Include vereisten and maatregelen #59

Workflow file for this run

	name: continuous-integration

	on:
	push:
	branches:
	- main
	tags:
	- "v*"
	pull_request:
	branches:
	- "main"

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	env:
	REGISTRY: ghcr.io
	POETRY_CACHE_DIR: ~/.cache/pypoetry
	PIPX_BIN_DIR: /usr/local/bin
	IMAGE_NAME: ${{ github.repository }}
	PYTHON_VERSION: "3.12"

	jobs:
	lint:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Install poetry
	run: pipx install poetry

	- name: Set up Python ${{ env.PYTHON_VERSION }}
	uses: actions/setup-python@v5
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "poetry"

	- name: Install dependencies
	run: poetry install

	- name: run ruff
	run: poetry run ruff check --output-format=github

	- name: Run format
	run: poetry run ruff format --check

	- name: Run pyright
	run: poetry run pyright

	security:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Install poetry
	run: pipx install poetry

	- name: Set up Python ${{ env.PYTHON_VERSION }}
	uses: actions/setup-python@v5
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "poetry"

	- name: Install dependencies
	run: poetry install

	- name: check licenses used by project in pyproject.toml
	run: poetry run liccheck -s pyproject.toml

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	trivy-config: trivy.yaml
	scan-type: fs
	scan-ref: "."

	test-compose:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- run: docker compose build
	- run: docker compose down -v --remove-orphans
	- run: docker compose up -d

	test-local-backend:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Install poetry
	run: pipx install poetry

	- name: Set up Python ${{ env.PYTHON_VERSION }}
	uses: actions/setup-python@v5
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "poetry"

	- name: Install dependencies
	run: poetry install

	- name: Run pytest
	run: TZ=UTC poetry run coverage run -m pytest

	- name: run coverage report
	run: poetry run coverage report

	- name: run coverage html
	run: poetry run coverage html

	- name: Upload code coverage report
	uses: actions/upload-artifact@v4
	with:
	name: codecoverage-${{ github.sha }}
	path: htmlcov/
	if-no-files-found: error
	overwrite: true

	- name: run coverage xml
	run: poetry run coverage xml

	- name: SonarCloud Scan
	if: github.actor != 'dependabot[bot]' && !env.ACT
	uses: SonarSource/sonarcloud-github-action@master
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

	build:
	needs: [test-local-backend, test-compose]
	if: ${{ !github.event.act }}
	runs-on: ubuntu-latest
	permissions:
	packages: write
	contents: read
	security-events: write
	actions: read
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: get commit hash
	id: get_commit_hash
	run: \|
	echo "commit_hash=$(git describe --tags)" >> "$GITHUB_OUTPUT"

	- name: Make changes to project to inject commit hash
	run: \|
	sed -i 's/VERSION: str = .*$/VERSION: str = "${{ steps.get_commit_hash.outputs.commit_hash }}"/g' task_registry/core/config.py


	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Extract metadata for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} #TODO(berry): fix on git labels multiple tags
	env:
	DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

	- name: print metadata
	run: \|
	echo "tags: ${{ steps.meta.outputs.tags }}"
	echo "labels: ${{ steps.meta.outputs.labels }}"
	echo "annotations: ${{ steps.meta.outputs.annotations }}"
	echo "hash: ${{ steps.get_commit_hash.outputs.commit_hash }}"

	- name: Build and push Docker image
	uses: docker/build-push-action@v6
	with:
	context: .
	file: ./Dockerfile
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	annotations: ${{ steps.meta.outputs.annotations }}
	platforms: linux/amd64,linux/arm64,darwin/amd64

	- name: Run Trivy vulnerability scanner sarif
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ steps.meta.outputs.tags }}
	scan-type: image
	exit-code: 0
	format: "sarif"
	output: "trivy-results.sarif"
	env:
	TRIVY_USERNAME: ${{ github.actor }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-results.sarif"

	- name: Extract metadata for Docker
	id: meta2
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} #TODO(berry): fix on git labels multiple tags
	flavor: \|
	latest=false
	env:
	DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

	- name: Run Trivy SBOM
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ steps.meta2.outputs.tags }}
	scan-type: image
	exit-code: 0
	format: "cyclonedx"
	output: "trivy-sbom.json"
	list-all-pkgs: "true"
	env:
	TRIVY_USERNAME: ${{ github.actor }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Run Trivy license scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ steps.meta2.outputs.tags }}
	scan-type: image
	scanners: "license"
	exit-code: 0
	output: "trivy-license.json"
	env:
	TRIVY_USERNAME: ${{ github.actor }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Upload SBOM & License
	uses: actions/upload-artifact@v4
	with:
	name: sbom-licence-${{ github.sha }}.json
	path: \|
	trivy-sbom.json
	trivy-license.json
	if-no-files-found: error
	overwrite: true

	deploy:
	runs-on: ubuntu-latest
	needs: [build]
	if: ${{ github.event_name == 'push' && !github.event.act}}
	permissions:
	actions: write
	steps:
	- name: Extract metadata for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: "" # make empty to get the correct tag
	flavor: \|
	latest=false

	- name: print metadata
	run: \|
	echo "tags: ${{ steps.meta.outputs.tags }}"

	- uses: actions/checkout@v4

	- name: Trigger deployment
	run: \|
	gh workflow run deploy.yml -f image_tag=${{ steps.meta.outputs.tags }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	notifyMattermost:
	runs-on: ubuntu-latest
	needs:
	[
	lint,
	security,
	test-local-backend,
	test-compose,
	build,
	]
	if: ${{ always() && contains(needs.*.result, 'failure') }}
	steps:
	- uses: mattermost/action-mattermost-notify@master
	if: github.event_name != 'pull_request' \|\| github.event.pull_request.draft == false
	with:
	MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
	MATTERMOST_CHANNEL: dev
	TEXT: \|
	${{ github.repository }} failed build @here :unamused:
	:rotating_light: [Pipeline](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) failed :fire:
	MATTERMOST_USERNAME: ${{ github.triggering_actor }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Include vereisten and maatregelen #59

Workflow file

Include vereisten and maatregelen #59

Jobs

Run details

Workflow file for this run