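# CI workflow: lint, type-check, unit-test and build on the two Python versions
# AWS Glue supports; run the container-based Glue tests only when relevant
# files changed; and run dependency (Trivy), Dockerfile (hadolint), Makefile
# (checkmake) and configuration (Checkov) scans.
#
# Supply-chain note: most actions below are referenced by release tag. Tags
# are mutable, so for the strongest guarantee pin each `uses:` to a full-length
# commit SHA (keep the version in a trailing comment for readability) and let
# Dependabot/Renovate bump them. The three `@master`/`@main` references are the
# weakest links and are flagged individually.
name: Continuous Integration

on:
  pull_request:
    branches: ["**"]
  push:
    branches: ["main"]

# Least privilege for the automatic GITHUB_TOKEN. Jobs that do not declare
# their own `permissions` block (checks, trivy, dockerfile, checkmake) inherit
# this read-only default instead of the repository-wide default, which may be
# read/write depending on repository settings. Jobs that need more (tests,
# checkov) declare exactly what they need.
permissions:
  contents: read

# One active run per workflow + ref. A newer run cancels an in-progress run
# for PR branches only; runs on main are never cancelled so every main commit
# gets a complete result.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  checks:
    name: Check for code errors
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Glue Pythonshell supports only Python 3.9.
        # Glue ETL supports only Python 3.10.
        # Versions are quoted so YAML does not read "3.10" as the float 3.1.
        python-version: ["3.9", "3.10"]
    steps:
      - uses: actions/[email protected]
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/[email protected]
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install Poetry Action
        uses: snok/[email protected]
      - name: Set up Virtualenv Cache
        uses: actions/[email protected]
        with:
          path: .venv
          # The exact key is tied to the lockfile; `restore-keys` permits a
          # prefix match, so a venv from an older lockfile may be restored and
          # is then brought in sync by `poetry install` below.
          key: ${{ runner.os }}-python${{ matrix.python-version }}-${{ hashFiles('poetry.lock') }}
          restore-keys: ${{ runner.os }}-python${{ matrix.python-version }}-
      - name: Install Python Dependencies
        # `poetry check --lock` fails first if poetry.lock is out of sync with
        # pyproject.toml, so nothing is ever installed from an unpinned
        # resolution.
        run: |
          poetry check --lock
          poetry install
      - name: Lint code using ruff
        run: |
          poetry run ruff format . --check
          poetry run ruff check .
      - name: Check type annotations using mypy
        run: MYPYPATH=src poetry run mypy .
      - name: Check if requirements.txt is up-to-date
        # Re-export the lockfile and fail if the committed requirements.txt
        # (used by the Docker build) drifted from it.
        run: |
          poetry export --with=test --output docker/requirements.txt
          git diff --exit-code
      - name: Run tests that do not need the Glue container
        run: poetry run pytest test/test_*.py
      - name: Build python packages
        run: poetry build

  tests:
    name: Run tests in Glue container
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      # `checks: write` is what lets the test-reporter step below publish a
      # check run; nothing else in this job should need write access.
      checks: write
    steps:
      - uses: actions/[email protected]
        with:
          # Full history so the diffset step can compare against `main`.
          fetch-depth: 0
      - name: Diffset
        id: diffset
        uses: softprops/[email protected]
        with:
          base: main
          glue_files: |
            **/*.py
            docker/*
            pyproject.toml
      # Every step below is skipped unless a file matched by `glue_files`
      # changed relative to main.
      - name: Build and run tests in container
        if: steps.diffset.outputs.glue_files
        run: USER_ID=$(id -u) TARGET=coverage docker compose --file docker/docker-compose.yml run --rm glue-utils -c "pytest -p no:cacheprovider --junitxml=test-results/results.xml --cov=glue_utils --cov-report=xml"
      - name: Generate test report
        uses: dorny/[email protected]
        if: steps.diffset.outputs.glue_files
        with:
          name: Test Results
          path: test-results/results.xml
          reporter: java-junit
          fail-on-error: false
      - name: SonarCloud Scan
        if: steps.diffset.outputs.glue_files
        # TODO(security): `@master` is a mutable branch ref. Whoever controls
        # that branch controls code that runs with SONAR_TOKEN and GITHUB_TOKEN
        # in its environment. Pin to a full-length commit SHA.
        # NOTE: on `pull_request` runs from forks GitHub withholds repository
        # secrets, so SONAR_TOKEN is empty there and this step fails. That is
        # the safe trade-off; do not switch to `pull_request_target` to work
        # around it, as that would expose the secret to fork code.
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  trivy:
    name: Check dependencies for vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        # Advisory only: `continue-on-error` means a scanner crash never fails
        # the job, and with no `exit-code`/`severity` inputs Trivy exits 0 on
        # findings, so nothing here gates the build. Findings are only
        # surfaced in the step summary below. Decide deliberately whether
        # CRITICAL/HIGH findings should block merges; if so, set `exit-code`
        # and `severity` and drop `continue-on-error`.
        continue-on-error: true
        with:
          scan-type: "fs"
          scan-ref: "."
          output: "trivy.txt"
          hide-progress: true
      - name: Publish Trivy output to Summary
        # Because the scanner step cannot fail the job, a missing or empty
        # report is reported explicitly instead of silently producing no
        # summary at all.
        run: |
          if [[ -s trivy.txt ]]; then
            {
              echo "### Trivy"
              echo "<details><summary>Click to expand</summary>"
              echo ""
              echo '```'
              cat trivy.txt
              echo '```'
              echo "</details>"
            } >> "$GITHUB_STEP_SUMMARY"
          else
            {
              echo "### Trivy"
              echo "No report produced (no findings, or the scanner step did not complete - check its log)."
            } >> "$GITHUB_STEP_SUMMARY"
          fi

  dockerfile:
    name: Check Dockerfile
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: Validate Dockerfile using hadolint
        uses: hadolint/[email protected]
        with:
          dockerfile: docker/Dockerfile

  checkmake:
    name: Check Makefile
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: Check Makefile for errors
        # TODO(security): unpinned `@main` ref on a third-party action; a
        # change to that branch runs unreviewed in this job. Pin to a
        # full-length commit SHA.
        uses: Uno-Takashi/checkmake-action@main

  checkov:
    name: Run Checkov
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Required by upload-sarif to write to the code-scanning API.
      security-events: write
    steps:
      - uses: actions/[email protected]
      - name: Check code using Checkov
        # TODO(security): `@master` is a mutable branch ref; pin to a
        # full-length commit SHA.
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          quiet: true
          output_format: cli,sarif
          output_file_path: console,checkov.sarif
      - name: Upload SARIF results
        # Upload even when Checkov reported findings and failed the previous
        # step, so the results still reach the Security tab.
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: checkov.sarif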