-
Notifications
You must be signed in to change notification settings - Fork 0
143 lines (119 loc) · 5.82 KB
/
validate_new_changes.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: "New changes validation"
on:
pull_request: # yamllint disable-line rule:empty-values
permissions:
contents: "read"
packages: "read"
env:
REGISTRY: "ghcr.io"
jobs:
find-changed-files:
runs-on: "ubuntu-latest"
outputs:
is_yaml_changed: "${{ steps.filter.outputs.yaml }}"
is_dockerfile_linter_image_changed: "${{ steps.filter.outputs.dockerfile-linter-image }}"
is_markdown_changed: "${{ steps.filter.outputs.markdown }}"
permissions:
pull-requests: "read"
steps:
- name: "Checkout ${{ github.event.repository.name }}"
uses: "actions/checkout@v4"
with:
fetch-depth: 1
- name: "Find changed files"
uses: "dorny/paths-filter@v3"
id: "filter"
with:
filters: |
yaml:
- "**/*.yaml"
- "**/*.yml"
dockerfile-linter-image:
- "**/Dockerfile"
- "**/.dockerignore"
markdown:
- "**/*.md"
validate-dockerfile-linter-image:
runs-on: "ubuntu-latest"
needs: "find-changed-files"
if: "${{ needs.find-changed-files.outputs.is_dockerfile_linter_image_changed == 'true' }}"
# NOTE: building and running Docker image of Dockerfile linter take around 1 minute.
# If this job takes more than 5 minutes, it means that something is wrong.
timeout-minutes: 5
steps:
- name: "Checkout ${{ github.event.repository.name }}"
uses: "actions/checkout@v4"
- name: "Set up Docker Buildx"
uses: "docker/setup-buildx-action@v3"
- name: "Login to Docker registry"
uses: "docker/login-action@v3"
with:
registry: "${{ env.REGISTRY }}"
username: "${{ github.actor }}"
password: "${{ secrets.GITHUB_TOKEN }}"
- name: "Build Dockerfile linter Docker image"
uses: "docker/build-push-action@v6"
with:
# NOTE: setup of `context` is needed to force builder to use the `.dockerignore` file.
context: "."
push: false
load: true
# NOTE: using another name to don't allow docker to download image from the internet in the next step.
tags: "local/dockerfile-linter-pr:latest"
cache-from: "type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
cache-to: "type=inline"
- name: "Test correctly setup Dockerfile"
run: "docker run --rm -v ${{ github.workspace }}/tests/correct_dockerfile:/linter_workdir/repo
local/dockerfile-linter-pr:latest"
- name: "Test incorrectly setup Dockerfile"
run: "docker run --rm -v ${{ github.workspace }}/tests/incorrect_dockerfile:/linter_workdir/repo
local/dockerfile-linter-pr:latest && { echo 'Incorrectly setup Dockerfile test must fail!' >&2; exit 1; }
|| exit 0"
# HACK: remove `tests` directory before linting repo directory because this is easier than implementing a proper
# way to ignore directories in ENTRYPOINT command.
- name: "Remove `tests` directory"
run: "rm -rf ${{ github.workspace }}/tests"
- name: "Lint repo directory"
run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo local/dockerfile-linter-pr:latest"
- name: "Run Dockerfile security scanner"
run: "docker run --rm --group-add $(getent group docker | cut -d: -f3)
-v /var/run/docker.sock:/var/run/docker.sock
ghcr.io/articola-tools/dockerfile-security-scanner local/yaml-linter-pr:latest"
validate-yaml-changes:
runs-on: "ubuntu-latest"
needs: "find-changed-files"
if: "${{ needs.find-changed-files.outputs.is_yaml_changed == 'true' }}"
# NOTE: validating YAML changes takes around 1 minute.
# If this job takes more than 5 minutes, it means that something is wrong.
timeout-minutes: 5
steps:
- name: "Checkout ${{ github.event.repository.name }}"
uses: "actions/checkout@v4"
- name: "Login to Docker registry"
uses: "docker/login-action@v3"
with:
registry: "${{ env.REGISTRY }}"
username: "${{ github.actor }}"
password: "${{ secrets.GITHUB_TOKEN }}"
- name: "Run YAML linter"
run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo
${{ env.REGISTRY }}/articola-tools/yaml-linter:latest"
validate-markdown-changes:
runs-on: "ubuntu-latest"
needs: "find-changed-files"
if: "${{ needs.find-changed-files.outputs.is_markdown_changed == 'true' }}"
# NOTE: validating Markdown changes takes around 1 minute.
# If this job takes more than 5 minutes, it means that something is wrong.
timeout-minutes: 5
steps:
- name: "Checkout ${{ github.event.repository.name }}"
uses: "actions/checkout@v4"
- name: "Login to Docker registry"
uses: "docker/login-action@v3"
with:
registry: "${{ env.REGISTRY }}"
username: "${{ github.actor }}"
password: "${{ secrets.GITHUB_TOKEN }}"
- name: "Run Dockerfile linter"
run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo
${{ env.REGISTRY }}/articola-tools/markdown-linter:latest"