Run SAST checks in CI #5820
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Build, test and push InvenTree docker image | |
# This workflow runs under any of the following conditions: | |
# | |
# - Push to the master branch | |
# - Publish release | |
# | |
# The following actions are performed: | |
# | |
# - Check that the version number matches the current branch or tag | |
# - Build the InvenTree docker image | |
# - Run suite of unit tests against the build image | |
# - Push the compiled, tested image to dockerhub | |
name: Docker | |
on: | |
release: | |
types: [published] | |
push: | |
branches: | |
- "master" | |
pull_request: | |
branches: | |
- "master" | |
permissions: | |
contents: read | |
jobs: | |
paths-filter: | |
permissions: | |
contents: read # for dorny/paths-filter to fetch a list of changed files | |
pull-requests: read # for dorny/paths-filter to read pull requests | |
name: Filter | |
runs-on: ubuntu-latest | |
outputs: | |
docker: ${{ steps.filter.outputs.docker }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected] | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # [email protected] | |
id: filter | |
with: | |
filters: | | |
docker: | |
- .github/workflows/docker.yaml | |
- contrib/container/** | |
- src/backend/InvenTree/InvenTree/settings.py | |
- src/backend/requirements.txt | |
- tasks.py | |
# Build the docker image | |
build: | |
needs: paths-filter | |
if: needs.paths-filter.outputs.docker == 'true' || github.event_name == 'release' || github.event_name == 'push' | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
python_version: "3.11" | |
runs-on: ubuntu-latest # in the future we can try to use alternative runners here | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected] | |
- name: Set Up Python ${{ env.python_version }} | |
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # [email protected] | |
with: | |
python-version: ${{ env.python_version }} | |
- name: Version Check | |
run: | | |
pip install --require-hashes -r contrib/dev_reqs/requirements.txt | |
python3 .github/scripts/version_check.py | |
echo "git_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
echo "git_commit_date=$(git show -s --format=%ci)" >> $GITHUB_ENV | |
- name: Test Docker Image | |
id: test-docker | |
run: | | |
docker build . --target production --tag inventree-test -f contrib/container/Dockerfile | |
docker run --rm inventree-test invoke --version | |
docker run --rm inventree-test invoke --list | |
docker run --rm inventree-test gunicorn --version | |
docker run --rm inventree-test pg_dump --version | |
docker run --rm inventree-test test -f /home/inventree/init.sh | |
docker run --rm inventree-test test -f /home/inventree/tasks.py | |
docker run --rm inventree-test test -f /home/inventree/gunicorn.conf.py | |
docker run --rm inventree-test test -f /home/inventree/src/backend/requirements.txt | |
docker run --rm inventree-test test -f /home/inventree/src/backend/InvenTree/manage.py | |
- name: Build Docker Image | |
# Build the development docker image (using docker-compose.yml) | |
run: docker compose --project-directory . -f contrib/container/dev-docker-compose.yml build --no-cache | |
- name: Update Docker Image | |
run: | | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml run inventree-dev-server invoke install | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml run inventree-dev-server invoke update | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml run inventree-dev-server invoke setup-dev | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml up -d | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml run inventree-dev-server invoke wait | |
- name: Check Data Directory | |
# The following file structure should have been created by the docker image | |
run: | | |
test -d data | |
test -d data/env | |
test -d data/pgdb | |
test -d data/media | |
test -d data/static | |
test -d data/plugins | |
test -f data/config.yaml | |
test -f data/plugins.txt | |
test -f data/secret_key.txt | |
- name: Run Unit Tests | |
run: | | |
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> contrib/container/docker.dev.env | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml run --rm inventree-dev-server invoke test --disable-pty | |
- name: Run Migration Tests | |
run: | | |
docker compose --project-directory . -f contrib/container/dev-docker-compose.yml run --rm inventree-dev-server invoke test --migrations | |
- name: Clean up test folder | |
run: | | |
rm -rf InvenTree/_testfolder | |
- name: Set up QEMU | |
if: github.event_name != 'pull_request' | |
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # [email protected] | |
- name: Set up Docker Buildx | |
if: github.event_name != 'pull_request' | |
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # [email protected] | |
- name: Set up cosign | |
if: github.event_name != 'pull_request' | |
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # [email protected] | |
- name: Check if Dockerhub login is required | |
id: docker_login | |
run: | | |
if [ -z "${{ secrets.DOCKER_USERNAME }}" ]; then | |
echo "skip_dockerhub_login=true" >> $GITHUB_ENV | |
else | |
echo "skip_dockerhub_login=false" >> $GITHUB_ENV | |
fi | |
- name: Login to Dockerhub | |
if: github.event_name != 'pull_request' && steps.docker_login.outputs.skip_dockerhub_login != 'true' | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # [email protected] | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Log into registry ghcr.io | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # [email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract Docker metadata | |
if: github.event_name != 'pull_request' | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # [email protected] | |
with: | |
images: | | |
inventree/inventree | |
ghcr.io/${{ github.repository }} | |
- name: Push Docker Images | |
id: push-docker | |
if: github.event_name != 'pull_request' | |
uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # [email protected] | |
with: | |
context: . | |
file: ./contrib/container/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
sbom: true | |
provenance: false | |
target: production | |
tags: ${{ env.docker_tags }} | |
build-args: | | |
commit_hash=${{ env.git_commit_hash }} | |
commit_date=${{ env.git_commit_date }} |