
name: CI/CD

# Triggers: pushes to main*/devel-* branches and to any tag, every pull
# request, a daily schedule, and manual runs.
on:
  push:
    branches: ['main*', 'devel-*']
    tags: ['*']
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: '10 9 * * *'

# The workflow token starts with no scopes; each job declares only what it needs.
permissions: {}
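# NOTE(review): third-party actions are referenced by major-version tag
# (e.g. @v4); pinning to a commit SHA would make these references immutable.
jobs:
  dependencies:
    name: Test python/requirements.txt
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check requirements.txt
        # Each diff compares python/requirements.txt (with lines for other
        # Python versions filtered out and environment markers stripped) against
        # the matching requirements-*.txt; a "<" line means an entry is present
        # only on the left side, and the inverted grep turns that into a failure.
        run: |
          (diff -w <(grep -v -e "python_version > '3.7'" -e "python_version == '3.8'" -e "python_version > '3.8'" python/requirements.txt | sed -e "s/;.*//") python/requirements-3.7.txt || true) | (! grep -e "^<")
          (diff -w <(grep -v -e "python_version <= '3.7'" -e "python_version > '3.8'" python/requirements.txt | sed -e "s/;.*//") python/requirements-3.8.txt || true) | (! grep -e "^<")
          (diff -w <(grep -v -e "python_version <= '3.7'" -e "python_version == '3.8'" python/requirements.txt | sed -e "s/;.*//") python/requirements-post-3.8.txt || true) | (! grep -e "^<")
        shell: bash
      - name: Check for dependency updates
        # Advisory only: a non-empty `git diff` after the tox run is reported
        # but does not fail the workflow.
        continue-on-error: true
        run: |
          pip install tox
          tox
          git diff --exit-code
        shell: bash

  # The three test-* jobs call the same reusable workflow; the inputs are JSON
  # strings that the called workflow turns into its matrix.
  test-mac:
    name: "Test macOS"
    uses: "./.github/workflows/test-os.yml"
    with:
      os: '["macos-13", "macos-14", "macos-15"]'
      python-version: '["3.10", "3.11", "3.12", "3.13", "installed"]'
      include: >
        [
        {"os": "macos-13", "python-version": "3.8"},
        {"os": "macos-13", "python-version": "3.9"},
        ]

  test-lnx:
    name: "Test Ubuntu"
    uses: "./.github/workflows/test-os.yml"
    with:
      os: '["ubuntu-20.04", "ubuntu-22.04", "ubuntu-24.04"]'
      python-version: '["3.9", "3.10", "3.11", "3.12", "3.13", "installed"]'
      include: >
        [
        {"os": "ubuntu-20.04", "python-version": "3.7"},
        {"os": "ubuntu-20.04", "python-version": "3.8"},
        {"os": "ubuntu-22.04", "python-version": "3.8"},
        ]

  test-win:
    name: "Test Windows"
    uses: "./.github/workflows/test-os.yml"
    with:
      os: '["windows-2019", "windows-2022"]'
      python-version: '["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]'
      include: '[{"os": "windows-2022", "python-version": "installed"}]'

  publish:
    name: "Publish"
    needs: [test-mac, test-lnx, test-win]
    # we run the action from this branch whenever we can (when it runs in our repo's context)
    # i.e. not when cancelled, not for dependabot, and for pull requests only
    # when the head repository is this repository (fork PRs are skipped).
    if: >
      ! cancelled() &&
      github.event.sender.login != 'dependabot[bot]' &&
      ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository )
    uses: "./.github/workflows/publish.yml"
    # Write scopes are granted to the called workflow only; the workflow-level
    # default is no permissions.
    permissions:
      checks: write
      pull-requests: write
      security-events: write

  config-deploy:
    name: Configure Deployment
    needs: [test-mac, test-lnx, test-win]
    # do not build or deploy on forked repositories
    if: github.repository_owner == 'step-security'
    runs-on: ubuntu-latest
    outputs:
      image: ${{ steps.action.outputs.image }}
      image-exists: ${{ steps.image.outputs.exists }}
      image-version: ${{ steps.action.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Extract action image and version
        # we deploy from a specific commit on master (the one that mentions a new version the first time)
        # so we need to tell docker/metadata-action to extract docker tags from that version
        # The image reference is read from the `image:` line under `runs:` in
        # action.yml of the checked-out tree; the version is the part after the
        # last ":" of that reference.
        id: action
        run: |
          image=$(grep -A 10 "^runs:" action.yml | grep -E "^\s+image:\s" | sed -E -e "s/^\s+image:\s*'//" -e "s/docker:\/\///" -e "s/'\s*$//")
          version=$(cut -d : -f 2 <<< "$image")
          echo "image=$image" >>"$GITHUB_OUTPUT"
          echo "version=$version" >>"$GITHUB_OUTPUT"
        shell: bash
      - name: Check action image existence
        id: image
        env:
          DOCKER_CLI_EXPERIMENTAL: enabled
          # The image reference originates from file content in the checked-out
          # tree (which on pull_request events is the PR's tree); it is passed
          # through env so the shell never parses it as script syntax.
          IMAGE: ${{ steps.action.outputs.image }}
        # `exists` is only written when the manifest is found; otherwise the
        # job output `image-exists` stays empty.
        run: |
          if docker manifest inspect "$IMAGE"
          then
            echo "exists=true" >>"$GITHUB_OUTPUT"
          fi
        shell: bash

  deploy:
    name: Deploy to GitHub
    needs: [publish, config-deploy]
    # do not build or deploy on forked repositories
    if: github.repository_owner == 'step-security'
    runs-on: ubuntu-latest
    # packages: write is the only scope this job needs (GHCR push).
    permissions:
      packages: write
    outputs:
      image: ${{ steps.image.outputs.image }}
      digest: ${{ steps.build.outputs.digest }}
      should_push: ${{ steps.check_conditions.outputs.should_push }}
    steps:
      - name: Docker meta
        id: docker-meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/step-security/publish-unit-test-result-action
          flavor: |
            latest=false
            prefix=v
          # semver tags are derived from the version extracted from action.yml,
          # not from the git ref.
          tags: |
            type=sha
            type=ref,event=tag
            type=semver,pattern={{major}},value=${{ needs.config-deploy.outputs.image-version }}
            type=semver,pattern={{major}}.{{minor}},value=${{ needs.config-deploy.outputs.image-version }}
            type=semver,pattern={{version}},value=${{ needs.config-deploy.outputs.image-version }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        # Authenticates with the job-scoped GITHUB_TOKEN (packages: write above).
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Check Conditions
        id: check_conditions
        # Workflow expressions are passed through env rather than interpolated
        # into the script, so their values are never parsed as shell syntax.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_IS_MAIN: ${{ startsWith(github.ref, 'refs/heads/main') }}
          IMAGE_EXISTS: ${{ needs.config-deploy.outputs.image-exists }}
        # Push only for pushes to a main* ref whose image is not already in the
        # registry. REF_IS_MAIN is the literal string "true" or "false" and must
        # be compared explicitly: a bare `[[ false ]]` is a non-empty string and
        # therefore succeeds, which would silently disable the branch guard.
        run: |
          should_push_value='false'
          if [[ "$EVENT_NAME" == 'push' && "$REF_IS_MAIN" == 'true' && "$IMAGE_EXISTS" != 'true' ]]; then
            should_push_value='true'
          fi
          echo "should_push=$should_push_value" >> "$GITHUB_OUTPUT"
        shell: bash
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        id: build
        with:
          tags: ${{ steps.docker-meta.outputs.tags }}
          labels: ${{ steps.docker-meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          pull: true
          # deploy image actions from commits pushed to main and
          # deploy Dockerfile actions from pushed version tags (no major versions)
          # NOTE(review): check_conditions as written only allows main-branch
          # pushes; tag pushes are not covered by it — confirm intent.
          push: ${{ steps.check_conditions.outputs.should_push }}
      - name: Output image
        id: image
        env:
          IMAGE_REGISTRY: ghcr.io
          IMAGE_NAME: ${{ github.repository }}
        run: |
          # NOTE: Set the image as an output because the `env` context is not
          # available to the inputs of a reusable workflow call.
          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
          echo "image=$image_name" >> "$GITHUB_OUTPUT"
        shell: bash

  provenance:
    needs: [deploy]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    # Only attest images that were actually pushed.
    if: ${{ needs.deploy.outputs.should_push == 'true' }}
    # NOTE(review): the reusable-workflow reference below appears garbled in
    # this rendering; it should be a "<workflow path>@<pinned version>" reference
    # into the slsa-github-generator repository — restore it from the source file.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: ${{ needs.deploy.outputs.image }}
      digest: ${{ needs.deploy.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  event_file:
    name: "Event File"
    runs-on: ubuntu-latest
    # Stores the triggering event payload as an artifact for downstream use.
    steps:
      - name: Upload
        uses: actions/upload-artifact@v4
        with:
          name: Event File
          path: ${{ github.event_path }}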