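# This file is maintained by Walter CI, and may be rewritten.
# https://github.com/piotr-yuxuan/walter-ci
#
# You are free to remove this project from the Walter CI realm by opening
# a PR. You may also create another workflow besides this one.
---
name: Walter CI

# The key is quoted because a YAML 1.1 parser reads a bare `on` as boolean true.
'on':
  # `null` means "any activity type" for this event.
  repository_dispatch: null
  workflow_dispatch:
    inputs:
      walter-version:
        description: Walter bin version
        required: false
        type: string
  push:
    branches: '**'
  schedule:
    # Quoted: the value is a string, and `*` is a YAML alias sigil.
    - cron: '28 6,18 * * *'

# One run at a time for the whole workflow; a newer trigger cancels the older run.
concurrency:
  group: walter-ci
  cancel-in-progress: true

env:
  # NOTE(review): workflow-level `env` values are not shell-expanded by the
  # runner, so `${HOME}` is passed literally here unless the walter-ci action
  # rewrites it — confirm.
  GIT_ASKPASS: ${HOME}/.walter-ci/bin/askpass.sh
  GIT_AUTHOR_EMAIL: ${{ secrets.WALTER_GIT_EMAIL }}
  GIT_AUTHOR_NAME: ${{ secrets.WALTER_AUTHOR_NAME }}
  GIT_COMMITTER_EMAIL: ${{ secrets.WALTER_GIT_EMAIL }}
  GIT_COMMITTER_NAME: ${{ secrets.WALTER_AUTHOR_NAME }}
  # Exported to every step of every job below, including the third-party
  # scanner actions, so those actions should stay pinned to commit SHAs.
  GIT_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
  # Empty unless the run was started via workflow_dispatch.
  WALTER_VERSION: ${{ github.event.inputs.walter-version }}

# NOTE(review): no workflow-level `permissions:` is set, so jobs without their
# own block inherit the repository's default GITHUB_TOKEN scope. The jobs that
# commit and push need `contents: write`; a workflow-level block granting only
# that (plus what the scanner jobs declare) would be the least-privilege shape.
jobs:
  security-sarif-clojure:
    runs-on: ubuntu-latest
    name: 'Security: clojure,clj-holmes'
    # Least privilege for a scan-and-upload job: upload-sarif needs
    # `security-events: write`, checkout needs `contents: read`, and
    # `actions: read` is required on private repositories.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # TODO(review): `@main` is a mutable ref; pin to a commit SHA like the
      # other third-party actions in this file.
      - uses: actions/checkout@main
      - uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
        with:
          output-type: sarif
          output-file: clj-holmes.sarif
          # Action inputs are strings; quoting keeps the boolean-looking value literal.
          fail-on-result: 'false'
      - run: cat clj-holmes.sarif
      - name: Upload analysis results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: clj-holmes.sarif
          wait-for-processing: true

  security-policy:
    runs-on: ubuntu-latest
    name: 'Security: policy'
    # Runs after every scanner so the policy reflects the current results.
    needs:
      - security-nvd
      - security-sarif-clojure
      - security-sarif-terraform
      - security-sarif-trivy
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: |-
          walter security-policy \
          --current-version $(awk '{$1=$1};1' < ./resources/*.version) \
          --current-commit $(git rev-parse HEAD)
      # Commit-and-push pattern shared by the self-updating jobs in this file:
      # stage, detect staged changes through the diff exit code, then commit and
      # push only when something changed.
      - run: git add .
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Security policy for version $(awk '{$1=$1};1' < ./resources/*.version)"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  security-nvd:
    runs-on: ubuntu-latest
    name: 'Security: clojure,nvd'
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@8f1e2e02865c42348f9baddbbaafb1841dce610a
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-nvd-${{ hashFiles('**/project.clj') }}
          restore-keys: ${{ runner.os }}-maven-
      # Drops the legacy report file; the CSV below replaces it.
      - run: git rm "./doc/Known vulnerabilities.txt"
        continue-on-error: true
      - run: clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd
      # Non-zero exit signals findings, not a broken scan; the report is still
      # produced, so the job carries on and records it.
      - run: clojure -Tnvd nvd.task/check :classpath '"'"$(lein with-profile -user,-dev classpath)"'"'
        continue-on-error: true
      - run: bb "$HOME/.walter-ci/cut-nvd.clj" ./target/nvd/dependency-check-report.csv
        continue-on-error: true
      - run: cp ./target/nvd/dependency-check-report.csv ./doc/known-vulnerabilities.csv
      - run: git add ./doc/known-vulnerabilities.csv
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Update known vulnerabilities"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  clj-kondo:
    runs-on: ubuntu-latest
    name: clj-kondo, a linter for Clojure
    steps:
      # TODO(review): mutable ref; pin to a commit SHA.
      - uses: actions/checkout@main
      - uses: DeLaGuardo/setup-clj-kondo@afc83dbbf4e7e32e04649e29dbf30668d30e9e3e
        with:
          # Quoted so the dotted version is never read as a number.
          version: '2022.04.08'
      # Findings are emitted as GitHub workflow-command warnings.
      # NOTE(review): `file={(unknown)}` in the pattern looks like a placeholder
      # rather than a template key — confirm the intended pattern.
      - run: clj-kondo --lint src --config '{:output {:pattern "::warning file={(unknown)},line={{row}},col={{col}}::{{message}}"}}'
        continue-on-error: true

  conform-repository:
    runs-on: ubuntu-latest
    name: Conform GitHub repository
    # NOTE(review): this job uses a separate account credential
    # (WALTER_GITHUB_PASSWORD) rather than GITHUB_TOKEN; presumably the
    # repository settings it touches are outside the token's scope — verify.
    env:
      WALTER_ACTOR: ${{ secrets.WALTER_ACTOR }}
      WALTER_GITHUB_PASSWORD: ${{ secrets.WALTER_GITHUB_PASSWORD }}
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: walter conform-repository
      - run: git add .github/CODEOWNERS.yml
        continue-on-error: true
      - run: git add .github/FUNDING.yml
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Conform repository"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  update-gitignore:
    runs-on: ubuntu-latest
    name: Update .gitignore
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: walter update-git-ignore
      - run: git add .gitignore
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Update .gitignore"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  detect-secrets:
    runs-on: ubuntu-latest
    name: 'Security: secrets'
    steps:
      # TODO(review): mutable ref; pin to a commit SHA.
      - uses: actions/checkout@main
      - uses: reviewdog/action-detect-secrets@c29dcff1bd0ac2e4ea528311abac6fdd2d8bb13a
        with:
          github_token: ${{ secrets.github_token }}
          # Report-only: findings are annotated but do not fail the job.
          fail_on_error: 'false'

  security-sarif-terraform:
    runs-on: ubuntu-latest
    name: 'Security: tfsec'
    # Same least-privilege set as the other SARIF upload jobs.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # TODO(review): mutable ref; pin to a commit SHA.
      - uses: actions/checkout@main
      - uses: aquasecurity/tfsec-sarif-action@9b703869c5108700605056134506e274ef6e9bd3
        with:
          sarif_file: tfsec.sarif
      - run: cat tfsec.sarif
      - name: Upload analysis results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif
          wait-for-processing: true

  list-licenses:
    runs-on: ubuntu-latest
    name: List dependency licenses
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Runs after the walter-ci step, which is what checks the repository out
      # (see the other jobs: `git rm`/`git commit` follow it with no checkout
      # step of their own). Placed first, the workspace was still empty, so the
      # removal always failed silently under continue-on-error.
      - run: git rm "./doc/Licenses.csv"
        continue-on-error: true
      - run: lein with-profile uberjar licenses :csv > ./doc/licences.csv
      # `{,}` is bash brace expansion: sort the file in place.
      - run: sort -o ./doc/licences.csv{,}
        continue-on-error: true
      # Prepends the CSV header row after sorting so it stays on top.
      - run: awk -i inplace 'BEGINFILE{print "Library name,Version,License name"}{print}' ./doc/licences.csv
      - run: git add ./doc/licences.csv
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "List dependency licences"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  ns-sort:
    runs-on: ubuntu-latest
    name: Sort namespace forms
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: lein help
      - run: lein ns-sort
      - run: git add .
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Sort namespace forms"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  idiomatic-code:
    runs-on: ubuntu-latest
    name: Idiomatic code
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: clojure -M:lint/idiom -- --replace
      - run: git add .
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "More idiomatic code"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  security-sarif-trivy:
    runs-on: ubuntu-latest
    name: 'Security: general,clojure'
    env:
      # NOTE(review): job-level `env` is not shell-expanded either; `${HOME}`
      # reaches the action literally — confirm it is resolved somewhere.
      TRIVY_CACHE_DIR: ${HOME}/.trivy-cache-dir
    needs: []
    # `contents: read` / `actions: read` added alongside the existing
    # `security-events: write`, matching the other SARIF upload jobs.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: lein uberjar
      - run: lein with-profile uberjar pom
      # TODO(review): `@master` is a mutable ref on a scanner that also sees
      # GITHUB_TOKEN via the workflow-level env; pin to a commit SHA.
      - uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: fs
          scan-ref: .
          # NOTE(review): action inputs are literal strings; whether
          # `${TRIVY_CACHE_DIR}` is expanded depends on the action's entrypoint.
          cache-dir: ${TRIVY_CACHE_DIR}
          security-checks: vuln,config
          output: trivy-results.sarif
          ignore-unfixed: false
          format: sarif
      - run: cat trivy-results.sarif
      - name: Upload analysis results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          wait-for-processing: true

  update-dependencies:
    runs-on: ubuntu-latest
    name: Update dependency versions
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: lein ancient upgrade :no-tests :all :recursive :check-clojure :allow-qualified
      # Test suite gates the upgrade commit: a failing run stops the job before
      # anything is committed.
      - run: lein with-profile +walter/kaocha,+kaocha run -m kaocha.runner --skip-meta :slow --skip-meta :perf
      - run: git add .
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Update dependency versions"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase

  code-coverage:
    runs-on: ubuntu-latest
    name: Code coverage
    steps:
      - uses: piotr-yuxuan/walter-ci@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@8f1e2e02865c42348f9baddbbaafb1841dce610a
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-perf-${{ hashFiles('**/project.clj') }}
          restore-keys: ${{ runner.os }}-maven-
      # Clears the previous report so removed files do not linger.
      - run: git rm ./doc/code-coverage/
        continue-on-error: true
      - run: lein with-profile +walter/kaocha,+kaocha run -m kaocha.runner --plugin cloverage --cov-output ./doc/code-coverage --skip-meta :slow --skip-meta :perf --cov-text --cov-html
      - run: git add ./doc/code-coverage/**.{txt,css,html}
        continue-on-error: true
      - run: git diff --staged --exit-code
        continue-on-error: true
        id: diff
      - run: git commit --message "Update code coverage"
        if: steps.diff.outcome == 'failure'
      - name: git push
        run: walter retry
        if: steps.diff.outcome == 'failure'
        env:
          WALTER_TRY: git push
          WALTER_BEFORE_RETRY: git pull --rebase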