From 1fc6a96a2fc10335abc3543c717546e1e4ae4583 Mon Sep 17 00:00:00 2001 From: Fran Mulero Date: Wed, 29 Nov 2023 16:38:14 +0100 Subject: [PATCH] [bitnami/containers] Hardening CI workflow (#53242) Signed-off-by: Fran Mulero --- .github/workflows/ci-pipeline.yml | 90 ++++++++++++++----------------- 1 file changed, 41 insertions(+), 49 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 4a9398eded9f..4272158b0b49 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -8,57 +8,15 @@ on: # rebuild any PRs and main branch changes - main - bitnami:main permissions: {} -env: - CSP_API_URL: https://console.cloud.vmware.com - CSP_API_TOKEN: ${{ secrets.CSP_API_TESTING_TOKEN }} - VIB_PUBLIC_URL: https://cp.bromelia.vmware.com # Avoid concurrency over the same PR concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} jobs: - license-headers-linter: - runs-on: ubuntu-latest - name: License Headers Linter - permissions: - contents: read - pull-requests: write - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Checkout Repository - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - id: get-modified-files - name: 'Get modified files' - env: - DIFF_URL: "${{github.event.pull_request.diff_url}}" - TEMP_FILE: "${{runner.temp}}/pr-${{github.event.number}}.diff" - run: | - # This request doesn't consume API calls. - curl -Lkso $TEMP_FILE $DIFF_URL - files_changed="$(sed -nr 's/[\-\+]{3} [ab]\/(.*)/\1/p' $TEMP_FILE | sort | uniq)" - dockerfiles=() - while read -r file_changed; do - # Avoid removed files - if [[ -f "${file_changed}" ]]; then - dockerfiles+=("${file_changed}") - fi - done <<< "$(echo "$files_changed" | grep -oE ".*/Dockerfile$" | sort | uniq || true)" - if [[ ${#dockerfiles[@]} -gt 0 ]]; then - # There are modifications on dockerfiles - export dockerfiles_json=$(printf "%s\n" "${dockerfiles[@]}" | jq -R . | jq -cs .) - # Overwrite configuration file to analyze only changed dockerfiles - yq -i '. | .header.paths=env(dockerfiles_json)' .licenserc.yaml - echo "result=success" >> $GITHUB_OUTPUT - else - echo "result=skip" >> $GITHUB_OUTPUT - fi - - name: Check license Headers - uses: apache/skywalking-eyes/header@6b2529214f6b1ccee3ec92bb0adfeabf6f66f538 - if: ${{ steps.get-modified-files.outputs.result == 'success' }} get-containers: runs-on: ubuntu-latest name: Get modified containers + permissions: + pull-requests: read if: | github.event.pull_request.state != 'closed' && ( @@ -67,20 +25,20 @@ jobs: outputs: result: ${{ steps.get-containers.outputs.result }} containers: ${{ steps.get-containers.outputs.containers }} + dockerfiles: ${{ steps.get-containers.outputs.dockerfiles }} steps: - id: get-containers name: Get modified containers env: - DIFF_URL: "${{github.event.pull_request.diff_url}}" - TEMP_FILE: "${{runner.temp}}/pr-${{github.event.number}}.diff" + PULL_REQUEST_NUMBER: "${{ github.event.pull_request.number }}" + GITHUB_TOKEN: "${{ github.token }}" run: | - # This request doesn't consume API calls. - curl -Lkso $TEMP_FILE $DIFF_URL - files_changed="$(sed -nr 's/[\-\+]{3} [ab]\/(.*)/\1/p' $TEMP_FILE | sort | uniq)" + files_changed="$(gh api --paginate /repos/${GITHUB_REPOSITORY}/pulls/${PULL_REQUEST_NUMBER}/files | jq -r '.[] | .filename')" # Adding || true to avoid "Process exited with code 1" errors flavors=($(echo "$files_changed" | xargs dirname | grep -o "^bitnami/[^/]*/[^/]*/[^/]*" | sort | uniq || true)) assets=($(echo "$files_changed" | xargs dirname | sed -nr "s|bitnami/([^/]*)/.*|\1|p" | sort | uniq || true)) non_readme_files=$(echo "$files_changed" | grep -vc "\.md" || true) + dockerfiles=($(echo "$files_changed" | grep -oE ".*/Dockerfile$" | sort | uniq || true)) if [[ "$non_readme_files" -le "0" ]]; then # The only changes are .md files -> SKIP @@ -90,9 +48,39 @@ jobs: echo "result=skip" >> $GITHUB_OUTPUT else containers_json=$(printf "%s\n" "${flavors[@]}" | jq -R . | jq -cs .) + dockerfiles_json=$(printf "%s\n" "${dockerfiles[@]}" | jq -R . | jq -cs .) echo "result=ok" >> $GITHUB_OUTPUT echo "containers=${containers_json}" >> $GITHUB_OUTPUT + echo "dockerfiles=${dockerfiles_json}" >> $GITHUB_OUTPUT fi + license-headers-linter: + runs-on: ubuntu-latest + name: License Headers Linter + permissions: + contents: read + pull-requests: write + needs: get-containers + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + name: Checkout Repository + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - id: get-modified-files + name: 'Get modified files' + env: + DOCKERFILES: "${{ needs.get-containers.outputs.dockerfiles }}" + run: | + if [[ -n "${DOCKERFILES}" ]]; then + # Overwrite configuration file to analyze only changed dockerfiles + yq -i '. | .header.paths=env(DOCKERFILES)' .licenserc.yaml + echo "result=success" >> $GITHUB_OUTPUT + else + echo "result=skip" >> $GITHUB_OUTPUT + fi + - name: Check license Headers + uses: apache/skywalking-eyes/header@6b2529214f6b1ccee3ec92bb0adfeabf6f66f538 + if: ${{ steps.get-modified-files.outputs.result == 'success' }} vib-verify: runs-on: ubuntu-latest needs: get-containers @@ -103,6 +91,10 @@ jobs: name: VIB Verify permissions: contents: read + env: + CSP_API_URL: https://console.cloud.vmware.com + CSP_API_TOKEN: ${{ secrets.CSP_API_TESTING_TOKEN }} + VIB_PUBLIC_URL: https://cp.bromelia.vmware.com continue-on-error: false strategy: fail-fast: false