Added CI/CD stuff

dmotte · Nov 25, 2023 · 4090872 · 4090872
1 parent d79e0a6
commit 4090872
Show file tree

Hide file tree

Showing 7 changed files with 203 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
diff --git a/.github/workflows/cicd-with-script.yml b/.github/workflows/cicd-with-script.yml
@@ -0,0 +1,54 @@
+---
+name: cicd-with-script
+
+on:
+  workflow_call:
+    inputs:
+      path: { type: string, required: false, default: "" }
+      args: { type: string, required: false, default: "" }
+      env: { type: string, required: false, default: ">/dev/null" }
+    secrets:
+      secret01: { required: false }
+      secret02: { required: false }
+      secret03: { required: false }
+      secret04: { required: false }
+      secret05: { required: false }
+
+jobs:
+  prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dmotte/misc/actions/invoke-cicd-script@main
+        with: { path: scripts/cicd/generic-prettier.sh }
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dmotte/misc/actions/invoke-cicd-script@main
+        with: { path: scripts/cicd/generic-shellcheck.sh }
+
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dmotte/misc/actions/invoke-cicd-script@main
+        with: { path: scripts/cicd/generic-trivy.sh }
+
+  specific:
+    runs-on: ubuntu-latest
+    if: inputs.path != ''
+    needs: [prettier, shellcheck, trivy]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dmotte/misc/actions/invoke-cicd-script@main
+        with:
+          path: ${{ inputs.path }}
+          args: ${{ inputs.args }}
+          env: ${{ inputs.env }}
+          secret01: ${{ secrets.secret01 }}
+          secret02: ${{ secrets.secret02 }}
+          secret03: ${{ secrets.secret03 }}
+          secret04: ${{ secrets.secret04 }}
+          secret05: ${{ secrets.secret05 }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,12 @@
+---
+name: main
+
+on:
+  push: # All branches and tags
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  job:
+    uses: dmotte/misc/.github/workflows/cicd-with-script.yml@main
diff --git a/actions/invoke-cicd-script/action.yml b/actions/invoke-cicd-script/action.yml
@@ -0,0 +1,70 @@
+---
+name: invoke-cicd-script
+description: invoke-cicd-script
+
+inputs:
+  path:
+    description: Path of the script to invoke
+    required: true
+  args:
+    description: Arguments to be passed to the script, separated by spaces
+    required: false
+    default: ""
+  env:
+    description: Environment variables to be passed to the script
+    required: false
+    default: ">/dev/null"
+  secret01: { description: Secret, required: false, default: "" }
+  secret02: { description: Secret, required: false, default: "" }
+  secret03: { description: Secret, required: false, default: "" }
+  secret04: { description: Secret, required: false, default: "" }
+  secret05: { description: Secret, required: false, default: "" }
+
+runs:
+  using: composite
+  steps:
+    - id: invocation
+      shell: bash
+      env:
+        # Cron expression that triggered the workflow (if any)
+        CICD_CRON_EXPR: ${{ github.event.schedule }}
+        CICD_SECRET01: ${{ inputs.secret01 }}
+        CICD_SECRET02: ${{ inputs.secret02 }}
+        CICD_SECRET03: ${{ inputs.secret03 }}
+        CICD_SECRET04: ${{ inputs.secret04 }}
+        CICD_SECRET05: ${{ inputs.secret05 }}
+      run: |
+        set -ex
+
+        # Name of the Git ref that triggered the workflow (if any)
+        export CICD_GIT_REF="$GITHUB_REF"
+        # Path of the file in which to write the output variables
+        export CICD_OUTPUT="$GITHUB_OUTPUT"
+        # Path of the file in which to write the Markdown summary
+        export CICD_SUMMARY="$GITHUB_STEP_SUMMARY"
+
+        export ${{ inputs.env }}
+
+        bash \
+          "$(realpath "${{ github.action_path }}/../../${{ inputs.path }}")" \
+          ${{ inputs.args }}
+
+    - uses: actions/upload-artifact@v3
+      if: steps.invocation.outputs.artifact-name != ''
+      with:
+        name: ${{ steps.invocation.outputs.artifact-name }}
+        path: ${{ steps.invocation.outputs.artifact-path }}
+        if-no-files-found: error
+
+    - uses: softprops/action-gh-release@v1
+      # Note: this requires the contents:write permission to work
+      # Note: if the release already exists, this step just uploads the assets
+      if: steps.invocation.outputs.release-name != ''
+      with:
+        name: ${{ steps.invocation.outputs.release-name }}
+        tag_name: ${{ steps.invocation.outputs.release-tag-name }}
+        draft: ${{ steps.invocation.outputs.release-draft }}
+        prerelease: ${{ steps.invocation.outputs.release-prerelease }}
+        files: ${{ steps.invocation.outputs.release-files }}
+        fail_on_unmatched_files: true
+        generate_release_notes: true
diff --git a/scripts/cicd/generic-prettier.sh b/scripts/cicd/generic-prettier.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+# shellcheck source=/dev/null
+. "$(dirname "$0")/../fetch-and-check.sh"
+
+echo "::group::$0: Preparation"
+    if ! command -v npm; then
+        bash <(fetch_and_check \
+            'https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh' \
+            '69da4f89f430cd5d6e591c2ccfa2e9e3ad55564ba60f651f00da85e04010c640')
+        # shellcheck source=/dev/null
+        . ~/.nvm/nvm.sh
+        nvm install --lts
+    fi
+    npm --version
+
+    npm install -g prettier
+    npx prettier --version
+echo '::endgroup::'
+
+npx prettier -c .
diff --git a/scripts/cicd/generic-shellcheck.sh b/scripts/cicd/generic-shellcheck.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+echo "::group::$0: Preparation"
+    if ! command -v shellcheck; then
+        sudo apt-get update; sudo apt-get install -y shellcheck
+    fi
+    shellcheck --version
+echo '::endgroup::'
+
+# shellcheck disable=SC2046
+shellcheck $(find . -name \*.sh)
diff --git a/scripts/cicd/generic-trivy.sh b/scripts/cicd/generic-trivy.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+# shellcheck source=/dev/null
+. "$(dirname "$0")/../fetch-and-check.sh"
+
+codename="$(grep VERSION_CODENAME /etc/os-release | cut -d= -f2)"
+
+echo "::group::$0: Preparation"
+    if ! command -v trivy; then
+        sudo apt-get update; sudo apt-get install -y gnupg
+        fetch_and_check \
+            'https://aquasecurity.github.io/trivy-repo/deb/public.key' \
+            '51ca5d1384095c462099add67e46b028e0df0ff741c0f95ad30f561c4fad1ad4' | \
+            sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/trivy.gpg
+        echo "deb https://aquasecurity.github.io/trivy-repo/deb $codename main" | \
+            sudo tee /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update; sudo apt-get install -y trivy
+    fi
+    trivy --version
+echo '::endgroup::'
+
+trivy fs --exit-code=1 .