feat: add due dates to todos #24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CI | |
| permissions: | |
| contents: read | |
| on: | |
| pull_request: | |
| branches: [main] | |
| env: | |
| python_version: "3.13" | |
| defaults: | |
| run: | |
| shell: 'bash --noprofile --norc -Eeuo pipefail {0}' | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Set up QEMU for cross-platform emulation | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Install license compliance tool | |
| run: | | |
| mkdir -p "${RUNNER_TEMP}/bin" | |
| # Install grant via curl until official Docker image is available | |
| # See: https://github.com/anchore/grant/issues/222 | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
| chmod +x "${RUNNER_TEMP}/bin/grant" | |
| echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}" | |
| - name: Build Docker image | |
| run: task -v build | |
| - name: Run tests | |
| run: task -v test | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Run linting | |
| run: task -v lint | |
| - name: Validate configuration | |
| run: task -v validate | |
| build: | |
| name: Build | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| platform: | |
| - linux/amd64 | |
| - linux/arm64 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Set up QEMU for cross-platform emulation | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Build Docker image | |
| run: task -v build | |
| env: | |
| PLATFORM: ${{ matrix.platform }} | |
| - name: Install license compliance tool | |
| run: | | |
| mkdir "${RUNNER_TEMP}/bin" | |
| # Install grant via curl until official Docker image is available | |
| # See: https://github.com/anchore/grant/issues/222 | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
| chmod +x "${RUNNER_TEMP}/bin/grant" | |
| echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}" | |
| - name: Generate SBOM | |
| run: task -v sbom | |
| env: | |
| PLATFORM: ${{ matrix.platform }} | |
| - name: Set env var for unique artifact uploads | |
| run: echo SANITIZED_PLATFORM="$(echo "${{ matrix.platform }}" | sed 's/\//_/g')" | tee -a "${GITHUB_ENV}" | |
| - name: Upload SBOM artifacts | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: sbom-${{ env.SANITIZED_PLATFORM }} | |
| path: | | |
| sbom.*.json | |
| if-no-files-found: error | |
| - name: Check license compliance | |
| run: task -v license-check | |
| env: | |
| PLATFORM: ${{ matrix.platform }} | |
| - name: Upload license check results | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: license-check-${{ env.SANITIZED_PLATFORM }} | |
| path: license-check.*.json | |
| if-no-files-found: error | |
| - name: Run vulnerability scan | |
| run: task -v vulnscan | |
| env: | |
| PLATFORM: ${{ matrix.platform }} | |
| - name: Upload vulnerability scan results | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: vulns-${{ env.SANITIZED_PLATFORM }} | |
| path: vulns.*.json | |
| if-no-files-found: error | |
| finalizer: | |
| # This gives us something to set as required in the repo settings. Some projects use dynamic fan-outs using matrix strategies and the fromJSON function, so | |
| # you can't hard-code what _should_ run vs not. Having a finalizer simplifies that so you can just check that the finalizer succeeded, and if so, your | |
| # requirements have been met | |
| # Example: https://x.com/JonZeolla/status/1877344137713766516 | |
| name: Finalize the pipeline | |
| runs-on: ubuntu-24.04 | |
| # Keep this aligned with the above jobs | |
| needs: [lint, test, build] | |
| if: always() # Ensure it runs even if "needs" fails or is cancelled | |
| steps: | |
| - name: Check for failed or cancelled jobs | |
| run: | | |
| # Use contains() to check for any failure or cancellation | |
| if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" || | |
| "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | |
| echo "One or more required jobs failed or was cancelled. Marking finalizer as failed." | |
| exit 1 | |
| fi | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| - name: Scan workflow logs for warnings and errors | |
| run: scripts/scan_workflow_logs.sh ${{ github.run_id }} | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Finalize | |
| run: echo "Pipeline complete!" |