add signing to action #3679
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
# only run tests for pull requests cause no file has to be changed without review | |
# open -> open the pull request | |
# synchronize -> push to branch of pull request | |
on: | |
pull_request: | |
types: [opened, synchronize] | |
jobs: | |
test: | |
uses: ./.github/workflows/testing.yml | |
build-docs: | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
python-version: ["3.10"] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
cache: "pip" | |
- name: Install dependencies | |
run: | | |
sudo apt-get update && sudo apt-get -y install pandoc | |
pip install --upgrade pip wheel | |
pip install .[doc] | |
- name: build docs | |
run: | | |
cd doc | |
sphinx-apidoc -fT -o source/module_reference ../logprep | |
make clean html | |
code-quality: | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
python-version: ["3.10"] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: azure/[email protected] | |
with: | |
version: "latest" | |
id: install | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
cache: "pip" | |
- name: Get changed python files | |
id: changed-files | |
uses: tj-actions/changed-files@v41 | |
with: | |
files: | | |
**/*.py | |
- name: Install dependencies | |
run: | | |
pip install --upgrade pip wheel | |
pip install .[dev] | |
- name: check black formating | |
run: | | |
black --check --diff --config ./pyproject.toml . | |
- name: lint helm charts | |
run: | | |
helm lint --strict ./charts/logprep | |
- name: lint changed and added files | |
if: steps.changed-files.outputs.all_changed_files | |
run: | | |
pylint --rcfile=.pylintrc --fail-under 9.5 ${{ steps.changed-files.outputs.all_changed_files }} | |
- name: Run tests and collect coverage | |
run: pytest tests/unit --cov=logprep --cov-report=xml | |
- name: Upload coverage reports to Codecov with GitHub Action | |
uses: codecov/codecov-action@v2 | |
containerbuild: | |
strategy: | |
fail-fast: false | |
matrix: | |
python-version: ["3.10", "3.11", "3.12"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build image and export to Docker | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
load: true | |
build-args: | | |
LOGPREP_VERSION=dev | |
PYTHON_VERSION=${{ matrix.python-version }} | |
tags: | | |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} | |
- name: Ensure logprep is available in image | |
run: | | |
docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version | |
# This step will build the image again, but every layer will already be cached, so it is nearly instantaneous. | |
- name: Push image | |
uses: docker/build-push-action@v6 | |
id: build-and-push | |
with: | |
context: . | |
push: true | |
build-args: | | |
LOGPREP_VERSION=dev | |
PYTHON_VERSION=${{ matrix.python-version }} | |
tags: | | |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} | |
# To avoid the trivy-db becoming outdated, we save the cache for one day | |
- name: Get date | |
id: date | |
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT | |
- name: Restore trivy cache | |
uses: actions/cache@v4 | |
with: | |
path: cache/db | |
key: trivy-cache-${{ steps.date.outputs.date }} | |
restore-keys: | |
trivy-cache- | |
- name: Scan image using Trivy | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_CACHE_DIR: ./cache | |
with: | |
scan-type: image | |
image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} | |
trivy-config: trivy.yaml | |
# Trivy-db uses `0600` permissions. | |
# But `action/cache` use `runner` user by default | |
# So we need to change the permissions before caching the database. | |
- name: Change permissions for trivy.db | |
run: sudo chmod 0644 ./cache/db/trivy.db | |
- name: Install Cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.1' | |
- name: Sign image with a key | |
run: | | |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@{{ DIGEST }} | |
env: | |
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
DIGEST: ${{ steps.build-and-push.outputs.digest }} |