Merge pull request #2 from DFE-Digital/composite-deploy-action
Composite deploy action
Showing 20 changed files with 499 additions and 59 deletions.
@@ -0,0 +1 @@ | ||
* @dfe-digital/security-engineering |
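Review bot: the single `*` rule only gates merges if branch protection on `main` has "Require review from Code Owners" switched on; without that setting this file is informational only, so confirm the protection rule is in place (or say so in the PR description) rather than relying on the file alone.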
@@ -0,0 +1,13 @@ | ||
# Contribution guidelines | ||
|
||
If you’ve got an idea or suggestion you can [create a GitHub issue](https://github.com/DFE-Digital/splunk-app-packager/issues), or feel free to [raise a pull request](https://github.com/DFE-Digital/splunk-app-packager/compare). | ||
|
||
## Raising bugs | ||
|
||
When raising bugs please explain the issue in good detail and provide a guide to how to replicate it. | ||
|
||
When describing the bug it's useful to follow the format: | ||
|
||
- what you did | ||
- what you expected to happen | ||
- what actually happened |
@@ -0,0 +1,11 @@ | ||
## Checklist | ||
Please tick off where applicable. Have you: | ||
- [ ] updated the version number in [pyproject.toml](pyproject.toml)? | ||
- [ ] updated the version number in [action.yml](https://github.com/DFE-Digital/splunk-app-packager/blob/composite-deploy-action/action.yml#L41)? | ||
- [ ] explained the change? | ||
- [ ] confirmed the PR checks have passed? | ||
|
||
## Explanation of change | ||
|
||
|
||
## Link to bug report or github issue |
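Review bot: the action.yml link in the second checklist item is hard-coded to the `composite-deploy-action` branch and to line `#L41`; it breaks once this branch is merged and deleted, and drifts as soon as action.yml is edited. Use a relative link, `[action.yml](action.yml)`, the same way the pyproject.toml item does.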
@@ -0,0 +1,13 @@ | ||
-- | ||
paths-ignore: | ||
- .github | ||
query-filters: | ||
- exclude: | ||
problems.severity: | ||
- Note # ignore notes when there's too much noise | ||
queries: | ||
- uses: security-experimental | ||
- uses: security-extended | ||
- uses: security-and-quality | ||
- uses: advanced-security/codeql-queries/python/suites/codeql-python.qls@main | ||
- uses: advanced-security/codeql-queries/javascript/suites/codeql-javascript.qls@main |
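Review bot: the first line `--` is not a YAML document marker (that is `---`, as the CodeQL workflow uses) and will make the config fail to parse; change it to `---` or drop the line. Two smaller points: the built-in suites nest (`security-and-quality` includes `security-extended`, which includes the default queries), so listing all three plus `security-experimental` only adds duplicate results, and `paths-ignore: .github` excludes the workflows themselves from scanning, which deserves a comment explaining why.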
@@ -0,0 +1,32 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: "pip" | ||
directory: "/" | ||
schedule: | ||
interval: "weekly" | ||
commit-message: | ||
prefix: "Dependabot (python): " | ||
groups: | ||
pip: | ||
applies-to: version-updates | ||
patterns: | ||
- "*" | ||
pip-security: | ||
applies-to: security-updates | ||
patterns: | ||
- "*" | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "weekly" | ||
commit-message: | ||
prefix: "Dependabot (github actions): " | ||
groups: | ||
gh-actions: | ||
applies-to: version-updates | ||
patterns: | ||
- "*" | ||
gh-actions-security: | ||
applies-to: security-updates | ||
patterns: | ||
- "*" |
@@ -0,0 +1,29 @@ | ||
--- | ||
name: "CodeQL" | ||
|
||
on: | ||
push: | ||
branches: ["main"] | ||
paths: | ||
- '*.py' | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
types: [opened, reopened] | ||
paths: | ||
- '**.py' | ||
schedule: | ||
- cron: '0 8 * * *' | ||
workflow_dispatch: | ||
|
||
jobs: | ||
|
||
run-codeql: | ||
uses: DFE-Digital/github-actions/.github/workflows/reusable-workflow-sast.yml@master | ||
with: | ||
language: 'python' | ||
policy_action: 'break' | ||
queries: 'security-extended' | ||
config_file: '.github/codeql-config.yaml' | ||
secrets: | ||
CODEQL_APP_ID: ${{ secrets.CODEQL_APP_ID }} | ||
CODEQL_AUTHENTICATION_PRIVATE_KEY: ${{ secrets.CODEQL_AUTHENTICATION_PRIVATE_KEY }} |
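Review bot: the `push` trigger's `paths: '*.py'` only matches `.py` files at the repository root, while `pull_request` uses `'**.py'`; with the package under `src/` (the Flake8 workflow lints `src/splunk_app_packager`), a push to `main` that changes the code will not start a scan. Use `'**.py'` for both triggers. Also: `types: [opened, reopened]` omits `synchronize`, so commits pushed to an already-open PR are not re-scanned; `queries: 'security-extended'` duplicates what `.github/codeql-config.yaml` already lists; and the reusable workflow is referenced at the mutable `@master` ref rather than a commit SHA.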
@@ -0,0 +1,33 @@ | ||
name: Flake8 | ||
|
||
on: | ||
push: | ||
branches: | ||
- 'main' | ||
paths: | ||
- '*.py' | ||
workflow_call: | ||
|
||
jobs: | ||
|
||
run-flake8: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: read | ||
|
||
steps: | ||
- name: Checkout repo | ||
uses: actions/checkout@v4 | ||
|
||
- name: Setup python | ||
uses: actions/setup-python@v5 | ||
with: | ||
python-version: '3.x' | ||
|
||
- name: flake8 Lint | ||
uses: py-actions/flake8@v2 | ||
with: | ||
path: "src/splunk_app_packager" | ||
ignore: "E501,W503" | ||
plugins: "flake8-black" |
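Review bot: same root-only `paths: '*.py'` filter as the CodeQL workflow: the lint target is `src/splunk_app_packager`, which `'*.py'` never matches, so a push to `main` touching the package will not run flake8. Change it to `'**.py'` (or `'src/**'`).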
@@ -0,0 +1,115 @@ | ||
name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
paths: | ||
- 'src/**' | ||
- 'pyproject.toml' | ||
- 'action.yml' | ||
|
||
jobs: | ||
tag-release-on-push: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write | ||
outputs: | ||
new_tag: ${{ steps.bump-version.outputs.new_tag }} | ||
|
||
steps: | ||
|
||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: '0' | ||
|
||
- name: Bump version and push tag | ||
id: bump-version | ||
uses: anothrNick/github-tag-action@1.70.0 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
WITH_V: false | ||
DEFAULT_BUMP: patch | ||
|
||
build: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Set up python | ||
uses: actions/setup-python@v5 | ||
with: | ||
python-version: '3.12.3' | ||
architecture: 'x64' | ||
cache: 'pip' | ||
|
||
- name: Install pypa/build | ||
run: python3 -m pip install build --user | ||
|
||
- name: Build binary wheel and source tarball | ||
run: python3 -m build | ||
|
||
- name: Store the packages | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: python-package-distributions | ||
path: dist/ | ||
|
||
publish-to-pypi: | ||
needs: [build] | ||
runs-on: ubuntu-latest | ||
environment: | ||
name: pypi | ||
url: https://pypi.org/p/splunk-app-packager | ||
permissions: | ||
contents: read | ||
id-token: write | ||
|
||
steps: | ||
- name: Download dists | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: python-package-distributions | ||
path: dist/ | ||
|
||
- name: Publish distribution 📦 to PyPI | ||
uses: pypa/gh-action-pypi-publish@release/v1 | ||
|
||
github-release: | ||
needs: [tag-release-on-push, publish-to-pypi] | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write | ||
id-token: write | ||
|
||
steps: | ||
|
||
- name: Download all the dists | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: python-package-distributions | ||
path: dist/ | ||
|
||
- name: Sign the dists with Sigstore | ||
uses: sigstore/gh-action-sigstore-python@v2.1.1 | ||
with: | ||
inputs: >- | ||
./dist/*.tar.gz | ||
./dist/*.whl | ||
- name: Create GitHub Release | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
run: gh release create '${{ needs.tag-release-on-push.outputs.new_tag }}' --repo '${{ github.repository }}' --notes "" | ||
|
||
- name: Upload artifact signatures to GitHub Release | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
# Upload to GitHub Release using the `gh` CLI. | ||
# `dist/` contains the built packages, and the | ||
# sigstore-produced signatures and certificates. | ||
run: gh release upload '${{ github.ref_name }}' dist/** --repo '${{ github.repository }}' | ||
|
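Review bot: the final step runs `gh release upload '${{ github.ref_name }}'`, but this workflow is triggered by `push` to `main`, so `github.ref_name` is `main`, not the new tag; the release was created one step earlier under `needs.tag-release-on-push.outputs.new_tag`, so use that same value here or the upload targets a release that does not exist. Two further points: `publish-to-pypi` only `needs: [build]`, so the package can reach PyPI even when tagging failed (add `tag-release-on-push` to its `needs`); and `anothrNick/github-tag-action@1.70.0` and `pypa/gh-action-pypi-publish@release/v1` are referenced by movable tag/branch rather than commit SHA, which matters for jobs holding `contents: write` and `id-token: write`.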
@@ -0,0 +1,57 @@ | ||
name: Verify tags are the same | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
paths: | ||
- 'src/**' | ||
- 'pyproject.toml' | ||
- 'action.yml' | ||
|
||
jobs: | ||
verify-tags: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
|
||
steps: | ||
|
||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: '0' | ||
|
||
- name: Check next git tag | ||
id: git-tag | ||
uses: anothrNick/github-tag-action@1.70.0 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
WITH_V: false | ||
DEFAULT_BUMP: patch | ||
DRY_RUN: true | ||
|
||
- name: Check pyproject tag | ||
id: pyproject-tag | ||
run: | | ||
echo py_version=$(grep version pyproject.toml | cut -d'"' -f2) >> $GITHUB_OUTPUT | ||
- name: Check action.yml tag | ||
id: action-tag | ||
run: | | ||
echo action_version=$(grep '==' action.yml | cut -d'=' -f3) >> $GITHUB_OUTPUT | ||
- name: Verify tags | ||
run: | | ||
if [ ${{ steps.git-tag.outputs.new_tag }} == ${{ steps.pyproject-tag.outputs.py_version }} ] && [ ${{ steps.pyproject-tag.outputs.py_version }} == ${{ steps.action-tag.outputs.action_version }} ] | ||
then | ||
echo "All tags are equal. Good to release." | ||
echo "Git Tag: ${{ steps.git-tag.outputs.new_tag }}" | ||
echo "pyproject.toml tag: ${{ steps.pyproject-tag.outputs.py_version }}" | ||
echo "action.yml tag: ${{ steps.action-tag.outputs.action_version }}" | ||
else | ||
echo "Tags aren't equal." | ||
echo "Git Tag: ${{ steps.git-tag.outputs.new_tag }}" | ||
echo "pyproject.toml tag: ${{ steps.pyproject-tag.outputs.py_version }}" | ||
echo "action.yml tag: ${{ steps.action-tag.outputs.action_version }}" | ||
exit 1 | ||
fi |
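Review bot: the version extraction is fragile: `grep version pyproject.toml` matches every line containing that substring (a `target-version` key or a dependency name would do), and `grep '==' action.yml` assumes exactly one `==` pin in the file; if either yields nothing or several lines, the `[ a == b ]` test with unquoted operands either errors out or compares the wrong strings. Anchor the patterns (`grep '^version'`, and the specific key in action.yml), quote the operands, and pass the `${{ }}` values into the script through `env:` instead of interpolating them into `run:`, so their content is never interpreted by the shell.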
@@ -3,3 +3,4 @@ DCAP_*.json | |
target/ | ||
venv/ | ||
__pycache__/ | ||
dist/ |
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) 2024 Crown Copyright (Department for Education) | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |