ci: switch to standard workflow (#110)

miracum · Oct 24, 2023 · 2386ddc · 2386ddc
1 parent c0df4e7
commit 2386ddc
Show file tree

Hide file tree

Showing 10 changed files with 90 additions and 386 deletions.
diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -8,65 +8,66 @@ on:
   pull_request:
     branches: [master]
 
-# Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   build:
-    name: Build
-    runs-on: ubuntu-20.04
+    uses: miracum/.github/.github/workflows/standard-build.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0
     permissions:
-      packages: write
       contents: read
+      id-token: write
+      packages: write
+      pull-requests: write
+      actions: read
+      security-events: write
+    with:
+      enable-build-test-layer: true
+      enable-upload-test-image: true
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+
+  test:
+    runs-on: ubuntu-22.04
+    needs:
+      - build
+    permissions:
+      # for add Coverage PR Comment
       pull-requests: write
-    outputs:
-      image-tags: ${{ steps.container_meta.outputs.tags }}
-      image-version: ${{ steps.container_meta.outputs.version }}
-      image-digest: ${{ steps.build.outputs.digest }}
     steps:
-      - name: Container meta
-        id: container_meta
-        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4
+      - name: "Checkout code"
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
-          images: |
-            ghcr.io/${{ github.repository }}
+          persist-credentials: false
 
-      - name: Container meta for the unit test image
-        id: container_tests_meta
-        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4
+      - name: Download image
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        if: ${{ github.event_name == 'pull_request' }}
         with:
-          images: |
-            ghcr.io/${{ github.repository }}-tests
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
+          name: container-image
+          path: /tmp
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
+      - name: Load image
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          ls -lsa /tmp
+          docker load --input /tmp/image.tar
+          docker image ls
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
-        if: ${{ github.event_name != 'pull_request' }}
+      - name: Download test image
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          name: test-image
+          path: /tmp
 
-      # ran first to avoid pushing failing images when running on master.
-      - name: Run unit tests
-        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3
-        with:
-          push: false
-          load: true
-          tags: ${{ steps.container_tests_meta.outputs.tags }}
-          labels: ${{ steps.container_tests_meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          target: test
+      - name: Load test image
+        run: |
+          ls -lsa /tmp
+          docker load --input /tmp/image-test.tar
+          docker image ls
 
-      - name: Copy unit test coverage reports from container
+      - name: Copy unit test coverage reports from test container
         env:
-          UNIT_TEST_IMAGE: ${{ fromJson(steps.container_tests_meta.outputs.json).tags[0] }}
+          UNIT_TEST_IMAGE: ${{ fromJson(needs.build.outputs.test-image-meta-json).tags[0] }}
         run: |
           docker create --name=unit-test-container "${UNIT_TEST_IMAGE}"
           docker cp unit-test-container:/build/src/FhirPseudonymizer.Tests/coverage ./coverage
@@ -84,56 +85,14 @@ jobs:
           output: both
           thresholds: "50 50"
 
-      - name: Get platforms to build
-        id: platforms
-        run: |
-          if [ "$IS_PULL_REQUEST" == "true" ]; then
-            echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT"
-          else
-            # echo "{platforms}={linux/amd64,linux/arm64,linux/arm/v7}" >> "$GITHUB_OUTPUT"
-            # disabled multi-arch builds for now due to
-            # Error: buildx failed with: ERROR: failed to solve: mcr.microsoft.com/dotnet/nightly/aspnet:6.0.9-jammy-chiseled@sha256:e5288b0e7f80b278d8baa15e9f444ccb4cc0cd4caa6e9cc87782cbd2a3805a49:
-            # no match for platform in manifest sha256:e5288b0e7f80b278d8baa15e9f444ccb4cc0cd4caa6e9cc87782cbd2a3805a49: not found
-            echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT"
-          fi
-        env:
-          IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
-
-      - name: Build and push image
-        id: build
-        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3
-        with:
-          load: ${{ github.event_name == 'pull_request' }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.container_meta.outputs.tags }}
-          labels: ${{ steps.container_meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          platforms: ${{ steps.platforms.outputs.platforms }}
-
       - name: Add Coverage PR Comment
         uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
         if: ${{ github.event_name == 'pull_request' }}
         with:
           recreate: true
           path: code-coverage-results.md
 
-      - name: Save container image as tar archives
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          IMAGE: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }}
-        run: |
-          docker save "$IMAGE" -o /tmp/image.tar
-
-      - name: Upload container image
-        if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: container-image
-          path: |
-            /tmp/image.tar
-
-  run-iter8-tests:
+  iter8-test:
     name: run iter8 tests
     runs-on: ubuntu-22.04
     if: ${{ github.event_name == 'pull_request' }}
@@ -160,7 +119,7 @@ jobs:
         with:
           cluster_name: kind
 
-      - name: Download container images
+      - name: Download image
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: container-image
@@ -248,78 +207,29 @@ jobs:
           path: |
             kind-cluster-dump.txt
 
-  release:
-    needs: build
-    name: Release
-    runs-on: ubuntu-22.04
+  lint:
+    uses: miracum/.github/.github/workflows/standard-lint.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
-    if: ${{ github.event_name != 'pull_request' }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-        with:
-          # via <https://stackoverflow.com/questions/74744498/github-pushing-to-protected-branches-with-fine-grained-token/76550826#76550826>
-          persist-credentials: false
-
-      # Only required temporary: https://github.com/cycjimmy/semantic-release-action/issues/159
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          node-version: 14
-
-      - name: Semantic Release
-        uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2
-        with:
-          extra_plugins: |
-            [email protected]
-            [email protected]
-            @semantic-release/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
-
-  container-provenance:
-    if: ${{ startsWith(github.ref, 'refs/tags/') }}
-    needs:
-      - build
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write
-      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+      issues: write
+      security-events: write
+      actions: read
     with:
-      image: ghcr.io/${{ github.repository }}
-      digest: ${{ needs.build.outputs.image-digest }}
-      registry-username: ${{ github.actor }}
+      enable-validate-gradle-wrapper: false
+      codeql-languages: '["csharp"]'
+      enable-codeql: true
     secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      github-token: ${{ secrets.GITHUB_TOKEN }}
 
-  sign-images:
-    name: sign images
-    runs-on: ubuntu-22.04
-    if: ${{ github.event_name != 'pull_request' }}
+  release:
+    uses: miracum/.github/.github/workflows/standard-release.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0
     needs:
       - build
+      - test
     permissions:
-      contents: read
-      id-token: write
-      packages: write
-    steps:
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-
-      # via <https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml>
-      - name: Sign image
-        env:
-          # <https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable>
-          TAGS: ${{ needs.build.outputs.image-tags }}
-          DIGEST: ${{ needs.build.outputs.image-digest }}
-        run: |
-          echo "${TAGS}" | xargs -I {} cosign sign --yes {}@"${DIGEST}"
+      contents: write
+      pull-requests: write
+      issues: write
+    secrets:
+      semantic-release-token: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml