Skip to content

Nightly Run

Nightly Run #1

Workflow file for this run

name: Nightly Run
on:
schedule:
# daily at 23:00 UTC
- cron: "0 23 * * *"
workflow_dispatch:
permissions:
contents: read
jobs:
github-release:
runs-on: [self-hosted, public, linux, x64]
environment: release
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
fetch-depth: 0
token: ${{ secrets.GH_PAT_SECRET }}
- name: Prepare Release
id: prepare_release
run: |
# grab latest release and tag to compare and decide to create a new one
create_release=true
latest_gh_release=$(curl -s "https://api.github.com/repos/${{ github.repository }}/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")')
latest_tag=$(git describe --abbrev=0 --tags)
if [ "$latest_gh_release" = "$latest_tag" ]
then
create_release=false
fi
echo "create_release=$create_release" >> "$GITHUB_OUTPUT"
echo "latest_release_version=$latest_gh_release" >> "$GITHUB_OUTPUT"
echo "version=$latest_tag" >> "$GITHUB_OUTPUT"
- name: Build GitHub Release changelog
if: steps.prepare_release.outputs.create_release == 'true'
id: build_github_release
uses: mikepenz/release-changelog-builder-action@81ca5f10b8c238cbc36e53691a39273636d7d1f6 # v3
env:
GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}
with:
configuration: ".github/release-changelog-config.json"
fromTag: ${{ steps.prepare_release.outputs.latest_release_version }}
toTag: ${{ steps.prepare_release.outputs.version }}
- name: Create GitHub Release
if: steps.build_github_release.outputs.changelog != ''
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
id: create_github_release
with:
tag_name: ${{ steps.prepare_release.outputs.version }}
name: ${{ steps.prepare_release.outputs.version }}
body: ${{ steps.build_github_release.outputs.changelog }}
- name: Update CHANGELOG.md
if: steps.build_github_release.outputs.changelog != ''
uses: stefanzweifel/changelog-updater-action@ab89eeba5adfbb4ebdaabf7f1a17d76eec6c59c9 # v1
with:
latest-version: ${{ steps.prepare_release.outputs.version }}
release-notes: ${{ steps.build_github_release.outputs.changelog }}
- name: Commit updated CHANGELOG.md
if: steps.build_github_release.outputs.changelog != ''
uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
with:
commit_message: "chore: update release notes"
file_pattern: CHANGELOG.md
outputs:
upload_url: ${{ steps.create_github_release.outputs.upload_url }}
version: ${{ steps.prepare_release.outputs.version }}
build-release-artifacts:
strategy:
matrix:
include:
- os: macos-latest
name: darwin
suffix: ''
- os: ubuntu-latest
name: linux
suffix: ''
- os: windows-latest
name: windows
suffix: '.exe'
needs: [github-release]
if: needs.github-release.outputs.upload_url != ''
runs-on: ${{ matrix.os }}
permissions:
contents: write
env:
PYTHON_VERSION: "3.8"
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Install deps and run pyinstaller
run: |
pipenv sync
pipenv run pip install pyinstaller
- name: Build executable
run: pipenv run pyinstaller checkov.spec
- name: Windows - Test executable
if: matrix.os == 'windows-latest'
shell: bash
# make sure it doesn't crash
run: ./dist/checkov.exe -s -d tests/terraform/checks/resource/alicloud
- name: Windows - zip artifact
if: matrix.os == 'windows-latest'
run: tar.exe -a -c -f checkov.zip dist\\checkov.exe
- name: Linux/Mac - Test executable
if: matrix.os != 'windows-latest'
# make sure it doesn't crash
run: ./dist/checkov -s -d tests/terraform/checks/resource/alicloud
- name: Linux/Mac - zip artifact
if: matrix.os != 'windows-latest'
run: zip checkov.zip dist/checkov
- name: Upload Release Asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.github-release.outputs.upload_url }}
asset_path: checkov.zip
asset_name: checkov_${{ matrix.name }}_X86_64_${{ needs.github-release.outputs.version }}.zip
asset_content_type: application/zip
build-release-artifact-linux-arm:
needs: [ github-release ]
if: needs.github-release.outputs.upload_url != ''
runs-on: [self-hosted, public, linux, arm64]
container:
image: arm64v8/python:3.8
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Install deps and run pyinstaller
run: |
pipenv sync
pipenv run pip install pyinstaller
- name: Build executable
run: pipenv run pyinstaller checkov.spec
- name: zip artifact
run: |
apt-get update
apt install zip
zip checkov.zip dist/checkov
- name: Upload Release Asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.github-release.outputs.upload_url }}
asset_path: checkov.zip
asset_name: checkov_linux_arm64_${{ needs.github-release.outputs.version }}.zip
asset_content_type: application/zip