ai-native-python/{{cookiecutter.project_name}}/.github/workflows/commit.yml at 8a1e817e89e2f89e0ce3a8b87d90b31906ef0f0f · Zenable-io/ai-native-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
---
name: "Commit"

on:
  push:
    branches:
      - main

env:
  python_version: "{{ cookiecutter.python_version }}"

defaults:
  run:
    shell: 'bash --noprofile --norc -Eeuo pipefail {0}'

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v6
        with:
          persist-credentials: 'false'
      - name: Bootstrap repository
        uses: ./.github/actions/bootstrap
        with:
          token: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
          python-version: ${{ "{{ env.python_version }}" }}
      - name: Run pre-commit
        run: task -v lint
  test:
    name: Test
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: 'false'
      - name: Bootstrap repository
        uses: ./.github/actions/bootstrap
        with:
          token: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
          python-version: ${{ "{{ env.python_version }}" }}
      - name: Validate the repo
        run: task -v validate
      - name: Set up QEMU for cross-platform emulation
        uses: docker/setup-qemu-action@v3
      - name: Build the image(s)
        run: task -v build
        env:
          PLATFORM: ${{ "{{ matrix.platform }}" }}
      - name: Install license compliance tool
        run: |
          mkdir "${RUNNER_TEMP}/bin"
          # Install grant via curl until official Docker image is available
          # See: https://github.com/anchore/grant/issues/222
          curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
          chmod +x "${RUNNER_TEMP}/bin/grant"
          echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}"
      - name: Run the tests
        run: task -v test
        env:
          PLATFORM: ${{ "{{ matrix.platform }}" }}
      - name: Generate SBOM
        run: task -v sbom
        env:
          PLATFORM: ${{ "{{ matrix.platform }}" }}
      - name: Set env var for unique artifact uploads
        run: echo SANITIZED_PLATFORM="$(echo "${{ "{{ matrix.platform }}" }}" | sed 's/\//_/g')" | tee -a "${GITHUB_ENV}"
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v7
        with:
          name: sbom-${{ "{{ env.SANITIZED_PLATFORM }}" }}
          path: |
            sbom.*.json
          if-no-files-found: error
      - name: Check license compliance
        run: task -v license-check
        env:
          PLATFORM: ${{ "{{ matrix.platform }}" }}
      - name: Upload license check results
        uses: actions/upload-artifact@v7
        with:
          name: license-check-${{ "{{ env.SANITIZED_PLATFORM }}" }}
          path: license-check.*.json
          if-no-files-found: error
      - name: Run vulnerability scan
        run: task -v vulnscan
        env:
          PLATFORM: ${{ "{{ matrix.platform }}" }}
      - name: Upload vulnerability scan results
        uses: actions/upload-artifact@v7
        with:
          name: vulns-${{ "{{ env.SANITIZED_PLATFORM }}" }}
          path: vulns.*.json
          if-no-files-found: error