fix(ci): clean up CI warnings and deprecations #352
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "CI" | |
| permissions: | |
| contents: read | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '47 5 * * 0' | |
| env: | |
| python_version: "3.13" | |
| defaults: | |
| run: | |
| shell: 'bash --noprofile --norc -Eeuo pipefail {0}' | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Lint | |
| run: task -v lint | |
| test: | |
| name: Test | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| # Necessary for hooks to succeed during tests for commits/schedule | |
| if: github.event_name != 'pull_request' | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: 'false' | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| # Necessary for hooks to succeed during tests for PRs | |
| if: github.event_name == 'pull_request' | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| fetch-depth: 0 | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Validate the repo | |
| run: task -v validate | |
| - name: Install license compliance tool | |
| run: | | |
| mkdir "${RUNNER_TEMP}/bin" | |
| # Install grant via curl until official Docker image is available | |
| # See: https://github.com/anchore/grant/issues/222 | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
| chmod +x "${RUNNER_TEMP}/bin/grant" | |
| echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}" | |
| - name: Run the tests | |
| run: task -v test | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run SBOM generation | |
| run: task -v sbom | |
| - name: Upload SBOM artifacts | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: sbom-files | |
| path: | | |
| sbom.*.json | |
| if-no-files-found: error | |
| - name: Check license compliance | |
| run: task -v license-check | |
| - name: Upload license check results | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: license-check-results | |
| path: license-check.json | |
| if-no-files-found: error | |
| - name: Run vulnerability scan | |
| run: task -v vulnscan | |
| - name: Upload vulnerability scan results | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: vuln-scan-results | |
| path: vulns.json | |
| if-no-files-found: error | |
| windows-smoke-test: | |
| name: Windows Smoke Test | |
| runs-on: windows-latest | |
| steps: | |
| # Note: no checkout step. The cookiecutter template directory contains | |
| # characters (pipe, quotes) that are illegal on NTFS, so we cannot check | |
| # out the repo on Windows. Instead, cookiecutter fetches the template | |
| # directly from the remote branch. | |
| - name: Setup uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| python-version: ${{ env.python_version }} | |
| # No checkout in this job (NTFS-illegal chars in template dir), so disable cache | |
| enable-cache: false | |
| ignore-empty-workdir: true | |
| - name: Install Task | |
| uses: go-task/setup-task@v2 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate project from template | |
| shell: bash | |
| env: | |
| RUN_POST_HOOK: 'true' | |
| SKIP_GIT_PUSH: 'true' | |
| TEMPLATE_REF: ${{ github.event.pull_request.head.sha || github.sha }} | |
| run: | | |
| git config --global user.name "CI Automation" | |
| git config --global user.email "ci@zenable.io" | |
| # The template directory name contains NTFS-illegal characters | |
| # (double quotes, pipe). Use extract_template_zip.py to safely | |
| # extract and rename only the top-level template dir. | |
| zipUrl="https://github.com/${{ github.repository }}/archive/${TEMPLATE_REF}.zip" | |
| scriptUrl="https://raw.githubusercontent.com/${{ github.repository }}/${TEMPLATE_REF}/scripts/extract_template_zip.py" | |
| tmpdir=$(mktemp -d) | |
| curl -fsSL "$zipUrl" -o "$tmpdir/template.zip" | |
| curl -fsSL "$scriptUrl" -o "$tmpdir/extract_template_zip.py" | |
| repoDir=$(python3 "$tmpdir/extract_template_zip.py" "$tmpdir/template.zip" "$tmpdir/src") | |
| uvx --with gitpython cookiecutter "$repoDir" --no-input \ | |
| project_name="ci-test-project" \ | |
| --output-dir "$RUNNER_TEMP" | |
| - name: Verify generated project | |
| shell: pwsh | |
| run: | | |
| $project = Join-Path $env:RUNNER_TEMP "ci-test-project" | |
| # Verify the project directory was created | |
| if (-not (Test-Path $project)) { | |
| Write-Error "Project directory not found at $project" | |
| exit 1 | |
| } | |
| # Verify key files exist | |
| $requiredFiles = @( | |
| "pyproject.toml", | |
| "Taskfile.yml", | |
| "Dockerfile", | |
| "CLAUDE.md", | |
| ".github/project.yml", | |
| ".github/workflows/ci.yml" | |
| ) | |
| foreach ($file in $requiredFiles) { | |
| $filePath = Join-Path $project $file | |
| if (-not (Test-Path $filePath)) { | |
| Write-Error "Required file missing: $file" | |
| exit 1 | |
| } | |
| } | |
| # Verify no unrendered cookiecutter variables remain | |
| $pattern = '\{\{\s*cookiecutter\.' | |
| $matches = Get-ChildItem -Path $project -Recurse -File -Exclude '.git' | | |
| Where-Object { $_.FullName -notmatch '[\\/]\.git[\\/]' } | | |
| Select-String -Pattern $pattern | |
| if ($matches) { | |
| Write-Error "Unrendered cookiecutter variables found:" | |
| $matches | ForEach-Object { Write-Error $_.ToString() } | |
| exit 1 | |
| } | |
| # Verify git repo was initialized and has a commit | |
| $gitDir = Join-Path $project ".git" | |
| if (-not (Test-Path $gitDir)) { | |
| Write-Error "Git repository not initialized" | |
| exit 1 | |
| } | |
| Push-Location $project | |
| $commitCount = git rev-list --count HEAD 2>$null | |
| Pop-Location | |
| if ($commitCount -lt 1) { | |
| Write-Error "No commits found in generated project" | |
| exit 1 | |
| } | |
| Write-Host "Windows smoke test passed: project generated and verified successfully" | |
| - name: Setup WSL with Docker | |
| shell: bash | |
| run: | | |
| wsl --install -d Ubuntu-24.04 --no-launch | |
| wsl -d Ubuntu-24.04 -u root -- bash -ec " | |
| apt-get update -qq | |
| apt-get install -y -qq curl ca-certificates >/dev/null | |
| curl -fsSL https://get.docker.com | sh -s -- --quiet | |
| service docker start | |
| " | |
| # Create docker wrappers that route to WSL's Docker. | |
| # - .bat for Task's mvdan/sh (Go's exec.LookPath needs a Windows extension) | |
| # - bash script for Git Bash steps | |
| mkdir -p "$HOME/bin" | |
| printf '@wsl -d Ubuntu-24.04 -u root -- docker %%*\r\n' > "$HOME/bin/docker.bat" | |
| cat > "$HOME/bin/docker" << 'WRAPPER' | |
| #!/bin/bash | |
| exec wsl -d Ubuntu-24.04 -u root -- docker "$@" | |
| WRAPPER | |
| chmod +x "$HOME/bin/docker" | |
| echo "$HOME/bin" >> "$GITHUB_PATH" | |
| - name: Initialize generated project | |
| shell: bash | |
| run: | | |
| cd "$RUNNER_TEMP/ci-test-project" | |
| task -v init | |
| - name: Run unit tests | |
| shell: bash | |
| # Integration tests require Docker (Linux images) which is not | |
| # available on Windows runners; those are covered by the Linux CI job. | |
| run: | | |
| cd "$RUNNER_TEMP/ci-test-project" | |
| task -v unit-test | |
| - name: Build Docker image | |
| shell: bash | |
| run: | | |
| cd "$RUNNER_TEMP/ci-test-project" | |
| task -v build | |
| - name: Verify Docker image | |
| shell: bash | |
| run: | | |
| docker run --rm zenable-io/ci-test-project:latest --version | |
| docker run --rm zenable-io/ci-test-project:latest --help | |
| - name: Verify zenable CLI | |
| shell: bash | |
| run: | | |
| export PATH="$HOME/.zenable/bin:$PATH" | |
| zenable version | |
| finalizer: | |
| # This gives us something to set as required in the repo settings. Some projects use dynamic fan-outs using matrix strategies and the fromJSON function, so | |
| # you can't hard-code what _should_ run vs not. Having a finalizer simplifies that so you can just check that the finalizer succeeded, and if so, your | |
| # requirements have been met | |
| # Example: https://x.com/JonZeolla/status/1877344137713766516 | |
| name: Finalize the pipeline | |
| runs-on: ubuntu-24.04 | |
| # Keep this aligned with the above jobs | |
| needs: [lint, test, windows-smoke-test] | |
| if: always() # Ensure it runs even if "needs" fails or is cancelled | |
| steps: | |
| - name: Check for failed or cancelled jobs | |
| run: | | |
| if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" || | |
| "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | |
| echo "One or more required jobs failed or was cancelled. Marking finalizer as failed." | |
| exit 1 | |
| fi | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| - name: Scan workflow logs for warnings and errors | |
| run: scripts/scan_workflow_logs.sh ${{ github.run_id }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Finalize | |
| run: echo "Pipeline complete!" |