build(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the minors-and-patches group #8
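---
# Pull-request CI: pre-commit, secret scan, unit tests across an OS matrix,
# SAST/SCA placeholders, container build + smoke test, a gating job, and a
# deploy to "dev" through the reusable ./.github/workflows/cd.yml workflow.
name: CI - PR

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    paths-ignore:
      - 'README.md'
  # NOTE(review): pull_request_target runs in the context of the base
  # repository, i.e. with its secrets and a write-capable GITHUB_TOKEN, even
  # for PRs from forks. None of the checkout steps below set `ref:` to the
  # PR head, so under this trigger the *base* branch is what gets built,
  # scanned and pushed -- keep it that way. Also note the branch mismatch:
  # pull_request targets `main` while this targets `master`; confirm which
  # default branch is intended.
  pull_request_target:
    branches:
      - master

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Workflow-wide token scopes, inherited by every job (including the cd.yml
# call). `packages: write` is required by docker_build to push to GHCR.
# No step in this file visibly needs `pull-requests: write`; presumably
# cd.yml does -- verify, and drop it here if not.
permissions:
  contents: read
  packages: write
  pull-requests: write

env:
  ENVIRONMENT: "dev"

jobs:
  # Placeholder job: only emits a warning until a real SDLC scan is wired in.
  sdlc_scan:
    name: SDLC Scan
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Run SDLC Scan
        id: sdlc
        run: |
          echo Run SDLC Scan
          echo "::warning::Must implement a SDLC scan mechanism."
        shell: bash

  pre-commit:
    name: Pre-Commit
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run Pre-Commit Checks
        uses: j178/prek-action@9d6a3097e0c1865ecce00cfb89fe80f2ee91b547 # v1.0.12
        env:
          # Hooks skipped in this job; pytest runs in code_build below.
          SKIP: "pytest, uv-export"

  secret:
    needs:
      - pre-commit
    name: Secret Scanning
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: GitGuardian scan
        id: secret
        uses: GitGuardian/ggshield/actions/secret@1ed9bbc4eda6459a090b80efb4cfcc4112693a38 # v1.46.0
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        # Keep the job alive so the next step can annotate the finding; that
        # step is what decides the job result.
        continue-on-error: true
      - name: Check status of potentially failing step and issue warning
        if: steps.secret.outcome == 'failure'
        run: |
          echo "::error::The previous step detected potential secrets in the code. Please review the scan report above."
          # Fail the job: without this a secret finding would leave `secret`
          # green and `gating` would pass. Mirrors the smoke-test job's handling.
          exit 1
        shell: bash

  code_build:
    needs:
      - pre-commit
    name: Build & Unit Test
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, ubuntu-22.04-arm, ubuntu-24.04, ubuntu-24.04-arm]
        python-version: ["3.10"]
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install UV
        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
        with:
          enable-cache: true
          cache-dependency-glob: "uv.lock"
          # Quoted so no YAML loader can ever reinterpret the version string.
          version: "0.9.18"
      - name: Setup Python ${{ matrix.python-version }}
        id: setup-python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          uv sync --all-extras --dev --frozen
        shell: bash
      - name: Pytest - Run Unit Test
        id: test
        run: |
          uv run playwright install --with-deps
          uv run pytest -m "not e2e"
        shell: bash
      - name: Minimize UV cache
        run: |
          uv cache prune --ci
        shell: bash

  code_scan:
    needs:
      - pre-commit
      - sdlc_scan
    name: Vulnerabilities Scan
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-24.04, ubuntu-24.04-arm]
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install UV
        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
        with:
          enable-cache: true
          cache-dependency-glob: "uv.lock"
          version: "0.9.18"
      - name: Set up Python
        id: setup-python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.10"
      - name: Install dependencies for scanning
        run: |
          echo "Using requirements.txt for ease of compatibility."
          uv venv .venv --python 3.10
          uv pip install --no-cache-dir -r requirements.txt
        shell: bash
      # Placeholder steps below: warnings only until SAST/SCA tools are added.
      - name: Run SAST Scan
        id: sast
        run: |
          echo Run SAST
          echo "::warning::Must implement a code scanning mechanism."
        shell: bash
      - name: Run SCA Scan
        id: sca
        run: |
          echo Run SCA
          echo "::warning::Must implement a dependencies scanning mechanism."
        shell: bash

  docker_build:
    needs:
      - code_build
    name: Container Build
    runs-on: ubuntu-24.04
    outputs:
      # Consumed by docker_smoke and deploy (both must list this job in `needs`).
      image-tag: ${{ steps.image-tag.outputs.image-tag }}
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Login to GHCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: |
            ghcr.io/${{ github.repository }}
          flavor: |
            latest=auto
          # `latest` and the sha tag are only enabled on the default branch;
          # PR runs get gha-<run_id> and pr-<n> tags.
          tags: |
            type=raw,value=latest,enable={{is_default_branch}},priority=100
            type=ref,event=branch,priority=100
            type=raw,value=gha-${{ github.run_id }},enable=${{github.event_name == 'pull_request'}},priority=200
            type=raw,value=nightly-${{ github.run_id }},enable=${{github.event_name == 'schedule'}},priority=200
            type=ref,event=pr,priority=200
            type=ref,event=tag,priority=200
            type=sha,value={{sha}},enable={{is_default_branch}},priority=300
      - name: Docker Build
        id: build_image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          platforms: |
            linux/amd64
          context: .
          file: ./Dockerfile
          builder: ${{ steps.buildx.outputs.name }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # PR images are pushed to GHCR so docker_smoke and deploy can pull
          # them. On fork PRs via `pull_request` the token is read-only and
          # this push fails; via `pull_request_target` it is the base branch
          # that is built (see the trigger note at the top).
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          build-args: |
            BUILDKIT_INLINE_CACHE=1
            GIT_COMMIT=${{ github.sha }}
            REPO_URL=${{ github.server_url }}/${{ github.repository }}
      - name: Find the primary image tag we just pushed, and output it
        id: image-tag
        run: |
          # shellcheck disable=SC2086
          echo "image-tag=${{ steps.docker_meta.outputs.version }}" >> $GITHUB_OUTPUT
        shell: bash

  docker_smoke:
    needs:
      - docker_build
    name: Container Smoke Test
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Login to GHCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Pull and Run Container
        run: |
          IMAGE_URI="ghcr.io/${{ github.repository }}:${{ needs.docker_build.outputs.image-tag }}"
          docker pull "$IMAGE_URI"
          docker run --detach --publish 8000:8000 --name insecure-bank-corp-smoke "$IMAGE_URI"
        shell: bash
      - name: Wait for Healthcheck
        id: smoke
        run: |
          # Polls the container's HEALTHCHECK state for up to 60s; an image
          # without a HEALTHCHECK never reports "healthy" and times out here.
          timeout=60
          start_time=$(date +%s)
          while true; do
            current_time=$(date +%s)
            if [ $((current_time - start_time)) -gt $timeout ]; then
              echo "Timeout waiting for container to be healthy"
              docker logs insecure-bank-corp-smoke
              exit 1
            fi
            status=$(docker inspect --format='{{.State.Health.Status}}' insecure-bank-corp-smoke)
            if [ "$status" == "healthy" ]; then
              echo "Container is healthy"
              exit 0
            fi
            if [ "$status" == "unhealthy" ]; then
              echo "Container is unhealthy"
              docker logs insecure-bank-corp-smoke
              exit 1
            fi
            echo "Waiting for healthcheck... ($((current_time - start_time))s)"
            sleep 2
          done
        shell: bash
        # Without this the job is already failed when the next step is
        # evaluated, and its `if:` (which implicitly includes success())
        # never runs -- the ::error:: annotation was unreachable. Same
        # pattern as the secret job; the next step still fails the job.
        continue-on-error: true
      - name: Check status of potentially failing step and issue warning
        if: steps.smoke.outcome == 'failure'
        run: |
          echo "::error::The previous step detected potential failure in the code. Please review the report above."
          exit 1
        shell: bash

  # Placeholder job: only emits a warning until a container scanner is added.
  docker_scan:
    needs:
      - docker_build
    name: Container Vulnerability Scan
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: Run Container Scan
        id: container
        run: |
          echo Run Container Scan
          echo "::warning::Must implement a container scanning mechanism."
        shell: bash

  # Fan-in job: deploy depends on this, so every scan/test listed here must
  # pass before anything is deployed.
  gating:
    needs:
      - code_scan
      - docker_scan
      - docker_smoke
      - secret
    name: Gating
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Run Gating Check
        run: |
          echo Run Gating Check
        shell: bash

  # NOTE(review): this runs on every PR event, including fork PRs reaching
  # the workflow via pull_request_target (where the image built is the base
  # branch); confirm that deploying "dev" on PRs is intended.
  deploy:
    needs:
      - gating
      # The `needs` context only exposes direct dependencies, so docker_build
      # must be listed here for `needs.docker_build.outputs.image-tag` to
      # resolve; without it the reusable workflow received an empty image-tag.
      - docker_build
    name: Deploy to dev
    uses: ./.github/workflows/cd.yml
    with:
      env: "dev"
      image-tag: ${{ needs.docker_build.outputs.image-tag }}
    secrets:
      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
      TS_OAUTH_CLIENT_SECRET: ${{ secrets.TS_OAUTH_CLIENT_SECRET }}
      DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
      DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
      DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
      CF_TUNNEL_TOKEN: ${{ secrets.CF_TUNNEL_TOKEN }}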