Skip to content

CI

CI #1564

Workflow file for this run

name: CI
on:
workflow_dispatch:
inputs:
release:
description: "Use 'major' for incompatible changes, 'minor' for new features, and 'patch' for fixes or 'no_release' to trigger the pipeline without doing a release."
type: choice
options:
- "no_release"
- "major"
- "minor"
- "patch"
required: true
default: "no_release"
push:
branches: [ main]
tags: ["v*"]
pull_request:
types:
- opened
- synchronize
- reopened
- closed
repository_dispatch:
schedule:
# rebuild image every sunday
- cron: "0 0 * * 0"
# Grants rights to push to the Github container registry.
# The main workflow has to set the permissions.
permissions:
contents: read
packages: write
id-token: write
pull-requests: write
jobs:
# sets the release kind when it wasn't triggered by an workflow dispatch
# this prevents us from having to pass down all labels, event_name, etc
# to init.yml
adapt_release:
runs-on: ubuntu-latest
outputs:
kind: ${{ steps.kind.outputs.kind}}
steps:
- name: "Debug"
run: |
echo "${{ github.event_name }}"
echo "${{ github.event.pull_request.merged }}"
echo "${{ github.event.pull_request.labels }}"
- name: "set KIND = no_release"
run: echo "KIND=no_release" >> $GITHUB_ENV
- name: "override KIND = ${{ inputs.release }}"
if: github.event_name == 'workflow_dispatch'
run: echo "KIND=${{ inputs.release }}" >> $GITHUB_ENV
- name: "override KIND = major"
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'major_release')
run: echo "KIND=major" >> $GITHUB_ENV
- name: "override KIND = minor"
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'minor_release')
run: echo "KIND=minor" >> $GITHUB_ENV
- name: "override KIND = patch"
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'patch_release')
run: echo "KIND=patch" >> $GITHUB_ENV
- id: kind
run: |
echo "kind=${{ env.KIND }}">> "$GITHUB_OUTPUT"
init:
needs: [adapt_release]
uses: ./.github/workflows/init.yaml
with:
release: ${{ needs.adapt_release.outputs.kind }}
unittests:
name: unit-tests
uses: ./.github/workflows/tests.yml
build:
needs: [unittests]
uses: ./.github/workflows/build.yml
linting:
uses: ./.github/workflows/linting.yml
functional:
needs: [build]
uses: ./.github/workflows/functional.yaml
container:
needs: [build, init, functional]
uses: ./.github/workflows/push-container.yml
secrets:
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
cosign_key_opensight: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
cosign_password_opensight: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}
greenbone_bot_token: ${{ secrets.GREENBONE_BOT_TOKEN }}
greenbone_registry: ${{ vars.GREENBONE_REGISTRY }}
greenbone_registry_user: ${{ secrets.GREENBONE_REGISTRY_USER }}
greenbone_registry_token: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
greenbone_registry_replication_user: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }}
greenbone_registry_replication_token: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}
mattermost_webhook_url: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
with:
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}}
is_version_tag: ${{needs.init.outputs.docker_build_is_version }}
container-testing:
name: container
needs: [init, build ]
uses: ./.github/workflows/push-container-testing.yml
secrets:
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
with:
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}}
is_version_tag: ${{needs.init.outputs.docker_build_is_version}}
container-oldstable:
name: container
needs: [init, build ]
uses: ./.github/workflows/push-container-oldstable.yml
secrets:
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
with:
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}}
is_version_tag: ${{needs.init.outputs.docker_build_is_version}}
release:
permissions:
contents: write
# we release after container build so that we can release on a closed pr as we don't push the release container yet
# instead it is pushed after the tag is created.
#
# For now we just don't use it as a dependency for releases which may is counter intuitive
needs: [container, init]
if: ( needs.init.outputs.release_kind == 'major' || needs.init.outputs.release_kind == 'minor' || needs.init.outputs.release_kind == 'patch' )
uses: ./.github/workflows/release.yml
with:
new_version: ${{ needs.init.outputs.release_new_version }}
latest_version: ${{ needs.init.outputs.release_latest_version }}
release_kind: ${{ needs.init.outputs.release_kind }}
release_ref: ${{ needs.init.outputs.release_ref }}
project: ${{ needs.init.outputs.release_project }}
repository: ${{ github.repository }}
secrets:
token: ${{ secrets.GREENBONE_BOT_TOKEN }}
name: ${{ secrets.GREENBONE_BOT }}
email: ${{ secrets.GREENBONE_BOT_MAIL }}
gpg_key: ${{ secrets.GPG_KEY }}
gpg_pass: ${{ secrets.GPG_PASSPHRASE }}
smoketests:
if: github.event_name != 'pull_request'
needs: [container, init]
uses: ./.github/workflows/smoketest.yaml
with:
docker_repo: ${{ github.repository }}
docker_tag: ${{needs.init.outputs.docker_test_tag}}
helm:
permissions:
packages: write
needs: [smoketests]
if: vars.IMAGE_REGISTRY != ''
uses: ./.github/workflows/push-helm-chart.yml
secrets:
user: ${{ secrets.GREENBONE_BOT }}
token: ${{ secrets.GITHUB_TOKEN }}
with:
registry: ${{ vars.IMAGE_REGISTRY }}