build #2857
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: build | |
| on: # yamllint disable-line rule:truthy | |
| merge_group: | |
| types: | |
| - checks_requested | |
| pull_request: | |
| push: | |
| branches: | |
| - "**" | |
| tags: | |
| - v*.*.* | |
| repository_dispatch: | |
| # Respond to rebuild requests. See: https://github.com/cisagov/action-apb/ | |
| types: | |
| - apb | |
| schedule: | |
| - cron: 0 10 * * * # everyday at 10am | |
| workflow_dispatch: | |
| inputs: | |
| image-tag: | |
| default: dispatch | |
| description: Tag to apply to pushed images | |
| required: true | |
| remote-shell: | |
| default: "false" | |
| description: Debug with remote shell | |
| required: true | |
| # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, | |
| # nounset, errexit, and pipefail. The `-x` will print all commands as they are | |
| # run. Please see the GitHub Actions documentation for more information: | |
| # https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs | |
| defaults: | |
| run: | |
| shell: bash -Eueo pipefail -x {0} | |
| env: | |
| IMAGE_NAME: cisagov/example | |
| PIP_CACHE_DIR: ~/.cache/pip | |
| PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit | |
| RUN_TMATE: ${{ secrets.RUN_TMATE }} | |
| TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers | |
| TERRAFORM_DOCS_REPO_DEPTH: 1 | |
| TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git | |
| jobs: | |
| diagnostics: | |
| name: Run diagnostics | |
| # This job does not need any permissions | |
| permissions: {} | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Note that a duplicate of this step must be added at the top of | |
| # each job. | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| check_github_status: "true" | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-generic#207 for more details. | |
| monitor_permissions: "false" | |
| output_workflow_context: "true" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| lint: | |
| # Checks out the source and runs pre-commit hooks. Detects coding errors | |
| # and style deviations. | |
| name: Lint sources | |
| needs: | |
| - diagnostics | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-generic#207 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - id: setup-env | |
| uses: cisagov/setup-env-github-action@develop | |
| - uses: actions/checkout@v4 | |
| - id: setup-python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ steps.setup-env.outputs.python-version }} | |
| # We need the Go version and Go cache location for the actions/cache step, | |
| # so the Go installation must happen before that. | |
| - id: setup-go | |
| uses: actions/setup-go@v5 | |
| with: | |
| # There is no expectation for actual Go code so we disable caching as | |
| # it relies on the existence of a go.sum file. | |
| cache: false | |
| go-version: ${{ steps.setup-env.outputs.go-version }} | |
| - id: go-cache | |
| name: Lookup Go cache directory | |
| run: | | |
| echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT | |
| - uses: actions/cache@v4 | |
| env: | |
| BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ | |
| py${{ steps.setup-python.outputs.python-version }}-\ | |
| go${{ steps.setup-go.outputs.go-version }}-\ | |
| packer${{ steps.setup-env.outputs.packer-version }}-\ | |
| tf${{ steps.setup-env.outputs.terraform-version }}- | |
| with: | |
| key: ${{ env.BASE_CACHE_KEY }}\ | |
| ${{ hashFiles('**/requirements-test.txt') }}-\ | |
| ${{ hashFiles('**/requirements.txt') }}-\ | |
| ${{ hashFiles('**/.pre-commit-config.yaml') }} | |
| # Note that the .terraform directory IS NOT included in the | |
| # cache because if we were caching, then we would need to use | |
| # the `-upgrade=true` option. This option blindly pulls down the | |
| # latest modules and providers instead of checking to see if an | |
| # update is required. That behavior defeats the benefits of caching. | |
| # so there is no point in doing it for the .terraform directory. | |
| path: | | |
| ${{ env.PIP_CACHE_DIR }} | |
| ${{ env.PRE_COMMIT_CACHE_DIR }} | |
| ${{ steps.go-cache.outputs.dir }} | |
| restore-keys: | | |
| ${{ env.BASE_CACHE_KEY }} | |
| - uses: hashicorp/setup-packer@v3 | |
| with: | |
| version: ${{ steps.setup-env.outputs.packer-version }} | |
| - uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ steps.setup-env.outputs.terraform-version }} | |
| - name: Install go-critic | |
| env: | |
| PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic | |
| PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} | |
| run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} | |
| - name: Install goimports | |
| env: | |
| PACKAGE_URL: golang.org/x/tools/cmd/goimports | |
| PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }} | |
| run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} | |
| - name: Install gosec | |
| env: | |
| PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec | |
| PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} | |
| run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} | |
| - name: Install staticcheck | |
| env: | |
| PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck | |
| PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} | |
| run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} | |
| # TODO: https://github.com/cisagov/skeleton-generic/issues/165 | |
| # We are temporarily using @mcdonnnj's forked branch of terraform-docs | |
| # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 | |
| # is approved. This temporary fix will allow for ATX header support when | |
| # terraform-docs is run during linting. | |
| - name: Clone ATX headers branch from terraform-docs fork | |
| run: | | |
| git clone \ | |
| --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \ | |
| --depth $TERRAFORM_DOCS_REPO_DEPTH \ | |
| --single-branch \ | |
| $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs | |
| - name: Build and install terraform-docs binary | |
| run: | | |
| go build \ | |
| -C /tmp/terraform-docs \ | |
| -o $(go env GOPATH)/bin/terraform-docs | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip setuptools wheel | |
| pip install --upgrade --requirement requirements-test.txt | |
| - name: Set up pre-commit hook environments | |
| run: pre-commit install-hooks | |
| - name: Run pre-commit on all files | |
| run: pre-commit run --all-files | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: env.RUN_TMATE | |
| prepare: | |
| # Generate Docker image metadata using the docker/metadata-action GitHub Action. | |
| name: Prepare build variables | |
| needs: | |
| - diagnostics | |
| outputs: | |
| labels: ${{ steps.generate-metadata.outputs.labels }} | |
| tags: ${{ steps.generate-metadata.outputs.tags }} | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-docker#224 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - uses: actions/checkout@v4 | |
| - id: generate-metadata | |
| name: Generate Docker image metadata | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.IMAGE_NAME }} | |
| ghcr.io/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=edge | |
| type=raw,event=workflow_dispatch,value=${{ github.event.inputs.image-tag }} | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=ref,event=tag | |
| type=schedule | |
| type=semver,pattern={{major}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{version}} | |
| type=sha | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: github.event.inputs.remote-shell == 'true' || env.RUN_TMATE | |
| build: | |
| # Builds a single test image for the native platform. This image is saved | |
| # as an artifact and loaded by the test job. | |
| name: Build test image | |
| needs: | |
| - diagnostics | |
| - prepare | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-docker#224 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Create dist directory | |
| run: mkdir -p dist | |
| - name: Build image | |
| id: docker_build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=gha | |
| # We use the max mode to cache all layers which includes ones from | |
| # intermediate steps. This will provide us the potential for more cache hits | |
| # and thus better build times. It is also the suggested setting per the | |
| # documentation: | |
| # https://docs.docker.com/build/ci/github-actions/cache/#cache-backend-api | |
| cache-to: type=gha,mode=max | |
| labels: ${{ needs.prepare.outputs.labels }} | |
| outputs: type=docker,dest=dist/image.tar | |
| # Uncomment the following option if you are building an image for use | |
| # on Google Cloud Run or AWS Lambda. The current default image output | |
| # is unable to run on either. Please see the following issue for more | |
| # information: https://github.com/docker/buildx/issues/1533 | |
| # provenance: false | |
| tags: ${{ env.IMAGE_NAME }}:latest # not to be pushed | |
| # For a list of pre-defined annotation keys and value types see: | |
| # https://github.com/opencontainers/image-spec/blob/master/annotations.md | |
| - name: Compress image | |
| run: gzip dist/image.tar | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: env.RUN_TMATE | |
| test: | |
| # Executes tests on the single-platform image created in the "build" job. | |
| name: Test image | |
| needs: | |
| - diagnostics | |
| - build | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-docker#224 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - id: setup-env | |
| uses: cisagov/setup-env-github-action@develop | |
| - uses: actions/checkout@v4 | |
| - id: setup-python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ steps.setup-env.outputs.python-version }} | |
| - name: Cache testing environments | |
| uses: actions/cache@v4 | |
| env: | |
| BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ | |
| py${{ steps.setup-python.outputs.python-version }}- | |
| with: | |
| key: ${{ env.BASE_CACHE_KEY }}\ | |
| ${{ hashFiles('**/requirements-test.txt') }}-\ | |
| ${{ hashFiles('**/requirements.txt') }} | |
| path: ${{ env.PIP_CACHE_DIR }} | |
| restore-keys: | | |
| ${{ env.BASE_CACHE_KEY }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip setuptools wheel | |
| pip install --upgrade --requirement requirements-test.txt | |
| - name: Download docker image artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist | |
| - name: Load docker image | |
| run: docker load < dist/image.tar.gz | |
| - name: Run tests | |
| env: | |
| RELEASE_TAG: ${{ github.event.release.tag_name }} | |
| run: pytest --runslow | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: env.RUN_TMATE | |
| build-push-all: | |
| # Builds the final set of images for each of the platforms specified in the | |
| # "platforms" input for the docker/build-push-action Action. These images | |
| # are tagged with the Docker tags calculated in the "prepare" job and | |
| # pushed to Docker Hub and the GitHub Container Registry. The contents of | |
| # README.md are pushed as the image's description to Docker Hub. This job | |
| # is skipped when the triggering event is a pull request. | |
| if: github.event_name != 'pull_request' | |
| name: Build and push all platforms | |
| needs: | |
| - diagnostics | |
| - lint | |
| - prepare | |
| - test | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| # When Dependabot creates a PR it requires this permission in | |
| # order to push Docker images to ghcr.io. | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-docker#224 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push platform images to registries | |
| id: docker_build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=gha | |
| # We use the max mode to cache all layers which includes ones from | |
| # intermediate steps. This will provide us the potential for more cache hits | |
| # and thus better build times. It is also the suggested setting per the | |
| # documentation: | |
| # https://docs.docker.com/build/ci/github-actions/cache/#cache-backend-api | |
| cache-to: type=gha,mode=max | |
| labels: ${{ needs.prepare.outputs.labels }} | |
| platforms: | | |
| linux/amd64 | |
| linux/arm/v6 | |
| linux/arm/v7 | |
| linux/arm64 | |
| linux/ppc64le | |
| linux/s390x | |
| # Uncomment the following option if you are building an image for use | |
| # on Google Cloud Run or AWS Lambda. The current default image output | |
| # is unable to run on either. Please see the following issue for more | |
| # information: https://github.com/docker/buildx/issues/1533 | |
| # provenance: false | |
| push: true | |
| tags: ${{ needs.prepare.outputs.tags }} | |
| # For a list of pre-defined annotation keys and value types see: | |
| # https://github.com/opencontainers/image-spec/blob/master/annotations.md | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: env.RUN_TMATE | |
| update-dockerhub: | |
| if: ${{ github.ref_name == 'develop' && github.event_name == 'push' }} | |
| name: Update the description for the image on Docker Hub | |
| needs: | |
| - diagnostics | |
| - build-push-all | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-docker#224 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - name: Checkout the repository | |
| uses: actions/checkout@v4 | |
| - name: Update the Docker Hub description | |
| uses: peter-evans/dockerhub-description@v4 | |
| with: | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| readme-filepath: README.md | |
| repository: ${{ env.IMAGE_NAME }} | |
| short-description: ${{ github.event.repository.description }} | |
| username: ${{ secrets.DOCKER_USERNAME }} |