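---
# Nightly release pipeline: cut a GitHub release when a new git tag has appeared
# since the last published release, then build and attach per-platform binaries.
name: Nightly Run

on:
  schedule:
    # daily at 23:00 UTC
    - cron: "0 23 * * *"
  workflow_dispatch:

# Workflow-wide default is read-only; jobs that publish raise it to
# `contents: write` individually below.
permissions:
  contents: read

jobs:
  # Decide whether a release is due and, if so, create it and refresh CHANGELOG.md.
  github-release:
    runs-on: [self-hosted, public, linux, x64]
    environment: release
    permissions:
      contents: write
    steps:
      # NOTE(review): the tag comment says v3, but this SHA looks like a
      # checkout v4.x release — confirm so the comment matches the pin.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          # full history is needed for `git describe --tags` below
          fetch-depth: 0
          # PAT (not GITHUB_TOKEN) so the CHANGELOG commit pushed later is
          # made with the same credential that checked the repo out
          token: ${{ secrets.GH_PAT_SECRET }}

      # Outputs: create_release (true/false), latest_release_version (tag of the
      # newest published release), version (newest git tag in the clone).
      - name: Prepare Release
        id: prepare_release
        env:
          # passed through env rather than interpolated into the script so the
          # secret never appears in the rendered command line
          GH_TOKEN: ${{ secrets.GH_PAT_SECRET }}
        run: |
          # grab latest release and tag to compare and decide to create a new one
          create_release=true
          # authenticated call: unauthenticated API requests share a small
          # per-IP rate limit, which is easy to exhaust from a shared runner
          latest_gh_release=$(curl -sS -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/${{ github.repository }}/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")')
          latest_tag=$(git describe --abbrev=0 --tags)
          if [ "$latest_gh_release" = "$latest_tag" ]
          then
            create_release=false
          fi
          echo "create_release=$create_release" >> "$GITHUB_OUTPUT"
          echo "latest_release_version=$latest_gh_release" >> "$GITHUB_OUTPUT"
          echo "version=$latest_tag" >> "$GITHUB_OUTPUT"

      # Changelog covers commits between the last published release and the new tag.
      - name: Build GitHub Release changelog
        if: steps.prepare_release.outputs.create_release == 'true'
        id: build_github_release
        uses: mikepenz/release-changelog-builder-action@81ca5f10b8c238cbc36e53691a39273636d7d1f6 # v3
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}
        with:
          configuration: ".github/release-changelog-config.json"
          fromTag: ${{ steps.prepare_release.outputs.latest_release_version }}
          toTag: ${{ steps.prepare_release.outputs.version }}

      # The following three steps all key off a non-empty changelog, so a skipped
      # changelog build (no new tag) skips the release and the CHANGELOG commit too.
      - name: Create GitHub Release
        if: steps.build_github_release.outputs.changelog != ''
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        id: create_github_release
        with:
          tag_name: ${{ steps.prepare_release.outputs.version }}
          name: ${{ steps.prepare_release.outputs.version }}
          body: ${{ steps.build_github_release.outputs.changelog }}

      - name: Update CHANGELOG.md
        if: steps.build_github_release.outputs.changelog != ''
        uses: stefanzweifel/changelog-updater-action@ab89eeba5adfbb4ebdaabf7f1a17d76eec6c59c9 # v1
        with:
          latest-version: ${{ steps.prepare_release.outputs.version }}
          release-notes: ${{ steps.build_github_release.outputs.changelog }}

      - name: Commit updated CHANGELOG.md
        if: steps.build_github_release.outputs.changelog != ''
        uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
        with:
          commit_message: "chore: update release notes"
          file_pattern: CHANGELOG.md

    outputs:
      # empty when no release was created; downstream jobs gate on it
      upload_url: ${{ steps.create_github_release.outputs.upload_url }}
      version: ${{ steps.prepare_release.outputs.version }}

  # Build the PyInstaller binary on each hosted platform and attach it to the release.
  build-release-artifacts:
    strategy:
      matrix:
        include:
          # NOTE(review): macos-latest may now resolve to an arm64 runner while the
          # asset name below says X86_64 — confirm or pin an explicit x86_64 image.
          - os: macos-latest
            name: darwin
            suffix: ''
          - os: ubuntu-latest
            name: linux
            suffix: ''
          - os: windows-latest
            name: windows
            suffix: '.exe'
    needs: [github-release]
    if: needs.github-release.outputs.upload_url != ''
    runs-on: ${{ matrix.os }}
    permissions:
      contents: write
    env:
      # quoted so YAML does not read it as the float 3.8
      PYTHON_VERSION: "3.8"
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install deps and run pyinstaller
        run: |
          pipenv sync
          pipenv run pip install pyinstaller
      - name: Build executable
        run: pipenv run pyinstaller checkov.spec

      - name: Windows - Test executable
        if: matrix.os == 'windows-latest'
        shell: bash
        # make sure it doesn't crash
        run: ./dist/checkov.exe -s -d tests/terraform/checks/resource/alicloud
      - name: Windows - zip artifact
        if: matrix.os == 'windows-latest'
        run: tar.exe -a -c -f checkov.zip dist\\checkov.exe

      - name: Linux/Mac - Test executable
        if: matrix.os != 'windows-latest'
        # make sure it doesn't crash
        run: ./dist/checkov -s -d tests/terraform/checks/resource/alicloud
      - name: Linux/Mac - zip artifact
        if: matrix.os != 'windows-latest'
        run: zip checkov.zip dist/checkov

      # NOTE(review): the only action in this workflow not pinned to a commit SHA,
      # and the upstream repository appears to be archived. Pin it, or attach the
      # archive via the `files:` input of the softprops/action-gh-release step
      # already used in github-release.
      - name: Upload Release Asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.github-release.outputs.upload_url }}
          asset_path: checkov.zip
          asset_name: checkov_${{ matrix.name }}_X86_64_${{ needs.github-release.outputs.version }}.zip
          asset_content_type: application/zip

  # Same build for linux/arm64, run inside a python container on a self-hosted runner.
  build-release-artifact-linux-arm:
    needs: [github-release]
    if: needs.github-release.outputs.upload_url != ''
    runs-on: [self-hosted, public, linux, arm64]
    container:
      # keep in step with PYTHON_VERSION in build-release-artifacts; the tag is
      # mutable, so consider pinning by digest for a reproducible release build
      image: arm64v8/python:3.8
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install deps and run pyinstaller
        run: |
          pipenv sync
          pipenv run pip install pyinstaller
      - name: Build executable
        run: pipenv run pyinstaller checkov.spec
      - name: zip artifact
        run: |
          apt-get update
          # apt-get with -y: the `apt` front end is interactive and warns that
          # its CLI is not stable for scripts; without -y a prompt would hang
          apt-get install -y --no-install-recommends zip
          zip checkov.zip dist/checkov

      # NOTE(review): same unpinned, apparently archived action as in
      # build-release-artifacts — see the note there.
      - name: Upload Release Asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.github-release.outputs.upload_url }}
          asset_path: checkov.zip
          asset_name: checkov_linux_arm64_${{ needs.github-release.outputs.version }}.zip
          asset_content_type: application/zip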