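---
# Builds one container image per service directory (any top-level directory
# holding a Dockerfile, except TEMPLATE and al-service-with-py11), runs the
# service tests when that directory changed in the pushed range, pushes images
# whose VERSION has not been published yet, and cuts a GitHub release listing
# the images that were pushed.
name: build-containers
run-name: Building service containers
on:
  push:

env:
  BASE_IMAGE: cccs/assemblyline-v4-service-base:4.5.stable
  REGISTRY: ghcr.io
  PUSH_REGISTRY: ghcr.io
  # Tag prefix; the service's VERSION file content is appended to it.
  BASE_TAG: "4.5.0.stable"
  MANIFEST_REGISTRY: ghcr.io/

jobs:
  discover-services:
    runs-on: ubuntu-latest
    # This job only reads the tree; it needs neither package nor write access.
    permissions:
      contents: read
    outputs:
      services: ${{ steps.services.outputs.services }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Discover directories with Dockerfiles
        id: services
        # Emits a compact JSON array of top-level directory names, e.g.
        # ["ASTGrep","Other"]. `sort -u` runs after `cut` so that several
        # nested Dockerfiles under one service collapse to a single entry;
        # `xargs -r` avoids calling dirname with no arguments when there is
        # no Dockerfile at all. The pipeline stays inside the echo argument so
        # a grep with no remaining lines does not fail the step under pipefail.
        run: |
          echo "services=$(find . -type f -name Dockerfile | xargs -r -n 1 dirname | cut -d '/' -f 2 | grep -v 'TEMPLATE' | grep -v 'al-service-with-py11' | sort -u | jq -R -s -c 'split("\n")[:-1]')" >> "$GITHUB_OUTPUT"
      - name: Print services with Dockerfiles
        # Passed through the environment instead of expanded into the script,
        # so directory names cannot alter the shell text.
        env:
          SERVICES: ${{ steps.services.outputs.services }}
        run: echo "Services with Dockerfiles: $SERVICES"

  build-containers:
    needs: discover-services
    runs-on: ubuntu-latest
    if: needs.discover-services.outputs.services != '[]'
    strategy:
      matrix:
        service: ${{ fromJson(needs.discover-services.outputs.services) }}
    permissions:
      contents: read
      packages: write
    defaults:
      run:
        # Applies to `run` steps only; paths in `uses` steps (the sample
        # checkout below) remain relative to the workspace root.
        working-directory: ${{ matrix.service }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # Registry credentials go through step env vars rather than ${{ }}
      # expansion, so the token is never written into the generated script
      # and the user name cannot change the command line.
      - name: Authorize to GitHub Packages
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin
      - name: Authorize to Github Docker Registry
        # docker.pkg.github.com is the legacy GitHub Docker registry;
        # presumably kept for the Makefile — verify whether anything still
        # pushes there before removing this step.
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$REGISTRY_TOKEN" | docker login docker.pkg.github.com -u "$REGISTRY_USER" --password-stdin
      - name: Build container
        run: make build
      - name: Check service was changed in the commit
        id: check-service-changed
        env:
          BEFORE: ${{ github.event.before }}
          AFTER: ${{ github.event.after }}
        # `bash {0}` (no -e) so the diff's status is captured into the
        # `exit-code` output instead of failing the step: 0 means this
        # directory is unchanged, anything else triggers the test steps. A
        # range git cannot resolve (e.g. an all-zero `before` on a new branch)
        # also yields non-zero and therefore runs the tests.
        shell: bash {0}
        continue-on-error: true
        run: |
          git diff --quiet "$BEFORE" "$AFTER" -- .
          echo "exit-code=$?" >> "$GITHUB_OUTPUT"
      # Tests based on real examples, not suitable to keep in the public repo
      - name: Checkout repository with test samples
        if: steps.check-service-changed.outputs.exit-code != 0 && matrix.service == 'ASTGrep'
        uses: actions/checkout@v4
        with:
          repository: kam193/unsafe-examples
          # Relative to the workspace root, i.e. inside the ASTGrep service dir.
          path: ASTGrep/tmp/
          # sparse-checkout: |
          #   dangerous_examples/*
          # sparse-checkout-cone-mode: false
          # The deploy key is used for this clone only and is not left in the
          # checkout's git config for later steps.
          persist-credentials: false
          ssh-key: ${{ secrets.UNSAFE_SAMPLES_SSH }}
          clean: false
      - name: Link the test samples
        if: steps.check-service-changed.outputs.exit-code != 0 && matrix.service == 'ASTGrep'
        run: |
          cd tests
          ln -s ../tmp/dangerous_examples/ dangerous_examples
      - name: Install test dependencies
        if: steps.check-service-changed.outputs.exit-code != 0
        run: |
          sudo apt-get install -y libfuzzy-dev
          make test-dependencies
      - name: Run tests
        if: steps.check-service-changed.outputs.exit-code != 0
        run: make test
      - name: Check if the current version has already been pushed
        id: check-if-pushed
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Asks the registry for the manifest of the tag this build would push.
        # The `manifest` output is non-empty only when the registry answers
        # "manifest unknown", i.e. this VERSION is not published yet; any other
        # response (tag present, access denied, request failure) leaves it
        # empty, which skips the push. `|| true` keeps a non-matching grep
        # from failing the step under the default `-e -o pipefail` shell.
        run: |
          export GHCR_TOKEN=$(echo "$GITHUB_TOKEN" | base64)
          export TAG="$BASE_TAG$(cat VERSION)"
          manifest=$(curl -s -H "Authorization: Bearer ${GHCR_TOKEN}" "https://ghcr.io/v2/kam193/$(make print)/manifests/$TAG" | grep "manifest unknown" || true)
          echo "manifest=$manifest" >> "$GITHUB_OUTPUT"
      - name: Push container
        if: steps.check-if-pushed.outputs.manifest
        # tag.txt / version.txt feed the release job via the artifact below.
        run: |
          make push
          echo "ghcr.io/kam193/$(make print):$BASE_TAG$(cat VERSION)" > tag.txt
          cat VERSION > version.txt
      - name: Upload artifact
        if: steps.check-if-pushed.outputs.manifest
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
        with:
          name: ${{ matrix.service }}
          path: |
            ${{ matrix.service }}/tag.txt
            ${{ matrix.service }}/version.txt

  release:
    needs: build-containers
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427
        with:
          path: ./artifacts
      - name: Gain release info
        # One artifact directory per pushed service, each holding tag.txt and
        # version.txt. nullglob makes the loop a no-op when nothing was
        # pushed, so release_text.md is then never created.
        run: |
          shopt -s nullglob
          for dir in ./artifacts/*/; do
            service=$(basename "$dir")
            image=$(cat "$dir/tag.txt")
            echo "## $service $BASE_TAG$(cat "$dir/version.txt")" >> release_text.md
            echo "Uploaded image: \`$image\`" >> release_text.md
          done
      - name: Check if anything to release
        id: check-if-release
        # A missing or empty release_text.md means no image was pushed.
        run: |
          if [[ ! -s "release_text.md" ]]; then
            echo "release=false" >> "$GITHUB_OUTPUT"
          else
            echo "This is an automated release. Following new service versions were uploaded." > release_body.md
            cat release_text.md >> release_body.md
            echo "release=true" >> "$GITHUB_OUTPUT"
            echo "CURRENT_DATE=$(date +'%Y-%m-%d--%H-%M')" >> "$GITHUB_ENV"
          fi
      - name: Release changes
        if: steps.check-if-release.outputs.release == 'true'
        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5
        with:
          name: Release on ${{ env.CURRENT_DATE }}
          bodyFile: release_body.md
          makeLatest: true
          tag: release-${{ env.CURRENT_DATE }}
          generateReleaseNotes: true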