Skip to content

ci: use reusable workflow for semgrep #1868

ci: use reusable workflow for semgrep

ci: use reusable workflow for semgrep #1868

on:
push:
branches:
- "main"
- "develop"
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- "**"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
jobs:
meta:
runs-on: ubuntu-latest
outputs:
matrix_supportedSplunk: ${{ steps.matrix.outputs.supportedSplunk }}
steps:
- uses: actions/checkout@v4
- id: matrix
uses: splunk/addonfactory-test-matrix-action@v1
fossa-scan:
continue-on-error: true
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: run fossa anlyze and create report
run: |
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
fossa analyze --debug
fossa report attribution --format text > /tmp/THIRDPARTY
env:
FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
- name: upload THIRDPARTY file
uses: actions/upload-artifact@v4
with:
name: THIRDPARTY
path: /tmp/THIRDPARTY
- name: run fossa test
run: |
fossa test --debug
env:
FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
compliance-copyrights:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: apache/skywalking-eyes@v0.6.0
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.7"
- uses: pre-commit/action@v3.0.1
semgrep:
uses: splunk/sast-scanning/.github/workflows/sast-scan.yml@main
secrets:
SEMGREP_KEY: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
test-splunk-unit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
submodules: true
- name: Install dependencies
run: |
curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1
poetry install
poetry run pytest -v tests/unit
test-splunk-external:
runs-on: ubuntu-latest
needs:
- meta
- pre-commit
- fossa-scan
- compliance-copyrights
- test-splunk-unit
strategy:
fail-fast: false
matrix:
splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
steps:
- uses: actions/checkout@v4
with:
submodules: true
- name: Setup for testing
run: |
pip install git+https://github.com/pixelb/crudini
mkdir test-results-${{ matrix.splunk.version }}
- name: Test
run: |
export SPLUNK_APP_PACKAGE=./tests/e2e/addons/TA_fiction_indextime
export SPLUNK_ADDON=TA_fiction_indextime
export SPLUNK_APP_ID=TA_fiction_indextime
export SPLUNK_VERSION=${{ matrix.splunk.version }}
export SPLUNK_HEC_TOKEN="9b741d03-43e9-4164-908b-e09102327d22"
echo $SPLUNK_VERSION
docker compose -f "docker-compose-ci.yml" build
SPLUNK_PASSWORD=Chang3d! docker compose -f docker-compose-ci.yml up --abort-on-container-exit
docker volume ls
- name: Collect Results
run: |
docker volume ls
docker container create --name dummy \
-v pytest-splunk-addon_results:/work/test-results \
registry.access.redhat.com/ubi7/ubi
docker cp dummy:/work/test-results/test.xml test-results-${{ matrix.splunk.version }}
- uses: actions/upload-artifact@v4
if: always()
with:
name: splunk ${{ matrix.splunk.version }} external test artifacts
path: |
test-results-${{ matrix.splunk.version }}
test-splunk-matrix:
needs:
- meta
- pre-commit
- fossa-scan
- compliance-copyrights
- test-splunk-unit
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
test-marker: [
"splunk_connection_docker",
"splunk_app_fiction",
"splunk_app_broken",
"splunk_app_cim_fiction",
"splunk_app_cim_broken",
"splunk_fiction_indextime",
"splunk_fiction_indextime_broken",
"splunk_fiction_indextime_wrong_hec_token",
"splunk_setup_fixture",
"splunk_app_req",
"splunk_app_req_broken",
"splunk_cim_model_ipv6_regex",
]
steps:
- uses: actions/checkout@v4
with:
submodules: true
- uses: actions/setup-python@v5
with:
python-version: 3.7
- run: |
curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1
poetry install
poetry run pytest -v --splunk-version=${{ matrix.splunk.version }} -m docker -m ${{ matrix.test-marker }} tests/e2e
publish:
needs:
- test-splunk-external
- test-splunk-matrix
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Very Important semantic-release won't trigger a tagged
# build if this is not set false
submodules: false
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: "3.7"
- uses: actions/download-artifact@v4
with:
name: THIRDPARTY
- name: Update Notices
run: cp -f THIRDPARTY NOTICE
- name: Install Poetry
run: |
curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1
- id: semantic
uses: splunk/semantic-release-action@v1.3
with:
git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
extra_plugins: |
semantic-release-replace-plugin
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
- if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
run: |
poetry build
poetry publish -n -u ${{ secrets.PYPI_USERNAME }} -p ${{ secrets.PYPI_TOKEN }}