diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 260d1e7d..1cf6b4c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,7 +153,7 @@ jobs: - name: Determine version (NBGV) id: nbgv - uses: dotnet/nbgv@071d632702496c9f570398fbf453c6545c2cf2f0 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships) + uses: dotnet/nbgv@81f7c98786b56d9fa30c96223e7147d9bb582ff7 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships) with: setAllVars: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a59cb3e6..0a07c0bf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,37 +1,37 @@ -name: CodeQL - -on: - push: - branches: [main] - pull_request: - branches: [main] - schedule: - - cron: '0 6 * * 1' - -permissions: - security-events: write - contents: read - -jobs: - analyze: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Setup .NET - uses: actions/setup-dotnet@v5 - with: - global-json-file: global.json - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: csharp - - - name: Build - run: dotnet build --configuration Release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '0 6 * * 1' + +permissions: + security-events: write + contents: read + +jobs: + analyze: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + fetch-depth: 0 + + - name: Setup .NET + uses: actions/setup-dotnet@v5 + with: + global-json-file: global.json + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4.35.5 + with: + languages: csharp + + - name: Build + run: dotnet build --configuration Release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4.35.5 
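Review bot: The new `github/codeql-action/init@v4.35.5` and `github/codeql-action/analyze@v4.35.5` lines pin a release tag, which is mutable, while the ci.yml and pr-validation.yml hunks in this same commit pin `dotnet/nbgv` by full commit SHA; for a workflow holding `security-events: write` the stronger form is the SHA with the version kept in a trailing comment, e.g. `uses: github/codeql-action/init@<commit sha of v4.35.5> # v4.35.5`, and the same for the analyze step. `actions/checkout@v6` and `actions/setup-dotnet@v5` in the same hunk stay on floating major tags, so the exact-version pin is applied inconsistently within the file. Every line of the file is removed and re-added with identical text apart from those two pins, which looks like a line-ending or whitespace normalization; saying so in the commit message would spare reviewers from diffing the whole file by hand.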
diff --git a/.github/workflows/containers.yml b/.github/workflows/containers.yml index c443fcfd..6a38b8b1 100644 --- a/.github/workflows/containers.yml +++ b/.github/workflows/containers.yml 
@@ -1,131 +1,131 @@ -name: Container Images - -on: - push: - branches: [main] - tags: - - "v*" - workflow_dispatch: - -env: - REGISTRY: ghcr.io - -jobs: - publish: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - id-token: write - attestations: write - strategy: - fail-fast: false - matrix: - include: - - component: gateway - dockerfile: deploy/docker/Dockerfile.gateway - - component: daemon - dockerfile: deploy/docker/Dockerfile.daemon - - component: tui - dockerfile: deploy/docker/Dockerfile.tui - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Set up Docker Buildx - shell: bash - run: | - docker buildx version - docker buildx create --name jdai-builder --use || docker buildx use jdai-builder - docker buildx inspect --bootstrap - - - name: Normalize image name - id: image - shell: bash - run: | - owner="${GITHUB_REPOSITORY_OWNER,,}" - echo "name=${{ env.REGISTRY }}/${owner}/jd.ai-${{ matrix.component }}" >> "$GITHUB_OUTPUT" - - - name: Login to GHCR - uses: docker/login-action@v4 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata - id: meta - uses: docker/metadata-action@v6 - with: - images: ${{ steps.image.outputs.name }} - tags: | - type=sha - type=raw,value=latest,enable={{is_default_branch}} - type=ref,event=tag - - - name: Build and push - id: build - uses: docker/build-push-action@v7 - with: - context: . 
- file: ${{ matrix.dockerfile }} - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Generate SBOM - uses: anchore/sbom-action@v0 - with: - image: ${{ steps.image.outputs.name }}@${{ steps.build.outputs.digest }} - format: spdx-json - output-file: sbom-${{ matrix.component }}.spdx.json - - - name: Upload SBOM artifact - uses: actions/upload-artifact@v7 - with: - name: sbom-${{ matrix.component }} - path: sbom-${{ matrix.component }}.spdx.json - - - name: Attest SBOM to image - uses: actions/attest-sbom@v4 - continue-on-error: true - with: - subject-name: ${{ steps.image.outputs.name }} - subject-digest: ${{ steps.build.outputs.digest }} - sbom-path: sbom-${{ matrix.component }}.spdx.json - - helm-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Install Helm - shell: bash - run: | - set -euo pipefail - HELM_VERSION="v3.19.0" - ARCHIVE="helm-${HELM_VERSION}-linux-amd64.tar.gz" - URL="https://get.helm.sh/${ARCHIVE}" - for attempt in 1 2 3; do - if curl -fsSL --retry 3 --retry-delay 2 "$URL" -o "$ARCHIVE"; then - break - fi - if [ "$attempt" -eq 3 ]; then - echo "Failed to download Helm from $URL after retries." 
- exit 1 - fi - sleep $((attempt * 5)) - done - tar -xzf "$ARCHIVE" - sudo mv linux-amd64/helm /usr/local/bin/helm - helm version --short - - - name: Helm lint - run: helm lint deploy/helm/jdai - - - name: Helm template (dry-run) - run: helm template jdai deploy/helm/jdai --debug > /dev/null - +name: Container Images + +on: + push: + branches: [main] + tags: + - "v*" + workflow_dispatch: + +env: + REGISTRY: ghcr.io + +jobs: + publish: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + attestations: write + strategy: + fail-fast: false + matrix: + include: + - component: gateway + dockerfile: deploy/docker/Dockerfile.gateway + - component: daemon + dockerfile: deploy/docker/Dockerfile.daemon + - component: tui + dockerfile: deploy/docker/Dockerfile.tui + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Set up Docker Buildx + shell: bash + run: | + docker buildx version + docker buildx create --name jdai-builder --use || docker buildx use jdai-builder + docker buildx inspect --bootstrap + + - name: Normalize image name + id: image + shell: bash + run: | + owner="${GITHUB_REPOSITORY_OWNER,,}" + echo "name=${{ env.REGISTRY }}/${owner}/jd.ai-${{ matrix.component }}" >> "$GITHUB_OUTPUT" + + - name: Login to GHCR + uses: docker/login-action@v4.1.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@v6 + with: + images: ${{ steps.image.outputs.name }} + tags: | + type=sha + type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=tag + + - name: Build and push + id: build + uses: docker/build-push-action@v7 + with: + context: . 
+ file: ${{ matrix.dockerfile }} + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Generate SBOM + uses: anchore/sbom-action@v0 + with: + image: ${{ steps.image.outputs.name }}@${{ steps.build.outputs.digest }} + format: spdx-json + output-file: sbom-${{ matrix.component }}.spdx.json + + - name: Upload SBOM artifact + uses: actions/upload-artifact@v7 + with: + name: sbom-${{ matrix.component }} + path: sbom-${{ matrix.component }}.spdx.json + + - name: Attest SBOM to image + uses: actions/attest-sbom@v4 + continue-on-error: true + with: + subject-name: ${{ steps.image.outputs.name }} + subject-digest: ${{ steps.build.outputs.digest }} + sbom-path: sbom-${{ matrix.component }}.spdx.json + + helm-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Install Helm + shell: bash + run: | + set -euo pipefail + HELM_VERSION="v3.19.0" + ARCHIVE="helm-${HELM_VERSION}-linux-amd64.tar.gz" + URL="https://get.helm.sh/${ARCHIVE}" + for attempt in 1 2 3; do + if curl -fsSL --retry 3 --retry-delay 2 "$URL" -o "$ARCHIVE"; then + break + fi + if [ "$attempt" -eq 3 ]; then + echo "Failed to download Helm from $URL after retries." + exit 1 + fi + sleep $((attempt * 5)) + done + tar -xzf "$ARCHIVE" + sudo mv linux-amd64/helm /usr/local/bin/helm + helm version --short + + - name: Helm lint + run: helm lint deploy/helm/jdai + + - name: Helm template (dry-run) + run: helm template jdai deploy/helm/jdai --debug > /dev/null + diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index 61d6b5b0..e4dcb564 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml 
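Review bot: The one substantive change in this hunk, `docker/login-action@v4.1.0`, pins a mutable release tag in a job that holds `packages: write`, `id-token: write` and `attestations: write`, and the neighbouring third-party steps `anchore/sbom-action@v0`, `docker/metadata-action@v6` and `docker/build-push-action@v7` stay on floating major tags; the ci.yml and pr-validation.yml hunks in this commit already use the stronger convention of a full commit SHA with the version in a comment, e.g. `uses: docker/login-action@<commit sha of v4.1.0> # v4.1.0`, and the `@v0` pin in particular tracks a 0.x line where any release may change behaviour. The Install Helm step pins `HELM_VERSION="v3.19.0"` but extracts the tarball without verifying it; get.helm.sh publishes a `.sha256sum` file next to each archive, so adding `curl -fsSL --retry 3 "${URL}.sha256sum" -o "${ARCHIVE}.sha256sum"` and `sha256sum -c "${ARCHIVE}.sha256sum"` before the `tar -xzf` line gives the download an integrity check under the existing `set -euo pipefail`. As in codeql.yml, the whole file is removed and re-added with identical content apart from the single pin, which looks like a line-ending or whitespace normalization worth stating in the commit message.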
@@ -37,7 +37,7 @@ jobs: - name: Determine version (NBGV) id: nbgv - uses: dotnet/nbgv@071d632702496c9f570398fbf453c6545c2cf2f0 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships) + uses: dotnet/nbgv@81f7c98786b56d9fa30c96223e7147d9bb582ff7 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships) with: setAllVars: true