Set basic project config correctly #3
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- 'v*' | |
pull_request: | |
branches: | |
- 'main' | |
env: | |
REGISTRY: ghcr.io | |
POETRY_CACHE_DIR: ~/.cache/pypoetry | |
IMAGE_NAME: ${{ github.repository }} | |
PYTHON_VERSION: "3.11" | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Dump GitHub context | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: echo "$GITHUB_CONTEXT" | |
- uses: actions/checkout@v4 | |
- name: Set up Python ${{ env.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: "poetry" | |
- name: Install poetry | |
run: pipx install poetry | |
- name: Install dependencies | |
run: poetry install | |
- name: run ruff | |
run: poetry run ruff check --output-format=github | |
- name: run format | |
run: poetry run ruff format --check | |
- name: run pyright | |
run: poetry run pyright | |
security: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python ${{ env.PYTHON_VERSION }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: "poetry" | |
- name: Install poetry | |
run: pipx install poetry | |
- name: Install dependencies | |
run: poetry install | |
- name: Generate SBOM | |
run: poetry run cyclonedx-py poetry > sbom.json | |
- name: Generace licenses file | |
run: | | |
poetry run pip-licenses --order=license --format=json --with-description > licenses.txt | |
- name: Upload SBOM and licenses | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "sbom-licenses-${{ github.GITHUB_SHA }}.json" | |
path: | | |
sbom.json | |
licenses.txt | |
if-no-files-found: error | |
overwrite: true | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
trivy-config: trivy.yaml | |
test: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
python-version: ["3.10", "3.11", "3.12"] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
cache: "poetry" | |
- name: Install poetry | |
run: pipx install poetry | |
- name: Install dependencies | |
run: poetry install | |
- name: run pytest | |
run: poetry run coverage run -m pytest | |
- name: run coverage | |
run: poetry run coverage report | |
- name: run coverage | |
run: poetry run coverage html | |
- name: Upload code coverage report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "codecoverage-${{ github.GITHUB_SHA }}" | |
path: htmlcov/ | |
if-no-files-found: error | |
overwrite: true | |
build: | |
needs: test | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Log in to the Container registry | |
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Extract metadata for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
- name: Build and push Docker image | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64,linux/arm64,darwin/amd64 | |
- name: Check image for vulnerabilities | |
uses: docker/scout-action@v3 | |
with: | |
command: quickview,cves |