Chore(deps): Bump github/codeql-action from 2.22.8 to 3.24.3 #775
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: pipeline | |
on: | |
push: | |
branches: | |
- develop | |
- feat/* | |
- hotfix/* | |
- main | |
pull_request: | |
branches: | |
- develop | |
- feat/* | |
- hotfix/* | |
- main | |
env: | |
CONTAINER_NAME: ${{ github.repository }} | |
CONTAINER_REGISTRY_GHCR: ghcr.io | |
CONTAINER_REGISTRY_DOCKER_HUB: docker.io | |
CONTAINER_PLATFORMS: linux/amd64,linux/arm64/v8 | |
# https://github.com/docker/buildx/releases | |
BUILDX_VERSION: 0.11.2 | |
# https://nodejs.org/en/download/releases | |
NODE_VERSION: 18.17.1 | |
# https://github.com/helm/helm/releases | |
HELM_VERSION: 3.12.3 | |
# https://npmjs.com/package/snyk?activeTab=versions | |
SNYK_VERSION: 1.1221.0 | |
# https://github.com/oras-project/oras/releases | |
ORAS_VERSION: 1.1.0 | |
# https://github.com/rust-lang/rust/tags | |
RUST_VERSION: 1.72.0 | |
jobs: | |
init: | |
name: Init | |
runs-on: ubuntu-22.04 | |
outputs: | |
VERSION: ${{ steps.version.outputs.version }} | |
VERSION_FULL: ${{ steps.version.outputs.version_full }} | |
VERSION_WIN: ${{ steps.version.outputs.version_win }} | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
# We need all Git history for "version.sh" | |
fetch-depth: 0 | |
# Ensure "version.sh" submodule are up-to-date | |
submodules: recursive | |
- name: Version | |
id: version | |
run: | | |
echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT | |
echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT | |
echo "version_win=$(bash cicd/version/version.sh -g . -c -w)" >> $GITHUB_OUTPUT | |
sast-creds: | |
name: SAST - Credentials | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
# We need all Git history for testing credentials | |
fetch-depth: 0 | |
# Ensure all submodules up-to-date | |
submodules: recursive | |
- name: SAST - Credentials | |
uses: trufflesecurity/[email protected] | |
with: | |
base: ${{ github.event.repository.default_branch }} | |
extra_args: --only-verified | |
head: HEAD | |
path: . | |
build-helm: | |
name: Build Helm chart | |
needs: | |
- init | |
- sast-creds | |
- sast-semgrep | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Setup Helm | |
uses: azure/[email protected] | |
with: | |
version: v${{ env.HELM_VERSION }} | |
# Required for running "npx" CLI | |
- name: Setup Node | |
uses: actions/[email protected] | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Package Helm chart | |
run: | | |
cp README.md cicd/helm/private-gpt | |
helm package \ | |
--app-version ${{ needs.init.outputs.VERSION }} \ | |
--dependency-update \ | |
--destination helm-binaries \ | |
--version ${{ needs.init.outputs.VERSION }} \ | |
cicd/helm/private-gpt | |
- name: Cache Helm chart | |
uses: actions/[email protected] | |
with: | |
name: helm-chart | |
path: helm-binaries | |
- name: Render Helm chart locally | |
run: | | |
helm template \ | |
--output-dir .helm-template \ | |
--values test/helm/values.yaml \ | |
helm-binaries/private-gpt-${{ needs.init.outputs.VERSION }}.tgz | |
- name: Run SAST Snyk for Helm | |
# Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
npx --yes snyk@${{ env.SNYK_VERSION }} iac test \ | |
--sarif-file-output=snyk.sarif \ | |
--severity-threshold=medium \ | |
.helm-template | |
- name: Upload results to GitHub Security | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: snyk.sarif | |
publish-helm: | |
name: Publish Helm chart | |
needs: | |
- build-helm | |
- build-images | |
- create-release | |
- init | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Download Helm chart | |
uses: actions/[email protected] | |
with: | |
name: helm-chart | |
path: helm-binaries | |
- name: Setup node | |
uses: actions/[email protected] | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Upload Helm chart to release | |
uses: actions/[email protected] | |
with: | |
script: | | |
github.rest.repos.uploadReleaseAsset({ | |
data: require("fs").readFileSync("helm-binaries/private-gpt-${{ needs.init.outputs.VERSION }}.tgz"), | |
name: "private-gpt-${{ needs.init.outputs.VERSION }}.tgz", | |
owner: context.repo.owner, | |
release_id: ${{ needs.create-release.outputs.RELEASE_ID }}, | |
repo: context.repo.repo, | |
}); | |
build-images: | |
name: Build & publish image "${{ matrix.src }}" | |
needs: | |
- init | |
- sast-creds | |
- sast-semgrep | |
runs-on: ubuntu-22.04 | |
permissions: | |
# Allow to write to GitHub Security | |
security-events: write | |
# Allow to write to GitHub Packages | |
packages: write | |
strategy: | |
fail-fast: false | |
matrix: | |
src: [conversation-api, conversation-ui] | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Configure Git | |
run: | | |
git config user.name "${{ github.actor }}" | |
git config user.email "${{ github.actor }}@users.noreply.github.com" | |
- name: Setup QEMU | |
id: setup-qemu | |
uses: docker/[email protected] | |
with: | |
platforms: ${{ env.CONTAINER_PLATFORMS }} | |
- name: Setup Docker Buildx | |
uses: docker/[email protected] | |
with: | |
version: v${{ env.BUILDX_VERSION }} | |
# Required for running "npx" CLI | |
- name: Setup Node | |
uses: actions/[email protected] | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Login to registry - GitHub | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY_GHCR }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to registry - Docker Hub | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }} | |
username: clemlesne | |
password: ${{ secrets.DOCKER_HUB_PAT }} | |
- name: Container meta | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: | | |
${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }} | |
${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}/${{ env.CONTAINER_NAME }} | |
flavor: | | |
prefix=${{ matrix.src }}- | |
tags: | | |
type=raw,value=latest,enable={{is_default_branch}} | |
type=ref,event=branch | |
type=ref,event=pr | |
type=schedule | |
type=schedule,pattern={{date 'YYYYMMDD'}} | |
type=semver,pattern={{version}},value=${{ needs.init.outputs.VERSION_FULL }} | |
type=sha | |
labels: | | |
org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }} | |
org.opencontainers.image.vendor=${{ github.actor }} | |
- name: Store tag | |
id: tag | |
run: | | |
ref="${{ github.ref }}" | |
branch=$(echo "${ref#refs/heads/}" | sed 's/\//-/g') | |
tag=$(echo "${{ steps.meta.outputs.tags }}" | grep -m1 $branch) | |
echo "tag=$tag" >> $GITHUB_OUTPUT | |
- name: Build/push container | |
uses: docker/[email protected] | |
with: | |
build-args: | | |
VERSION=${{ needs.init.outputs.VERSION_FULL }} | |
cache-from: type=gha | |
cache-to: type=gha | |
context: src/${{ matrix.src }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: ${{ env.CONTAINER_PLATFORMS }} | |
provenance: true | |
push: true | |
sbom: true | |
tags: ${{ steps.meta.outputs.tags }} | |
- name: Run SAST Snyk on container image | |
# Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
npx --yes snyk@${{ env.SNYK_VERSION }} container test \ | |
--fail-on=upgradable \ | |
--file=src/${{ matrix.src }}/Dockerfile \ | |
--sarif-file-output=snyk.sarif \ | |
--severity-threshold=medium \ | |
${{ steps.tag.outputs.tag }} | |
- name: Upload results to GitHub Security | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: snyk.sarif | |
sast-semgrep: | |
name: SAST - Semgrep | |
runs-on: ubuntu-22.04 | |
permissions: | |
# Allow to write to GitHub Security | |
security-events: write | |
container: | |
image: returntocorp/semgrep | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Run tests | |
# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security | |
continue-on-error: true | |
env: | |
SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten p/dockerfile | |
run: semgrep ci --sarif --output=semgrep.sarif | |
- name: Upload results to GitHub Security | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: semgrep.sarif | |
publish-artifacthub-metadata: | |
name: Publish ArtifactHub metadata | |
# Only publish on non-scheduled default branch | |
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Setup ORAS | |
uses: oras-project/[email protected] | |
with: | |
version: ${{ env.ORAS_VERSION }} | |
- name: Login to registry - GitHub | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY_GHCR }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to registry - Docker Hub | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }} | |
username: clemlesne | |
password: ${{ secrets.DOCKER_HUB_PAT }} | |
- name: Push to registry | |
run: | | |
oras push \ | |
${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }}:artifacthub.io \ | |
artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \ | |
--config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml | |
oras push \ | |
${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}/${{ env.CONTAINER_NAME }}:artifacthub.io \ | |
artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \ | |
--config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml | |
create-release: | |
name: Create release | |
needs: | |
- init | |
- sast-creds | |
- sast-semgrep | |
permissions: | |
# Allow to create releases | |
contents: write | |
runs-on: ubuntu-22.04 | |
outputs: | |
RELEASE_ID: ${{ steps.create-release.outputs.result }} | |
# Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version | |
# if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Setup node | |
uses: actions/[email protected] | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Create release | |
id: create-release | |
uses: actions/[email protected] | |
with: | |
script: | | |
const isMain = context.ref == `refs/heads/main`; | |
const repoName = context.repo.repo; | |
console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch'); | |
const { data } = await github.rest.repos.createRelease({ | |
draft: true, | |
generate_release_notes: true, | |
name: `${repoName} v${{ needs.init.outputs.VERSION }}`, | |
owner: context.repo.owner, | |
prerelease: !isMain, | |
repo: repoName, | |
tag_name: 'v${{ needs.init.outputs.VERSION }}', | |
target_commitish: context.ref, | |
}); | |
return data.id | |
publish-release: | |
name: Publish release | |
permissions: | |
# Allow to write releases | |
contents: write | |
runs-on: ubuntu-22.04 | |
needs: | |
- create-release | |
- init | |
- publish-helm | |
# Only publish on non-scheduled default branch | |
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main') | |
steps: | |
- name: publish release | |
id: publish-release | |
uses: actions/[email protected] | |
with: | |
script: | | |
github.rest.repos.updateRelease({ | |
draft: false, | |
owner: context.repo.owner, | |
release_id: ${{ needs.create-release.outputs.RELEASE_ID }}, | |
repo: context.repo.repo, | |
}); |