summaryrefslogtreecommitdiffstats
path: root/.github/workflows/gerrit-verify.yaml
blob: 91849215af0ff6f6bf39fd7365fd5fc9183c70ba (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
---
name: Call Gerrit Verify

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
    inputs:
      GERRIT_BRANCH:
        description: "Branch that change is against"
        required: true
        type: string
      GERRIT_CHANGE_ID:
        description: "The ID for the change"
        required: true
        type: string
      GERRIT_CHANGE_NUMBER:
        description: "The Gerrit number"
        required: true
        type: string
      GERRIT_CHANGE_URL:
        description: "URL to the change"
        required: true
        type: string
      GERRIT_EVENT_TYPE:
        description: "Type of Gerrit event"
        required: true
        type: string
      GERRIT_PATCHSET_NUMBER:
        description: "The patch number for the change"
        required: true
        type: string
      GERRIT_PATCHSET_REVISION:
        description: "The revision sha"
        required: true
        type: string
      GERRIT_PROJECT:
        description: "Project in Gerrit"
        required: true
        type: string
      GERRIT_REFSPEC:
        description: "Gerrit refspec of change"
        required: true
        type: string
    secrets:
      GERRIT_SSH_PRIVKEY:
        description: "SSH Key for the authorized user account"
        required: true

concurrency:
  # yamllint disable-line rule:line-length
  group: gerrit-verify-${{ github.workflow }}-${{ github.event.inputs.GERRIT_BRANCH}}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
  cancel-in-progress: true

jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      - name: Clear votes
        # yamllint disable-line rule:line-length
        uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
        with:
          host: ${{ vars.GERRIT_SERVER }}
          username: ${{ vars.GERRIT_SSH_USER }}
          key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
          known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
          gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
          gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
          vote-type: clear
          comment-only: true
      - name: Allow replication
        run: sleep 10s

  actionlint:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Gerrit Checkout
        # yamllint disable-line rule:line-length
        uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
        with:
          gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
          gerrit-project: ${{ inputs.GERRIT_PROJECT }}
          gerrit-url: ${{ vars.GERRIT_URL }}
          delay: "0s"
      - name: Download actionlint
        id: get_actionlint
        # yamllint disable-line rule:line-length
        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
        shell: bash
      - name: Check workflow files
        run: ${{ steps.get_actionlint.outputs.executable }} -color
        shell: bash

  # run pre-commit tox env separately to get use of more parallel processing
  pre-commit:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Gerrit Checkout
        # yamllint disable-line rule:line-length
        uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
        with:
          gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
          gerrit-project: ${{ inputs.GERRIT_PROJECT }}
          gerrit-url: ${{ vars.GERRIT_URL }}
          delay: "0s"
      # yamllint disable-line rule:line-length
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version: "3.11"
      - name: Run static analysis and format checkers
        run: pipx run pre-commit run --all-files --show-diff-on-failure

  checkov-scan:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Gerrit Checkout
        # yamllint disable-line rule:line-length
        uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
        with:
          gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
          gerrit-project: ${{ inputs.GERRIT_PROJECT }}
          gerrit-url: ${{ vars.GERRIT_URL }}
          delay: "0s"
          submodules: "true"
      - name: Checkov GitHub Action
        uses: bridgecrewio/checkov-action@v12
        with:
          output_format: cli,sarif
          output_file_path: console,results.sarif

  vote:
    if: ${{ always() }}
    needs: [prepare, actionlint, pre-commit, checkov-scan]
    runs-on: ubuntu-latest
    steps:
      - name: Get conclusion
        uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
      - name: Set vote
        # yamllint disable-line rule:line-length
        uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
        with:
          host: ${{ vars.GERRIT_SERVER }}
          username: ${{ vars.GERRIT_SSH_USER }}
          key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
          known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
          gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
          gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
          vote-type: ${{ env.WORKFLOW_CONCLUSION }}
          comment-only: true