PR from pipelines to main for commit e68cf5e #281
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Merge Check - Highflame Python | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| branches: | |
| - "main" | |
| merge_group: | |
| types: | |
| - checks_requested | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref }} | |
| cancel-in-progress: true | |
| env: | |
| PR_CHECK_PREFIX: "feat:|fix:|devops:|Merge|Revert|build\\(deps\\)|\\[Snyk\\]|Bump" | |
| GH_SEC_REPORT: false | |
| TRIVY_SEVERITY: "HIGH,CRITICAL" | |
| TRIVY_REPORT_FILE: "trivy-scan-result" | |
| jobs: | |
| highflame-commit-check: | |
| permissions: | |
| contents: 'read' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| - name: Get the last commit message | |
| id: commit_message | |
| run: |- | |
| COMMIT_MESSAGE=$(git show -s --format=%s) | |
| echo "message=${COMMIT_MESSAGE}" >> ${GITHUB_OUTPUT} | |
| - name: Commit Message Check | |
| shell: bash | |
| env: | |
| COMMIT_MESSAGE: "${{ steps.commit_message.outputs.message }}" | |
| run: |- | |
| CLEAN_COMMIT_MESSAGE=$(echo '${{ env.COMMIT_MESSAGE }}' | sed "s|\"||g") | |
| if [[ "${CLEAN_COMMIT_MESSAGE}" =~ ^(${{ env.PR_CHECK_PREFIX }}) ]]; then | |
| echo "Commit message is valid....!" | |
| else | |
| echo "Commit message does not contain required keywords....!" | |
| exit 1 | |
| fi | |
| highflame-lint-check: | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| runs-on: ubuntu-24.04 | |
| env: | |
| PY_VER: 3.12.0 | |
| PY_LINT_CFG: .flake8 | |
| LINT_REPORT_FILE: lint-report | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Python Version | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PY_VER }} | |
| cache: 'pip' | |
| - name: Lint Check | |
| shell: bash | |
| run: |- | |
| pip install flake8 | |
| flake8 . --config=${{ env.PY_LINT_CFG }} --output-file=${{ env.LINT_REPORT_FILE }}.json | |
| - name: Upload Lint Report | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.LINT_REPORT_FILE }} | |
| path: ${{ env.LINT_REPORT_FILE }}.json | |
| retention-days: 1 | |
| - name: Check If File Exists | |
| id: check_lint_report | |
| run: |- | |
| if [[ -f "${{ env.LINT_REPORT_FILE }}.json" ]] ; then | |
| echo "lint_report=true" >> ${GITHUB_OUTPUT} | |
| fi | |
| outputs: | |
| lint_report: ${{ steps.check_lint_report.outputs.lint_report }} | |
| highflame-trivy-scan: | |
| permissions: | |
| contents: 'read' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: true | |
| - name: Manual Trivy Setup | |
| uses: aquasecurity/setup-trivy@v0.2.5 | |
| with: | |
| cache: true | |
| version: ${{ env.TRIVY_VER }} | |
| - name: Trivy Scan - Text Security Report | |
| id: trivy_scan_txt | |
| if: ${{ env.GH_SEC_REPORT == 'false' }} | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| continue-on-error: true | |
| with: | |
| ignore-unfixed: true | |
| skip-setup-trivy: true | |
| scan-type: "fs" | |
| cache: "false" | |
| format: "table" | |
| output: "${{ env.TRIVY_REPORT_FILE }}.txt" | |
| severity: "${{ env.TRIVY_SEVERITY }}" | |
| exit-code: 1 | |
| - name: Upload Report - Text Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'false' && steps.trivy_scan_txt.outcome == 'failure' }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: "${{ env.TRIVY_REPORT_FILE }}" | |
| path: "${{ env.TRIVY_REPORT_FILE }}.txt" | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - name: Trivy Scan - GitHub Security Report | |
| id: trivy_scan_sec | |
| if: ${{ env.GH_SEC_REPORT == 'true' }} | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| with: | |
| ignore-unfixed: true | |
| skip-setup-trivy: true | |
| scan-type: "fs" | |
| cache: "false" | |
| format: "sarif" | |
| output: "${{ env.TRIVY_REPORT_FILE }}.sarif" | |
| severity: "${{ env.TRIVY_SEVERITY }}" | |
| timeout: "${{ env.TRIVY_TIMEOUT }}" | |
| exit-code: 1 | |
| - name: Upload Report - GitHub Security Report | |
| if: ${{ env.GH_SEC_REPORT == 'true' && steps.trivy_scan_sec.outcome == 'failure' }} | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "${{ env.TRIVY_REPORT_FILE }}.sarif" | |
| - name: Failing the Job | |
| if: ${{ steps.trivy_scan_txt.outcome == 'failure' || steps.trivy_scan_sec.outcome == 'failure' }} | |
| shell: bash | |
| run: |- | |
| echo "Vulnerabilities Found.....!" | |
| exit 1 | |
| highflame-build-check: | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Validate Package Version | |
| env: | |
| PY_VER_FILE: "pyproject.toml" | |
| shell: bash | |
| run: |- | |
| export RELEASE_VERSION="1.1.1" | |
| if [[ -f ${{ env.PY_VER_FILE }} ]] ; then | |
| sed -i "s|^version = \".*\"|version = \"${RELEASE_VERSION}\"|g" ${{ env.PY_VER_FILE }} | |
| cat ${{ env.PY_VER_FILE }} | |
| echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ${{ env.PY_VER_FILE }}" | |
| else | |
| echo "File not found ${{ env.PY_VER_FILE }}" | |
| exit 1 | |
| fi | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PY_VER }} | |
| cache: 'pip' | |
| - name: Install Dependencies | |
| shell: bash | |
| run: |- | |
| pip install build | |
| - name: Build Package | |
| shell: bash | |
| run: |- | |
| python -m build |