diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 91c361fb..9a3220b0 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.26.2
+current_version = 0.27.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9f3c45d8..0bb16f68 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,14 +16,14 @@ updates:
 interval: weekly
 open-pull-requests-limit: 10
 - package-ecosystem: docker
- directory: "/.github/dependencies/python38"
+ directory: "/.github/dependencies/python312"
 schedule:
 interval: weekly
 ignore:
 # See
 - dependency-name: python
 update-types:
- # Ignore major/minor to pin python 3.8.x
+ # Ignore major/minor to pin python 3.12.x
 - "version-update:semver-major"
 - "version-update:semver-minor"
 open-pull-requests-limit: 10
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..db04fa32
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,85 @@
+name: Build, test, and publish container image
+
+on:
+ # Run pull requests against the default branch
+ pull_request:
+ branches: [master]
+
+ # Run on push to default branch
+ push:
+ branches: [master]
+
+ # Run when a release is created
+ release:
+ types: [released]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone this git repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ - name: Docker meta
+ if: github.event_name != 'pull_request'
+ id: meta
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+ with:
+ # list of Docker images to use as base name for tags
+ images: |
+ plus3it/tardigrade-ci
+ ghcr.io/plus3it/tardigrade-ci
+ flavor: |
+ latest=false
+ # generate Docker tags based on the following events/attributes
+ tags: |
+ # set latest tag for default branch
+ type=raw,value=latest,enable={{is_default_branch}}
+ # set version tags for releases
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+
+ - name: Login to Docker Hub
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to GitHub Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+ - name: Build and export
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
+ with:
+ context: .
+ load: true
+ tags: plus3it/tardigrade-ci:test
+ secrets: |
+ "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Run bats tests
+ if: github.event_name == 'pull_request'
+ run: docker run --rm -e "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}" plus3it/tardigrade-ci:test bats/test
+
+ - name: Push to registries
+ if: github.event_name != 'pull_request'
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
+ with:
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ secrets: |
+ "GITHUB_ACCESS_TOKEN=${{ secrets.GH_READONLY_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..7c429735
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,22 @@
+name: Run lint and static analysis checks
+on:
+ pull_request:
+
+concurrency:
+ group: lint-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: Clone this git repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ - name: Install lint dependencies
+ run: make lint/install
+
+ - name: Run lint checks
+ run: make -o docs/lint lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..d207e085
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,19 @@
+name: Create GitHub Release
+
+on:
+ # Run on demand
+ workflow_dispatch:
+
+ # Run on push to default branch when .bumpversion.cfg version is updated
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - .bumpversion.cfg
+
+jobs:
+ release:
+ uses: plus3it/actions-workflows/.github/workflows/release.yml@00bdf2c02c2bb252dc7ba7f74816ac8359aa6693
+ secrets:
+ release-token: ${{ secrets.GH_RELEASES_TOKEN }}
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 6409d827..00000000
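Review bot: No top-level `permissions:` block is declared, yet the `Login to GitHub Container Registry` step uses `secrets.GITHUB_TOKEN` as the registry password, so the ghcr push depends on the repository's default token permissions and fails wherever that default is read-only; adding `permissions:` / `  contents: read` / `  packages: write` fixes that and also stops the checkout, bats and Docker Hub steps from inheriting a write-capable token (lint.yml, which exports the same token via `env:`, needs only `contents: read`). `Run bats tests` is gated on `github.event_name == 'pull_request'`, so on push to master and on release the image reaches `Push to registries` without the tests having run on that build; if that is deliberate, a comment on the step saying why would help, otherwise drop the `if:`. In that same step the token is interpolated into the `run:` command line; passing it through the step's `env:` and `-e GITHUB_ACCESS_TOKEN` keeps the secret out of the shell command text.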
--- a/.travis.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-dist: focal
-
-language: python
-python: "3.10"
-
-git:
- depth: false
-
-env:
- global:
- - IMAGE_NAME=tardigrade-ci-test
-
-if: branch = master OR type = pull_request OR tag is present
-
-stages:
- - lint
- - test
- - deploy
-
-services:
- - docker
-
-jobs:
- include:
- - stage: lint
- name: Project Syntax Verification
- install: make lint/install
- script: make -o docs/lint lint
- - stage: test
- name: Run Makefile unit tests
- install: docker build --quiet --build-arg GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN -t "$IMAGE_NAME" -f Dockerfile .
- script: docker run "$IMAGE_NAME" bats/test
- - stage: deploy
- name: Deploy to GitHub Releases
- if: branch = master AND type = push AND repo = plus3it/tardigrade-ci
- before_script:
- - |
- PRIOR_VERSION=$(git describe --abbrev=0 --tags)
- RELEASE_VERSION=$(grep current_version $TRAVIS_BUILD_DIR/.bumpversion.cfg | sed 's/^.*= //' )
- RELEASE_BODY="* [tardigrade-ci v$RELEASE_VERSION CHANGELOG](https://github.com/plus3it/tardigrade-ci/blob/$RELEASE_VERSION/CHANGELOG.md)"
- export PRIOR_VERSION RELEASE_VERSION RELEASE_BODY
- script: skip
- before_deploy:
- # Per https://travis-ci.community/t/deployments-are-failing-due-to-uri-dependency/14375
- - yes | gem update --system --force
- - gem install bundler
- # Travis-CI is so broken, https://travis-ci.community/t/cannot-load-such-file-faraday-net-http-loaderror/14455
- - gem install faraday-net_http -v '3.3.0' # Fix faraday version
- - gem install uri
- - gem install logger
- - (set -x; git tag -a $RELEASE_VERSION -m $RELEASE_VERSION)
- deploy:
- provider: releases
- api_key: $GH_RELEASES_TOKEN
- name: $RELEASE_VERSION
- body: $RELEASE_BODY
- tag_name: $RELEASE_VERSION
- target_commitish: $TRAVIS_COMMIT
- draft: false
- on:
- branch: master
- repo: plus3it/tardigrade-ci
- condition: '"$PRIOR_VERSION" != "$RELEASE_VERSION"'
-
- - stage: deploy
- name: Deploy docker image to dockerhub
- if: (branch = master OR tag is present) AND type != pull_request AND repo =
plus3it/tardigrade-ci
- script: docker build --build-arg GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN -t "$IMAGE_NAME" -f Dockerfile .
- before_deploy:
- - export DOCKERHUB_TARGET="plus3it/tardigrade-ci:${TRAVIS_TAG:-latest}"
- - docker tag "$IMAGE_NAME" "$DOCKERHUB_TARGET"
- - echo Pushing image "$DOCKERHUB_TARGET"
- - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
- after_deploy: echo Pushed image "$DOCKERHUB_TARGET"
- deploy:
- - provider: script
- # push "latest" to dockerhub
- script: docker push "$DOCKERHUB_TARGET"
- skip_cleanup: true
- on:
- branch: master
- - provider: script
- # push "tag" to dockerhub
- script: docker push "$DOCKERHUB_TARGET"
- skip_cleanup: true
- on:
- tags: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8976fed3..4de959bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+### [0.27.0](https://github.com/plus3it/tardigrade-ci/releases/tag/0.27.0)
+
+**Released**: 2025.05.14
+
+**Summary**:
+
+* Uses github actions instead of travis-ci
+* Publishes container image to both dockerhub and ghcr.io
+* Uses docker secret instead of build-arg to set GITHUB_ACCESS_TOKEN
+
+* Updates tool versions:
+ * cfn-lint 1.35.1
+ * editorconfig-checker 3.3.0
+ * golang 1.24.3
+ * localstack 4.4.0
+ * terragrunt 0.78.2
+ * yq 4.45.4
+
 ### [0.26.2](https://github.com/plus3it/tardigrade-ci/releases/tag/0.26.2)
 **Released**: 2025.05.05
diff --git a/Dockerfile b/Dockerfile
index ecd6f7aa..6470a4eb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,8 @@
-FROM golang:1.24.3-bookworm as golang
+FROM golang:1.24.3-bookworm AS golang
 FROM python:3.13.3-bookworm
 ARG PROJECT_NAME=tardigrade-ci
-ARG GITHUB_ACCESS_TOKEN
 ENV USER=${PROJECT_NAME}
 ENV USER_UID=1000
@@ -43,7 +42,8 @@ COPY --chown=${USER}:${USER} --from=golang /go/ /go/
 COPY --chown=${USER}:${USER} . /${PROJECT_NAME}
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
-RUN make -C /${PROJECT_NAME} fixuid/install \
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN \
+ make -C /${PROJECT_NAME} fixuid/install \
 && cp /root/bin/fixuid /usr/local/bin/fixuid \
 && chown root:root /usr/local/bin/fixuid \
 && chmod 4755 /usr/local/bin/fixuid\
@@ -58,10 +58,12 @@ ENV PYENV_ROOT=${HOME}/.pyenv
 ENV PATH="$PYENV_ROOT/shims:$PYENV_ROOT/bin:${HOME}/.local/bin:${HOME}/bin:/go/bin:/usr/local/go/bin:${PATH}"
 ENV GOPATH=/go
-RUN make -C /${PROJECT_NAME} install
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN \
+ make -C /${PROJECT_NAME} install
 # Install python versions
-RUN make -C /${PROJECT_NAME} python312/install
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN \
+ make -C /${PROJECT_NAME} python312/install
 RUN pyenv global system $(pyenv versions | grep 3.12)
 RUN python --version \
 && python3 --version \
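Review bot: The `env=` option on `--mount=type=secret` (here and again in the `@@ -58,10 +58,12 @@` hunk) is only understood by recent BuildKit Dockerfile frontends — as far as I recall it was added in `docker/dockerfile:1.10` — and the earlier `@@ -1,9 +1,8 @@` hunk shows the file still starts directly with `FROM`, with no `# syntax=` directive, so an older builder rejects the mount option with a parse error rather than falling back. Adding `# syntax=docker/dockerfile:1` as the first line of the Dockerfile pins a frontend that supports it. A secret mount is also skipped silently when no secret is supplied at build time, leaving `GITHUB_ACCESS_TOKEN` unset for `make`; if the install targets need the token, `--mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN,required=true` turns an unauthenticated build into an explicit error. The `RUN` instruction in this hunk continues past its last line (`chmod 4755 /usr/local/bin/fixuid\`).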