-
Notifications
You must be signed in to change notification settings - Fork 0
122 lines (109 loc) · 4.43 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# This is a basic workflow to help you get started with Actions
name: CI-MAIN
# Controls when the action will run.
on:
# Triggers the workflow on push or pull request events but only for the master branch
push:
branches: [master]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
test:
# The type of runner that the job will run on
if: "!contains(github.event.head_commit.message, '[skip ci]')"
runs-on: ubuntu-latest
name: Python ${{ matrix.python-version }}
strategy:
matrix:
python-version: [ "3.7", "3.8", "3.9", "3.10"]
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- uses: actions/checkout@v2
- name: Setup python
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
architecture: x64
- run: ./tools/ci/tests.sh
coverage:
if: "!contains(github.event.head_commit.message, '[skip ci]')"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup python
uses: actions/setup-python@v2
with:
python-version: '3.7'
architecture: x64
- run: ./tools/ci/coverage.sh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
deploy:
needs: test
if: "!contains(github.event.head_commit.message, '[skip ci]')"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
token: ${{ secrets.GH_TOKEN }}
- name: Setup python
uses: actions/setup-python@v2
with:
python-version: '3.7'
architecture: x64
- run: ./tools/ci/github.sh
env:
GH_TOKEN: '${{ secrets.GH_TOKEN }}'
- name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@master
with:
user: __token__
password: ${{ secrets.PYPI_TOKEN }}
- name: set version
run: echo version=`python setup.py --version`>> $GITHUB_ENV
- name: Install Trivy
run: |
wget https://github.com/aquasecurity/trivy/releases/download/v0.43.0/trivy_0.43.0_Linux-64bit.deb
sudo dpkg -i trivy_0.43.0_Linux-64bit.deb
- name: Run Trivy license scan on filesystem
run: trivy fs /home/runner/work --scanners license --license-full --severity 'HIGH,CRITICAL' > trivy_license_filesystem.txt
- name: Run Trivy vulnerability scanner on the repo
run: trivy fs /home/runner/work --severity 'HIGH,CRITICAL' --format sarif --output trivy_vulnerability.sarif
- name: Upload Trivy vulnerability scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy_vulnerability.sarif'
- name: Create branch for scan results
run: |
git config --global user.email "[email protected]"
git config --global user.name "GitHub Action"
existed_in_remote=$(git ls-remote --heads origin trivy-scan-results)
if [[ ${existed_in_remote} ]]; then
echo "branch exists in remote"
git fetch origin trivy-scan-results
echo "branch fetched"
git checkout trivy-scan-results
echo "origin branch swapped"
else
git checkout -b trivy-scan-results
echo "new branch swapped"
fi
mkdir -p TrivyScans
TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")
echo "$TIMESTAMP" > ScanTimeStamp.txt
cp ScanTimeStamp.txt TrivyScans/
cp trivy_license_filesystem.txt TrivyScans/
git add TrivyScans/trivy_license_filesystem.txt
git add TrivyScans/ScanTimeStamp.txt
git commit -m "Add trivy scan result files to the folder 'TrivyScans'"
git push origin trivy-scan-results
- name: Display branch and file path link
run: echo "Results uploaded to [trivy-scan-results branch](https://github.com/$GITHUB_REPOSITORY/tree/trivy-scan-results/TrivyScans/)"
- name: trigger artifacts registry
uses: octokit/[email protected]
with:
route: POST /repos/kube-HPC/artifacts-registry/dispatches
event_type: trigger
client_payload: "{\"version\": \"${{env.version}}\" , \"wrapper\": \"python\" , \"action\": \"dev-version\" }"
env:
GITHUB_TOKEN: '${{ secrets.GH_TOKEN }}'