authorJessica Wagantall <jwagantall@linuxfoundation.org>2024-09-25 13:17:55 -0700
committerJessica Wagantall <jwagantall@linuxfoundation.org>2024-09-25 13:17:55 -0700
commitc8e2b3383830395bb4bc37371a9c6119a316cb53 (patch)
tree41a192c691972f27fbed7e1ab07774cd8aa68213
parent2dbf14888235bf6140fe2e041e8681e15a725314 (diff)
CI: Add test (silent) checkov scan as part of the verify process
Issue-ID: CIMAN-33 Change-Id: I70b171824acb913f67fd28c119bfbcbc1cc1e470 Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
-rw-r--r--.github/workflows/gerrit-verify.yaml151
1 files changed, 151 insertions, 0 deletions
diff --git a/.github/workflows/gerrit-verify.yaml b/.github/workflows/gerrit-verify.yaml
new file mode 100644
index 0000000000..91849215af
--- /dev/null
+++ b/.github/workflows/gerrit-verify.yaml
@@ -0,0 +1,151 @@
+---
+name: Call Gerrit Verify
+
+# yamllint disable-line rule:truthy
+on:
+ workflow_dispatch:
+ inputs:
+ GERRIT_BRANCH:
+ description: "Branch that change is against"
+ required: true
+ type: string
+ GERRIT_CHANGE_ID:
+ description: "The ID for the change"
+ required: true
+ type: string
+ GERRIT_CHANGE_NUMBER:
+ description: "The Gerrit number"
+ required: true
+ type: string
+ GERRIT_CHANGE_URL:
+ description: "URL to the change"
+ required: true
+ type: string
+ GERRIT_EVENT_TYPE:
+ description: "Type of Gerrit event"
+ required: true
+ type: string
+ GERRIT_PATCHSET_NUMBER:
+ description: "The patch number for the change"
+ required: true
+ type: string
+ GERRIT_PATCHSET_REVISION:
+ description: "The revision sha"
+ required: true
+ type: string
+ GERRIT_PROJECT:
+ description: "Project in Gerrit"
+ required: true
+ type: string
+ GERRIT_REFSPEC:
+ description: "Gerrit refspec of change"
+ required: true
+ type: string
+ secrets:
+ GERRIT_SSH_PRIVKEY:
+ description: "SSH Key for the authorized user account"
+ required: true
+
+concurrency:
+ # yamllint disable-line rule:line-length
+ group: gerrit-verify-${{ github.workflow }}-${{ github.event.inputs.GERRIT_BRANCH}}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ prepare:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clear votes
+ # yamllint disable-line rule:line-length
+ uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
+ with:
+ host: ${{ vars.GERRIT_SERVER }}
+ username: ${{ vars.GERRIT_SSH_USER }}
+ key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+ known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+ gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+ gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+ vote-type: clear
+ comment-only: true
+ - name: Allow replication
+ run: sleep 10s
+
+ actionlint:
+ needs: prepare
+ runs-on: ubuntu-latest
+ steps:
+ - name: Gerrit Checkout
+ # yamllint disable-line rule:line-length
+ uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
+ with:
+ gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
+ gerrit-project: ${{ inputs.GERRIT_PROJECT }}
+ gerrit-url: ${{ vars.GERRIT_URL }}
+ delay: "0s"
+ - name: Download actionlint
+ id: get_actionlint
+ # yamllint disable-line rule:line-length
+ run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ shell: bash
+ - name: Check workflow files
+ run: ${{ steps.get_actionlint.outputs.executable }} -color
+ shell: bash
+
+ # run pre-commit tox env separately to get use of more parallel processing
+ pre-commit:
+ needs: prepare
+ runs-on: ubuntu-latest
+ steps:
+ - name: Gerrit Checkout
+ # yamllint disable-line rule:line-length
+ uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
+ with:
+ gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
+ gerrit-project: ${{ inputs.GERRIT_PROJECT }}
+ gerrit-url: ${{ vars.GERRIT_URL }}
+ delay: "0s"
+ # yamllint disable-line rule:line-length
+ - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ with:
+ python-version: "3.11"
+ - name: Run static analysis and format checkers
+ run: pipx run pre-commit run --all-files --show-diff-on-failure
+
+ checkov-scan:
+ needs: prepare
+ runs-on: ubuntu-latest
+ steps:
+ - name: Gerrit Checkout
+ # yamllint disable-line rule:line-length
+ uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
+ with:
+ gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
+ gerrit-project: ${{ inputs.GERRIT_PROJECT }}
+ gerrit-url: ${{ vars.GERRIT_URL }}
+ delay: "0s"
+ submodules: "true"
+ - name: Checkov GitHub Action
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+
+ vote:
+ if: ${{ always() }}
+ needs: [prepare, actionlint, pre-commit, checkov-scan]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get conclusion
+ uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
+ - name: Set vote
+ # yamllint disable-line rule:line-length
+ uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
+ with:
+ host: ${{ vars.GERRIT_SERVER }}
+ username: ${{ vars.GERRIT_SSH_USER }}
+ key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+ known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+ gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+ gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+ vote-type: ${{ env.WORKFLOW_CONCLUSION }}
+ comment-only: true
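Review bot: The new checkov step at `uses: bridgecrewio/checkov-action@v12` is pinned to a mutable tag while every other action in this file is pinned to a full commit SHA with a version comment; for consistency and supply-chain integrity pin it the same way, `uses: bridgecrewio/checkov-action@<commit-sha-for-v12> # v12`. The actionlint step in this same file fetches a script from the `main` branch and pipes it straight into bash without `-f`, so an HTTP error page would be executed rather than failing the step; at minimum use `run: bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)` and consider pinning to a release tag or verifying a checksum. The commit message describes the checkov scan as silent, but `checkov-scan` is listed in the `vote` job's `needs` and the step has no `soft_fail` or `continue-on-error`, so a finding fails the job and surfaces in the workflow conclusion that is posted back to Gerrit; if a non-blocking run is intended, add `soft_fail: true` under the step's `with:` (or `continue-on-error: true` on the job). The `results.sarif` requested via `output_file_path` is never uploaded or archived, so the SARIF output is discarded when the job ends.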