envs-terra.bio/"
env:
BEE_NAME: ${{ steps.setup.outputs.bee-name }}
- name: Store Test Result Artifact
uses: actions/upload-artifact@v4
if: always()
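Review bot: The `inputs:` line at the top of this hunk still builds JSON by pasting `${{ steps.setup.outputs.bee-name }}` between hand-written quotes. It is an action input rather than a shell script, so the `env:` indirection used for the `mvn` command does not apply, but a value containing a double quote would yield malformed JSON. A short comment noting that `bee-name` is always the repository name, the run id and `-dev` would document why the splice is acceptable here.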
2 changes: 2 additions & 0 deletions .github/workflows/trivy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: broadinstitute/dsp-appsec-trivy-action@v1