ci(SECURITY): bypass disputed 70612 jinja2 cve #1040
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: pi_portal-github-workflow-push | |
# Begin Cookiecutter Template Content{% raw %} | |
on: | |
push: | |
schedule: | |
- cron: "0 6 * * 1" | |
workflow_dispatch: | |
# secrets: | |
# SLACK_WEBHOOK: | |
# description: "Optional, enables Slack notifications." | |
# required: false | |
jobs: | |
configuration: | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-read_json_file.yml@main | |
with: | |
JSON_FILE_PATH: ".github/config/workflows/workflow-push.json" | |
start: | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@main | |
with: | |
NOTIFICATION_EMOJI: ":vertical_traffic_light:" | |
NOTIFICATION_MESSAGE: "Workflow has started!" | |
commit_lint: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-rev_range_command.yml@main | |
with: | |
COMMAND: | | |
poetry run cz check --rev-range "${PUSHED_COMMIT_REV_RANGE}" | |
COMMAND_NAME: "Commit Message Lint" | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
REV_RANGE: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_commitizen_rev_range }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
commit_spell_check: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-rev_range_command.yml@main | |
with: | |
COMMAND: | | |
CICD_COMMIT_MESSAGES_FILE="$(mktemp XXXXXXXX.git_history_file)" | |
git log --pretty=format:%s "${PUSHED_COMMIT_REV_RANGE}" > "${CICD_COMMIT_MESSAGES_FILE}" | |
poetry run pre-commit run --hook-stage manual spelling-vale-synchronize | |
poetry run pre-commit run --hook-stage commit-msg spelling-commit-message --commit-msg-filename "${CICD_COMMIT_MESSAGES_FILE}" | |
COMMAND_NAME: "Commit Message Spelling" | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
REV_RANGE: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_commit_spelling_rev_range }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
container: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
strategy: | |
fail-fast: true | |
matrix: | |
python-version: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_versions }} | |
max-parallel: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-40-compose-run_cached_commands.yml@main | |
with: | |
BUILD_ARG_ENV_FILE_CONTENT: | | |
#!/bin/bash | |
export BUILD_ARG_PYTHON_VERSION="${{ matrix.python-version }}" | |
export DOCKER_USER_UID="$(id -u)" | |
export DOCKER_USER_GID="$(id -g)" | |
COMMANDS: | | |
dev security-bandit | |
dev security-safety | |
dev fmt | |
dev lint | |
dev coverage | |
dev types | |
COMPOSE_BUILDX_CACHE_KEY: "pi_portal-${{ matrix.python-version }}" | |
COMPOSE_MOUNTED_CACHE_FOLDER: ".pre-commit" | |
COMPOSE_MOUNTED_CACHE_KEY_FILE: ".pre-commit-config.yaml" | |
COMPOSE_SERVICE_NAME: "pi_portal" | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PRE_COMMAND: bash .github/scripts/job-40-prebuild.sh "${{ matrix.python-version }}" | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
dockerfile_lint: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@main | |
with: | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PRECOMMIT_HOOK_ID: "lint-dockerfile" | |
PRECOMMIT_HOOK_NAME: "Dockerfile Linting" | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
json_schema_lint: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@main | |
with: | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PRECOMMIT_HOOK_ID: "check-jsonschema" | |
PRECOMMIT_HOOK_NAME: "Workflow Config JSON Schema Linting" | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
security: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-10-generic-security_scan_credentials.yml@main | |
with: | |
EXTRA_BINARY_ARGS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_trufflehog_extra_scan_args }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
markdown_links: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-30-generic-markdown_links.yml@main | |
with: | |
CONFIG_FILE: ".github/config/actions/gaurav-nelson-github-action-markdown-link-check.json" | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
markdown_lint: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@main | |
with: | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PRECOMMIT_HOOK_ID: "lint-markdown" | |
PRECOMMIT_HOOK_NAME: "Markdown Linting" | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
markdown_spelling: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@main | |
with: | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PRE_HOOK_COMMAND: poetry run pre-commit run --hook-stage=manual "spelling-vale-synchronize" | |
PRECOMMIT_HOOK_ID: "spelling-markdown" | |
PRECOMMIT_HOOK_NAME: "Markdown Spelling" | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
pre-commit_hooks: | |
needs: [configuration] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-50-poetry-test_basic_precommit_hooks.yml@main | |
with: | |
CHECK_CREDENTIALS: true | |
CHECK_TOML: true | |
CHECK_WORKFLOW: true | |
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }} | |
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }} | |
create_release: | |
permissions: | |
contents: write | |
needs: [commit_lint, commit_spell_check, configuration, container, dockerfile_lint, json_schema_lint, markdown_links, markdown_lint, markdown_spelling, pre-commit_hooks, security, start] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-99-poetry-create_release.yml@main | |
with: | |
JSON_APPENDED_CONTENT: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_extra_release_content) }} | |
build_filebeat: | |
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }} | |
needs: [configuration, create_release] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@main | |
with: | |
ARTIFACT_NAME: build-stage-1-filebeat | |
ARTIFACT_FOLDERS: packaging/filebeat/dist | |
BUILD_COMMAND: bash .github/scripts/job-95-package-filebeat.sh | |
REQUIRES_BUILDX: true | |
REQUIRES_QEMU: true | |
WORKFLOW_NAME: "release" | |
build_pi_portal: | |
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }} | |
needs: [configuration, create_release] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@main | |
with: | |
ARTIFACT_NAME: build-stage-1-pi_portal | |
ARTIFACT_FOLDERS: dist | |
BUILD_COMMAND: poetry build | |
REQUIRES_POETRY: true | |
WORKFLOW_NAME: "release" | |
build_packages_for_debian: | |
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }} | |
needs: [build_filebeat, build_pi_portal, configuration, create_release] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
strategy: | |
fail-fast: true | |
matrix: | |
debian: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_debian_distributions }} | |
max-parallel: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@main | |
with: | |
ARTIFACT_NAME: build-stage-2-debian-${{ matrix.debian.name }} | |
ARTIFACT_FOLDERS: | | |
packaging/debian/dist | |
DEPENDENT_ARTIFACT_NAME_PATTERN: build-stage-1-* | |
BUILD_COMMAND: | | |
export PACKAGING_DEBIAN_VERSION="${{ matrix.debian.name }}" | |
export PACKAGING_PYTHON_VERSION="${{ matrix.debian.python_version }}" | |
bash .github/scripts/job-95-package-debian.sh | |
REQUIRES_BUILDX: true | |
REQUIRES_POETRY: true | |
REQUIRES_QEMU: true | |
VERBOSE_NOTIFICATIONS: true | |
WORKFLOW_NAME: "release" | |
build_docker_images: | |
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }} | |
needs: [build_packages_for_debian, configuration, create_release] | |
secrets: | |
ENV_SECRET_1: ${{ secrets.GITHUB_TOKEN }} | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@main | |
with: | |
ARTIFACT_NAME: build-stage-3-docker-manifest | |
ARTIFACT_FOLDERS: | | |
packaging/docker/dist | |
DEPENDENT_ARTIFACT_NAME_PATTERN: build-stage-2-debian-bookworm | |
BUILD_COMMAND: | | |
export PACKAGING_IMAGE_NAME="pi-portal/pi-portal" | |
export PACKAGING_REGISTRY_NAME="ghcr.io" | |
bash .github/scripts/job-95-package-docker.sh | |
REQUIRES_BUILDX: true | |
REQUIRES_QEMU: true | |
VERBOSE_NOTIFICATIONS: true | |
WORKFLOW_NAME: "release" | |
attach_artifacts: | |
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }} | |
needs: [build_docker_images, configuration, create_release] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-99-generic-attach_artifact_to_release.yml@main | |
with: | |
ARTIFACT_NAME_PATTERN: build-stage-* | |
RELEASE_CONTEXT: ${{ needs.create_release.outputs.RELEASE_CONTEXT }} | |
UPLOAD_FOLDERS: | | |
dist | |
packaging/filebeat/dist | |
packaging/debian/dist | |
packaging/docker/dist | |
VERBOSE_NOTIFICATIONS: true | |
WORKFLOW_NAME: "release" | |
success: | |
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE != 'true' }} | |
needs: [configuration, create_release] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@main | |
with: | |
NOTIFICATION_EMOJI: ":checkered_flag:" | |
NOTIFICATION_MESSAGE: "Workflow has completed successfully!" | |
success_release: | |
needs: [configuration, attach_artifacts] | |
secrets: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@main | |
with: | |
NOTIFICATION_EMOJI: ":checkered_flag:" | |
NOTIFICATION_MESSAGE: "Release workflow has completed successfully!" | |
WORKFLOW_NAME: "release" |