This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: lightweight-check | |
| on: | |
| workflow_call: | |
| secrets: | |
| GH_TOKEN_ADMIN: | |
| description: Github admin token | |
| required: true | |
| SA_GH_USER_NAME: | |
| description: GPG signature username | |
| required: true | |
| SA_GH_USER_EMAIL: | |
| description: GPG signature user email | |
| required: true | |
| SA_GPG_PRIVATE_KEY: | |
| description: GPG signature private key | |
| required: true | |
| SA_GPG_PASSPHRASE: | |
| description: GPG signature passphrase | |
| required: true | |
| SEMGREP_PUBLISH_TOKEN: | |
| description: Semgrep token | |
| required: true | |
| AWS_ACCESS_KEY_ID: | |
| description: AWS access key id | |
| required: true | |
| AWS_DEFAULT_REGION: | |
| description: AWS default region | |
| required: true | |
| AWS_SECRET_ACCESS_KEY: | |
| description: AWS secret access key | |
| required: true | |
| VT_API_KEY: | |
| description: Virustotal api key | |
| required: true | |
| SPL_COM_USER: | |
| description: username to splunk.com | |
| required: true | |
| SPL_COM_PASSWORD: | |
| description: password to splunk.com | |
| required: true | |
| FOSSA_API_KEY: | |
| description: API token for FOSSA app | |
| required: true | |
| permissions: | |
| contents: read | |
| packages: read | |
| concurrency: | |
| # allows for running this workflow simultaneously with main `resable-build-test-release.yml | |
| group: ${{ github.head_ref || github.run_id }}-lightweight | |
| cancel-in-progress: true | |
| jobs: | |
| get-called-sha: | |
| name: Get called SHA | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sha: ${{ steps.get-sha.outputs.caller-sha }} | |
| steps: | |
| - name: Repo checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: splunk/addonfactory-workflow-addon-release | |
| ref: fix/lightweight-workflow-ADDON-66448 | |
| - id: get-sha | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/_called-wf-sha | |
| with: | |
| GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }} | |
| validate-pr-title: | |
| name: Validate PR title | |
| runs-on: ubuntu-latest | |
| needs: get-called-sha | |
| if: ${{ github.event_name == 'pull_request' }} | |
| permissions: | |
| contents: read | |
| packages: read | |
| pull-requests: read | |
| statuses: write | |
| steps: | |
| - uses: jenseng/dynamic-uses@v1 | |
| with: | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/validate-pr-title@${{ needs.get-called-sha.outputs.sha }} | |
| with: | |
| '{ "GITHUB_TOKEN": "${{ github.token }}" }' | |
| meta: | |
| name: Prepare metadata | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sc4s: ${{ steps.meta.outputs.sc4s }} | |
| needs: get-called-sha | |
| steps: | |
| - name: Run meta preparation | |
| id: meta | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/meta@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| SA_GH_USER_NAME: ${{ secrets.SA_GH_USER_NAME }} | |
| SA_GH_USER_EMAIL: ${{ secrets.SA_GH_USER_EMAIL }} | |
| SA_GPG_PRIVATE_KEY: ${{ secrets.SA_GPG_PRIVATE_KEY }} | |
| SA_GPG_PASSPHRASE: ${{ secrets.SA_GPG_PASSPHRASE }} | |
| fossa-scan: | |
| name: FOSSA scan | |
| runs-on: ubuntu-latest | |
| needs: get-called-sha | |
| steps: | |
| - name: Run FOSSA scan | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/fossa-scan@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} | |
| fossa-test: | |
| name: FOSSA test | |
| runs-on: ubuntu-latest | |
| needs: | |
| - fossa-scan | |
| - get-called-sha | |
| steps: | |
| - name: Run FOSSA test | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/fossa-test@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} | |
| compliance-copyrights: | |
| name: Compliance copyrights | |
| runs-on: ubuntu-latest | |
| needs: get-called-sha | |
| steps: | |
| - uses: jenseng/dynamic-uses@v1 | |
| with: | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/compliance-copyrights@${{ needs.get-called-sha.outputs.sha }} | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| needs: get-called-sha | |
| steps: | |
| - name: Run linting checks | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/lint@fix/lightweight-workflow-ADDON-66448 | |
| review-secrets: | |
| name: Review secrets | |
| runs-on: ubuntu-latest | |
| needs: get-called-sha | |
| steps: | |
| - name: Run secrets review | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/review-secrets@fix/lightweight-workflow-ADDON-66448 | |
| semgrep: | |
| name: Semgrep security check | |
| runs-on: ubuntu-latest | |
| needs: get-called-sha | |
| steps: | |
| - name: Run semgrep | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/semgrep@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| SEMGREP_PUBLISH_TOKEN: ${{ secrets.SEMGREP_PUBLISH_TOKEN }} | |
| test-inventory: | |
| name: Test inventory | |
| runs-on: ubuntu-latest | |
| outputs: | |
| unit: ${{ steps.test-inventory.outputs.unit }} | |
| ucc_modinput_functional: ${{ steps.test-inventory.outputs.ucc_modinput_functional}} | |
| modinput_functional: ${{ steps.test-inventory.outputs.modinput_functional}} | |
| requirement_test: ${{ steps.test-inventory.outputs.requirement_test }} | |
| needs: get-called-sha | |
| steps: | |
| - name: Run test inventory check | |
| id: test-inventory | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/test-inventory@fix/lightweight-workflow-ADDON-66448 | |
| # Two separate unit test jobs needed as jobs that depend on unit-test success can't proceed | |
| # if any matrix job fails. Currently python 3.9 may fail as it's not supported in all TAs. | |
| # TODO: group these jobs into the matrix once python 3.9 is supported | |
| run-unit-tests-3_7: | |
| name: Unit tests 3.7 | |
| if: ${{ needs.test-inventory.outputs.unit == 'true' }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - test-inventory | |
| - get-called-sha | |
| permissions: | |
| actions: read | |
| deployments: read | |
| contents: read | |
| packages: read | |
| statuses: read | |
| checks: write | |
| steps: | |
| - name: Run unit tests for python 3.7 | |
| id: unit-tests-3_7 | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/unit-tests@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| python_version: '3.7' | |
| GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }} | |
| run-unit-tests-3_9: | |
| name: Unit tests 3.9 | |
| if: ${{ needs.test-inventory.outputs.unit == 'true' }} | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| needs: | |
| - test-inventory | |
| - get-called-sha | |
| permissions: | |
| actions: read | |
| deployments: read | |
| contents: read | |
| packages: read | |
| statuses: read | |
| checks: write | |
| steps: | |
| - name: Run unit tests for python 3.9 | |
| id: unit-tests-3_9 | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/unit-tests@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| python_version: '3.9' | |
| GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }} | |
| build: | |
| name: Build python-${{ matrix.python-version }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - test-inventory | |
| - meta | |
| - compliance-copyrights | |
| - lint | |
| - review-secrets | |
| - semgrep | |
| - run-unit-tests-3_7 | |
| - fossa-scan | |
| - get-called-sha | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: | |
| - "3.7" | |
| - "3.9" | |
| if: ${{ !cancelled() && (needs.run-unit-tests-3_7.result == 'success' || needs.run-unit-tests-3_7.result == 'skipped') }} | |
| permissions: | |
| contents: write | |
| packages: read | |
| steps: | |
| - name: Run build | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/build@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| python_version: ${{ matrix.python-version }} | |
| SA_GH_USER_NAME: ${{ secrets.SA_GH_USER_NAME }} | |
| SA_GH_USER_EMAIL: ${{ secrets.SA_GH_USER_EMAIL }} | |
| SA_GPG_PRIVATE_KEY: ${{ secrets.SA_GPG_PRIVATE_KEY }} | |
| SA_GPG_PASSPHRASE: ${{ secrets.SA_GPG_PASSPHRASE }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| ucc_modinput_functional: ${{ needs.test-inventory.outputs.ucc_modinput_functional}} | |
| modinput_functional: ${{ needs.test-inventory.outputs.modinput_functional}} | |
| virustotal: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - get-called-sha | |
| if: ${{ !cancelled() && needs.build.result == 'success' }} | |
| steps: | |
| - name: Run VirusTotal check | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/virustotal@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| VT_API_KEY: ${{ secrets.VT_API_KEY }} | |
| run-requirements-unit-tests: | |
| name: Requirements unit tests | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - test-inventory | |
| - get-called-sha | |
| if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.requirement_test == 'true' }} | |
| permissions: | |
| actions: read | |
| deployments: read | |
| contents: read | |
| packages: read | |
| statuses: read | |
| checks: write | |
| steps: | |
| - name: Run requirements unit tests | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/requirements-unit-tests@fix/lightweight-workflow-ADDON-66448 | |
| appinspect-cli: | |
| name: AppInspect CLI ${{ matrix.tags }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - get-called-sha | |
| if: ${{ !cancelled() && needs.build.result == 'success' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| tags: | |
| - "cloud" | |
| - "appapproval" | |
| - "deprecated_feature" | |
| - "developer_guidance" | |
| - "future" | |
| - "self-service" | |
| - "splunk_appinspect" | |
| - "manual" | |
| steps: | |
| - name: Run appinspect CLI | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/appinspect-cli@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| matrix_tags: ${{ matrix.tags }} | |
| artifact-registry: | |
| name: Artifact registry | |
| runs-on: ubuntu-latest | |
| needs: | |
| - virustotal | |
| - meta | |
| - get-called-sha | |
| if: ${{ !cancelled() && needs.virustotal.result == 'success' && needs.meta.result == 'success' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Run artifact registry | |
| uses: splunk/addonfactory-workflow-addon-release/.github/actions/artifact-registry@fix/lightweight-workflow-ADDON-66448 | |
| with: | |
| sc4s: ${{ needs.meta.outputs.sc4s }} |