CI #1483
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
workflow_dispatch: | |
inputs: | |
release: | |
description: "Use 'major' for incompatible changes, 'minor' for new features, and 'patch' for fixes or 'no_release' to trigger the pipeline without doing a release." | |
type: choice | |
options: | |
- "no_release" | |
- "major" | |
- "minor" | |
- "patch" | |
required: true | |
default: "no_release" | |
push: | |
branches: [ main] | |
tags: ["v*"] | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
- closed | |
repository_dispatch: | |
schedule: | |
# rebuild image every sunday | |
- cron: "0 0 * * 0" | |
# Grants rights to push to the Github container registry. | |
# The main workflow has to set the permissions. | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
pull-requests: write | |
jobs: | |
# sets the release kind when it wasn't triggered by an workflow dispatch | |
# this prevents us from having to pass down all labels, event_name, etc | |
# to init.yml | |
adapt_release: | |
runs-on: ubuntu-latest | |
outputs: | |
kind: ${{ steps.kind.outputs.kind}} | |
steps: | |
- name: "Debug" | |
run: | | |
echo "${{ github.event_name }}" | |
echo "${{ github.event.pull_request.merged }}" | |
echo "${{ github.event.pull_request.labels }}" | |
- name: "set KIND = no_release" | |
run: echo "KIND=no_release" >> $GITHUB_ENV | |
- name: "override KIND = ${{ inputs.release }}" | |
if: github.event_name == 'workflow_dispatch' | |
run: echo "KIND=${{ inputs.release }}" >> $GITHUB_ENV | |
- name: "override KIND = major" | |
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'major_release') | |
run: echo "KIND=major" >> $GITHUB_ENV | |
- name: "override KIND = minor" | |
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'minor_release') | |
run: echo "KIND=minor" >> $GITHUB_ENV | |
- name: "override KIND = patch" | |
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'patch_release') | |
run: echo "KIND=patch" >> $GITHUB_ENV | |
- id: kind | |
run: | | |
echo "kind=${{ env.KIND }}">> "$GITHUB_OUTPUT" | |
init: | |
needs: [adapt_release] | |
uses: ./.github/workflows/init.yaml | |
with: | |
release: ${{ needs.adapt_release.outputs.kind }} | |
unittests: | |
name: unit-tests | |
uses: ./.github/workflows/tests.yml | |
build: | |
needs: [unittests] | |
uses: ./.github/workflows/build.yml | |
linting: | |
uses: ./.github/workflows/linting.yml | |
functional: | |
needs: [build] | |
uses: ./.github/workflows/functional.yaml | |
container: | |
needs: [build, init, functional] | |
uses: ./.github/workflows/push-container.yml | |
secrets: | |
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }} | |
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}} | |
cosign_key_opensight: ${{ secrets.COSIGN_KEY_OPENSIGHT }} | |
cosign_password_opensight: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }} | |
greenbone_registry: ${{ vars.GREENBONE_REGISTRY }} | |
greenbone_registry_user: ${{ secrets.GREENBONE_REGISTRY_USER }} | |
greenbone_registry_token: ${{ secrets.GREENBONE_REGISTRY_TOKEN }} | |
mattermost_webhook_url: ${{ secrets.MATTERMOST_WEBHOOK_URL }} | |
with: | |
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}} | |
is_version_tag: ${{needs.init.outputs.docker_build_is_version }} | |
container-testing: | |
name: container | |
needs: [init, build ] | |
uses: ./.github/workflows/push-container-testing.yml | |
secrets: | |
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }} | |
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}} | |
with: | |
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}} | |
is_version_tag: ${{needs.init.outputs.docker_build_is_version}} | |
container-oldstable: | |
name: container | |
needs: [init, build ] | |
uses: ./.github/workflows/push-container-oldstable.yml | |
secrets: | |
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }} | |
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}} | |
with: | |
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}} | |
is_version_tag: ${{needs.init.outputs.docker_build_is_version}} | |
release: | |
permissions: | |
contents: write | |
# we release after container build so that we can release on a closed pr as we don't push the release container yet | |
# instead it is pushed after the tag is created. | |
# | |
# For now we just don't use it as a dependency for releases which may is counter intuitive | |
needs: [container, init] | |
if: ( needs.init.outputs.release_kind == 'major' || needs.init.outputs.release_kind == 'minor' || needs.init.outputs.release_kind == 'patch' ) | |
uses: ./.github/workflows/release.yml | |
with: | |
new_version: ${{ needs.init.outputs.release_new_version }} | |
latest_version: ${{ needs.init.outputs.release_latest_version }} | |
release_kind: ${{ needs.init.outputs.release_kind }} | |
release_ref: ${{ needs.init.outputs.release_ref }} | |
project: ${{ needs.init.outputs.release_project }} | |
repository: ${{ github.repository }} | |
secrets: | |
token: ${{ secrets.GREENBONE_BOT_TOKEN }} | |
name: ${{ secrets.GREENBONE_BOT }} | |
email: ${{ secrets.GREENBONE_BOT_MAIL }} | |
gpg_key: ${{ secrets.GPG_KEY }} | |
gpg_pass: ${{ secrets.GPG_PASSPHRASE }} | |
smoketests: | |
if: github.event_name != 'pull_request' | |
needs: [container, init] | |
uses: ./.github/workflows/smoketest.yaml | |
with: | |
docker_repo: ${{ github.repository }} | |
docker_tag: ${{needs.init.outputs.docker_test_tag}} | |
helm: | |
permissions: | |
packages: write | |
needs: [smoketests] | |
if: vars.IMAGE_REGISTRY != '' | |
uses: ./.github/workflows/push-helm-chart.yml | |
secrets: | |
user: ${{ secrets.GREENBONE_BOT }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
registry: ${{ vars.IMAGE_REGISTRY }} |