From 10f3ae0e04d3c5e4240112b01f9d82c77f5b8f80 Mon Sep 17 00:00:00 2001 From: Nicolas Drebenstedt Date: Fri, 14 Jun 2024 15:15:20 +0200 Subject: [PATCH 1/3] add release pipeline to mex-template itself --- .github/workflows/release.yml | 85 +++++++++++++++++++++++++++++++++++ CHANGELOG.md | 1 + Makefile | 10 +++++ mex.bat | 14 ++++++ requirements.txt | 5 +++ 5 files changed, 115 insertions(+) create mode 100644 .github/workflows/release.yml create mode 100644 Makefile create mode 100644 mex.bat create mode 100644 requirements.txt diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..afd892a --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,85 @@ +name: Release + +run-name: bump ${{ inputs.version }} version by @${{ github.actor }} + +on: + workflow_dispatch: + inputs: + version: + type: choice + description: 'part of the project version to update' + options: + - major + - minor + - patch + required: true + +env: + PIP_NO_OPTION: on + PIP_NO_CLEAN: on + PIP_PREFER_BINARY: on + +permissions: + contents: write + packages: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false + +jobs: + release: + runs-on: ubuntu-latest + timeout-minutes: 10 + outputs: + tag: ${{ steps.release.outputs.tag }} + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Cache requirements + uses: actions/cache@v4 + env: + cache-name: cache-requirements + with: + path: ~/.cache/pip + key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }} + restore-keys: | + ${{ env.cache-name }}- + + - name: Setup python + uses: actions/setup-python@v5 + with: + python-version: 3.11 + + - name: Install requirements + run: make setup + + - name: Configure git + env: + SIGNING_KEY: ${{ secrets.SIGNING_KEY }} + SIGNING_PUB: ${{ secrets.SIGNING_PUB }} + run: | + {% raw -%} + eval "$(ssh-agent -s)" + install --directory ~/.ssh --mode 700 + base64 -d <<< '${{ secrets.SIGNING_KEY }}' > ~/.ssh/mex + base64 -d <<< '${{ secrets.SIGNING_PUB }}' > ~/.ssh/mex.pub + chmod 600 ~/.ssh/* + ssh-add ~/.ssh/mex + git config --local user.email ${{ vars.MEX_BOT_EMAIL }} + git config --local user.name ${{ vars.MEX_BOT_USER }} + git config --local gpg.format ssh + git config --local user.signingkey ~/.ssh/mex.pub + git config --local commit.gpgsign true + {%- endraw %} + + - name: Release new version + id: release + env: + GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} + run: | + pdm release ${{ inputs.version }} + echo "tag=$(git describe --abbrev=0 --tags)" >> "$GITHUB_OUTPUT" diff --git a/CHANGELOG.md b/CHANGELOG.md index bd06c4c..160f240 100644 --- a/CHANGELOG.md 
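Review bot: The `{% raw -%}` and `{%- endraw %}` lines inside the `Configure git` run script are Jinja markers from the cookiecutter template, but this file sits in the repository's own `.github/workflows/` where nothing renders it, so bash will try to run `{%` as a command and the step fails under the default `bash -e` shell; unless this root file is also rendered by cookiecutter, both lines should be dropped. The step also declares `SIGNING_KEY` and `SIGNING_PUB` under `env:` and never reads them, inlining `${{ secrets.SIGNING_KEY }}` into the script instead; reading the environment variable keeps the secret out of the generated script text and survives a key containing a single quote: `base64 -d <<< "$SIGNING_KEY" > ~/.ssh/mex` and `base64 -d <<< "$SIGNING_PUB" > ~/.ssh/mex.pub`. The same applies to `${{ vars.MEX_BOT_EMAIL }}` and `${{ vars.MEX_BOT_USER }}`, which are passed to `git config` unquoted; routing them through `env:` and quoting `"$MEX_BOT_EMAIL"` avoids word-splitting and the usual expression-in-`run:` injection pattern. Minor: `PIP_NO_OPTION: on` and its siblings are YAML 1.1 booleans rather than strings and `python-version: 3.11` is a float, so quoting them (`"on"`, `"3.11"`) preserves the values as written.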
+++ b/CHANGELOG.md @@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - add hint to PR template to explain testing for template changes - configure sensible concurrency rules for all workflows - add distribution upload step to release pipeline +- add release pipeline to mex-template itself ### Changes diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..30cbeaf --- /dev/null +++ b/Makefile @@ -0,0 +1,10 @@ +.PHONY: all setup +all: setup + +LATEST = $(shell git describe --tags $(shell git rev-list --tags --max-count=1)) +PWD = $(shell pwd) + +setup: + # install meta requirements system-wide + @ echo installing requirements; \ + pip --disable-pip-version-check install --force-reinstall -r requirements.txt; \ diff --git a/mex.bat b/mex.bat new file mode 100644 index 0000000..ba47c28 --- /dev/null +++ b/mex.bat @@ -0,0 +1,14 @@ +@echo off + +set target=%1 + +if "%target%"=="install" goto install +echo invalid argument %target% +exit /b 1 + + +:install +@REM install meta requirements system-wide +echo installing requirements +pip --disable-pip-version-check install --force-reinstall -r requirements.txt +if %errorlevel% neq 0 exit /b %errorlevel% diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..bd9a68c --- /dev/null +++ b/requirements.txt @@ -0,0 +1,5 @@ +cruft==2.15.0 +mex-release @ git+https://github.com/robert-koch-institut/mex-release.git +pdm==2.15.4 +pre-commit==3.7.1 +wheel==0.43.0 From a20564a39859897339c118cdd71a2c1e8887938e Mon Sep 17 00:00:00 2001 From: Nicolas Drebenstedt Date: Fri, 14 Jun 2024 15:19:06 +0200 Subject: [PATCH 2/3] Add gh release distro --- .github/workflows/release.yml | 35 +++++++++++++++++++ .../.github/workflows/release.yml | 3 +- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index afd892a..22ef12b 100644 --- a/.github/workflows/release.yml 
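Review bot: `LATEST` and `PWD` are assigned but never referenced by the only recipe, `setup`, so they are dead code here, and the `PWD` assignment most likely replaces the environment value that recipes would otherwise inherit. Dropping both lines, or keeping only the one a future target needs, makes the Makefile match what `make setup` in the release workflow actually exercises. The trailing `; \` on the last `pip` line continues into nothing and reads like a leftover from a removed command; ending the recipe with `pip --disable-pip-version-check install --force-reinstall -r requirements.txt` is cleaner. If the `# install meta requirements system-wide` line is tab-indented it is passed to the shell and echoed, which is harmless but noisy; placing it above the `setup:` line keeps it a make comment.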
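Review bot: The batch entry point accepts `install` while the Makefile and the release workflow use `setup` (`make setup`), so the two platform front-ends expose different names for the same action. Aligning `mex.bat` on `setup` (`if "%target%"=="setup" goto setup` with a matching `:setup` label), or accepting both spellings, avoids a documentation split between Windows and Unix users. The recipe body otherwise mirrors the Makefile's `pip` invocation, so behaviour is consistent apart from the name.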
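Review bot: `mex-release @ git+https://github.com/robert-koch-institut/mex-release.git` is the only unpinned entry in a file where every other dependency is pinned to an exact version, and it is installed with `--force-reinstall` by both the Makefile and `mex.bat`, so whatever the default branch holds at run time becomes part of the release tooling. Pinning it to a tag or commit, e.g. `mex-release @ git+https://github.com/robert-koch-institut/mex-release.git@<release-tag-or-sha>`, makes installs reproducible and lets the `hashFiles('requirements.txt')` cache key in the workflow actually track the version in use.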
+++ b/.github/workflows/release.yml @@ -83,3 +83,38 @@ jobs: run: | pdm release ${{ inputs.version }} echo "tag=$(git describe --abbrev=0 --tags)" >> "$GITHUB_OUTPUT" + + distribute: + runs-on: ubuntu-latest + timeout-minutes: 10 + needs: release + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Cache requirements + uses: actions/cache@v4 + env: + cache-name: cache-requirements + with: + path: ~/.cache/pip + key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }} + restore-keys: | + ${{ env.cache-name }}- + + - name: Setup python + uses: actions/setup-python@v5 + with: + python-version: 3.11 + + - name: Install requirements + run: make setup + + - name: Build wheel and sdist distros and create a github release + env: + GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} + PDM_CHECK_UPDATE: False + run: | + gh release create ${{ needs.release.outputs.tag }} --generate-notes --latest --verify-tag diff --git a/mex-{{ cookiecutter.project_name }}/.github/workflows/release.yml b/mex-{{ cookiecutter.project_name }}/.github/workflows/release.yml index 12b0d7d..1dbb6fb 100644 --- a/mex-{{ cookiecutter.project_name }}/.github/workflows/release.yml +++ b/mex-{{ cookiecutter.project_name }}/.github/workflows/release.yml @@ -113,6 +113,7 @@ jobs: {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}{% endraw %} restore-keys: | {% raw %}${{ env.cache-name }}-{% endraw %} + - name: Setup python uses: actions/setup-python@v5 with: @@ -127,8 +128,8 @@ jobs: PDM_CHECK_UPDATE: False run: | {% raw -%} - pdm build --dest dist gh release create ${{ needs.release.outputs.tag }} --generate-notes --latest --verify-tag + pdm build --dest dist for filename in dist/*; do gh release upload ${{ needs.release.outputs.tag }} $(unknown); done From 9ee8ba7628580d0347b949960be0e91ca141235f Mon Sep 17 00:00:00 2001 
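Review bot: The step is named `Build wheel and sdist distros and create a github release`, but its run script only executes `gh release create`; nothing builds or uploads distributions, and the preceding `Cache requirements`, `Setup python` and `Install requirements` steps in this job then have no consumer. Either the name and the setup steps should shrink to what `gh release create` needs, or the script should do what the name says, as the template's copy does with a build step and an upload loop: `pdm build --dest dist` followed by `for filename in dist/*; do gh release upload ${{ needs.release.outputs.tag }} "$filename"; done`. `PDM_CHECK_UPDATE: False` is parsed as a YAML 1.1 boolean before the runner sees it; writing `PDM_CHECK_UPDATE: "False"` states the intent. This hunk begins inside the `jobs:` mapping, whose `release` job is mostly outside the hunk.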
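Review bot: After this reorder `gh release create` runs before `pdm build --dest dist`, so a build failure leaves a published `--latest` release with generated notes but no distribution files attached. If the release has to exist before uploading, creating it with `--draft` and promoting it after the loop (`gh release edit ${{ needs.release.outputs.tag }} --draft=false`) keeps consumers from seeing an empty release in the meantime. The step body presumably continues past `done` outside the hunk, so the closing template tag is not visible here.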
From: Nicolas Drebenstedt Date: Fri, 14 Jun 2024 15:23:13 +0200 Subject: [PATCH 3/3] add cve --- .github/workflows/cve-scan.yml | 42 ++++++++++++++++++++++++++++++++++ CHANGELOG.md | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/cve-scan.yml diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml new file mode 100644 index 0000000..add92f0 --- /dev/null +++ b/.github/workflows/cve-scan.yml @@ -0,0 +1,42 @@ +name: CVE Scan + +on: + push: + pull_request: + types: + - opened + - reopened + - synchronize + schedule: + - cron: "14 3 * * 1-5" + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + scan: + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Run trivy + uses: aquasecurity/trivy-action@master + with: + format: 'sarif' + list-all-pkgs: 'true' + output: 'trivy-results.sarif' + scan-ref: '.' + scan-type: 'fs' + severity: 'MEDIUM,HIGH,CRITICAL' + + - name: Publish results + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' diff --git a/CHANGELOG.md b/CHANGELOG.md index 160f240..2887b6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - add hint to PR template to explain testing for template changes - configure sensible concurrency rules for all workflows - add distribution upload step to release pipeline -- add release pipeline to mex-template itself +- add release and cve pipelines to mex-template itself ### Changes
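Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a moving branch, so the workflow meant to surface vulnerable dependencies can itself change on any run; pin it to a release tag or, better, a full commit SHA with the version noted alongside, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # <release-tag>`. The workflow also declares no `permissions:` block, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write`; on repositories whose default token is read-only the publish step fails, so add a workflow-level `permissions:` with `contents: read` and `security-events: write`. As far as the inputs shown go, the action's exit code is left at its default, so findings are only published to code scanning and never fail the run — fine if intended, but worth a one-line comment above the `Run trivy` step.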