Overalls
Stéphane Brunner edited this page Feb 5, 2024
- Be able to publish from a commit on a branch or from a tag.
- Print useful information in the CI.
- Offer a tool to print the Docker (Compose) and Kubernetes pod logs.
- Have messages well formatted for GitHub.
- Be able to audit the stabilization branches.
- Trigger a rebuild when a dpkg package is updated.
- Trigger the deployment (ArgoCD) repository when a Docker image is published.
- Be well integrated with GitHub.
- Have the master branch with up-to-date dependencies.
- Have the stabilization branches without any fixable CVE in the dependencies (including the dpkg packages present in the Docker images).
- Have a changelog in the releases.
- Apply the patch updates on the stabilization branches.
- Ensure that the security fixes are safely pushed to production.
- Renovate to update the dependencies.
- Poetry for Python dependency management and packaging, with:
  - dynamic versioning, to be able to publish on a tag.
  - tweak dependencies version, to be able to pin the dependencies (good for Renovate) while publishing a wider range of supported dependency versions.
  - drop Python upper constraint.
- pre-commit to apply formatting, fixes, code generation and quick checks.
  - hooks, notably one to update the copyright header in all the files if you need it.
  - an example hook list for a Python project.
- Snyk security scanner. SonarCloud can also be used to find many kinds of issues (security, bugs, code style, ...) in the code, but it produces many false positives.
- Chart Releaser to publish the Helm charts.
- initialise-gopass-summon-action, a GitHub Action to set up Gopass as the CI password store and automatically log in to some services (Docker Hub, PyPI, npm).
- Prospector, used to run Pylint, Mypy, Bandit, ... in one pass.
  - base.
  - duplicated: removes the checks duplicated with Black, isort or internal ones.
  - Python.
  - Docker.
  - Helm.
  - JavaScript (needs more work to provide good support...).
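The Poetry bullet above describes three adjustments made around publication: taking the version from the tag (dynamic versioning), widening exact dependency pins so the published package accepts a range while the repository stays pinned for Renovate, and dropping the Python upper constraint. The script below is an added illustration of those three transformations; it is not the project's own code nor that of any Poetry plugin. The sample `pyproject.toml`, the "same major version" widening policy and the function names are this example's assumptions.

```python
import re

# Constructed sample pyproject.toml: every dependency is pinned to an exact version
# so that Renovate can propose one small bump at a time.
SAMPLE_PYPROJECT = """\
[tool.poetry]
name = "example-app"
version = "0.0.0"

[tool.poetry.dependencies]
python = ">=3.9,<3.13"
requests = "2.31.0"
pyyaml = "6.0.1"
c2cwsgiutils = { version = "6.0.5", extras = ["standard"] }

[tool.poetry.group.dev.dependencies]
prospector = "1.10.3"
"""

EXACT_PIN = re.compile(r"^(\d+)\.\d+(?:\.\d+)?$")
SIMPLE_DEP = re.compile(r'^(\s*[\w.-]+\s*=\s*)"([^"]+)"(\s*(?:#.*)?)$')
INLINE_VERSION = re.compile(r'(\bversion\s*=\s*)"([^"]+)"')


def widen(pin: str) -> str:
    """Turn an exact pin into a same-major range: '2.31.0' -> '>=2.31.0,<3'.

    Anything that is not an exact pin (already a range, '*', a git or path dependency)
    is returned unchanged. The "same major" policy is this example's choice.
    """
    core = pin.strip()
    if core.startswith("=="):
        core = core[2:]
    match = EXACT_PIN.match(core)
    if not match:
        return pin
    return f">={core},<{int(match.group(1)) + 1}"


def drop_python_upper(spec: str) -> str:
    """Keep only the lower bound of a Python constraint: '>=3.9,<3.13' -> '>=3.9'.

    A caret ('^3.9') or compatible-release ('~=3.9') spec implies an upper bound too,
    so it is rewritten to a plain '>='.
    """
    kept = []
    for part in spec.split(","):
        part = part.strip()
        if part.startswith("^"):
            part = ">=" + part[1:]
        elif part.startswith("~="):
            part = ">=" + part[2:]
        if part.startswith("<"):
            continue
        kept.append(part)
    return ",".join(kept) or spec


def tweak_pyproject(text: str) -> str:
    """Rewrite every [tool.poetry.*dependencies] table for publication.

    Only the 'name = "ver"' and '{ version = "ver", ... }' forms are handled: this is a
    line-oriented illustration, not a TOML parser.
    """
    out = []
    in_deps = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_deps = stripped.startswith("[tool.poetry.") and stripped.endswith("dependencies]")
        elif in_deps and stripped and not stripped.startswith("#"):
            match = SIMPLE_DEP.match(line)
            if match:
                name = match.group(1).split("=")[0].strip()
                new = drop_python_upper(match.group(2)) if name == "python" else widen(match.group(2))
                line = f'{match.group(1)}"{new}"{match.group(3)}'
            else:
                line = INLINE_VERSION.sub(lambda m: f'{m.group(1)}"{widen(m.group(2))}"', line)
        out.append(line)
    return "\n".join(out) + "\n"


def set_version_from_tag(text: str, git_ref: str) -> str:
    """Dynamic versioning, illustrated: on a tag build use the tag name as the version.

    On a branch or pull request build the placeholder version in the file is kept.
    """
    prefix = "refs/tags/"
    if not git_ref.startswith(prefix):
        return text
    version = git_ref[len(prefix):]
    return re.sub(r'^(version\s*=\s*)"[^"]*"$', rf'\1"{version}"', text, count=1, flags=re.M)


if __name__ == "__main__":
    print(set_version_from_tag(tweak_pyproject(SAMPLE_PYPROJECT), "refs/tags/1.2.3"))
```

Run it in the publish job only, on a copy of `pyproject.toml`: the committed file keeps its exact pins so Renovate keeps working, and only the built wheel carries the widened ranges and the tag-derived version.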
With Snyk we:
- Monitor the code (send to the Snyk website).
- Monitor the published images (send to the Snyk website).
- Audit the dependencies, propose a pull request when possible, and raise an error if there is any fixable CVE.
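The last point above, failing the build when a fixable vulnerability remains, is the kind of gate a CI job puts on the scanner's output. The script below is an added example, not part of the project's own tooling: it reads the JSON that `snyk test --json` prints (one report, or a list of reports with `--all-projects`), keeps the findings Snyk marks as upgradable or patchable, derives the single upgrade per package that would close all of them, and returns a non-zero status when any remain. The report embedded in it is constructed for the example with placeholder ids and package names, and the `snyk_gate.py` file name in the comment is assumed.

```python
import json
import sys
from typing import Any

# Constructed sample of `snyk test --json` output, trimmed to the fields used below.
# The ids and package names are placeholders, not real advisories.
SAMPLE_SNYK_REPORT = json.dumps({
    "ok": False,
    "projectName": "example-app",
    "vulnerabilities": [
        {"id": "SNYK-PYTHON-EXAMPLE-1", "severity": "high", "packageName": "example-lib",
         "version": "1.0.0", "isUpgradable": True, "isPatchable": False, "fixedIn": ["1.0.1"]},
        {"id": "SNYK-PYTHON-EXAMPLE-2", "severity": "medium", "packageName": "other-lib",
         "version": "2.3.0", "isUpgradable": False, "isPatchable": False, "fixedIn": []},
        {"id": "SNYK-PYTHON-EXAMPLE-3", "severity": "critical", "packageName": "example-lib",
         "version": "1.0.0", "isUpgradable": True, "isPatchable": False, "fixedIn": ["1.0.2"]},
    ],
})
CLEAN_REPORT = json.dumps({"ok": True, "projectName": "example-app", "vulnerabilities": []})


def load_reports(raw: str) -> list[dict[str, Any]]:
    """`snyk test --json` prints one report; with --all-projects it prints a list of them."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def is_fixable(vuln: dict[str, Any]) -> bool:
    """Snyk flags a finding as fixable when a newer release or a Snyk patch removes it."""
    return bool(vuln.get("isUpgradable") or vuln.get("isPatchable"))


def fixable_vulnerabilities(raw: str) -> list[dict[str, Any]]:
    return [v for report in load_reports(raw) for v in report.get("vulnerabilities", []) if is_fixable(v)]


def version_key(version: str) -> tuple[int, ...]:
    """Numeric sort key, sufficient for the plain X.Y.Z versions Snyk lists in fixedIn."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def upgrade_plan(raw: str) -> dict[str, str]:
    """Package -> lowest version that closes every fixable finding on that package.

    Per finding take the lowest fixed release, then across findings keep the highest,
    so one upgrade per package (what the fix pull request would do) covers all of them.
    """
    plan: dict[str, str] = {}
    for vuln in fixable_vulnerabilities(raw):
        if not vuln.get("fixedIn"):
            continue  # patch-only finding: nothing to bump
        fix = min(vuln["fixedIn"], key=version_key)
        current = plan.get(vuln["packageName"])
        if current is None or version_key(fix) > version_key(current):
            plan[vuln["packageName"]] = fix
    return plan


def audit(raw: str) -> int:
    """CI gate: print every fixable finding and return 1 when any remains, else 0."""
    fixable = fixable_vulnerabilities(raw)
    for vuln in fixable:
        fixed_in = ", ".join(vuln.get("fixedIn", [])) or "snyk patch"
        print(f"{vuln['severity']:>8}  {vuln['packageName']}@{vuln['version']}  {vuln['id']}  fixed in: {fixed_in}")
    for package, version in upgrade_plan(raw).items():
        print(f"upgrade {package} to {version}")
    return 1 if fixable else 0


if __name__ == "__main__":
    # Typical use: snyk test --json | python snyk_gate.py
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNYK_REPORT
    sys.exit(audit(report))
```

Note that `snyk test` itself exits non-zero as soon as it finds anything, fixable or not; piping its JSON into a gate like this one is what lets the job fail only on the fixable findings while the unfixable ones stay visible in the log.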
Major managed projects are "application" projects with one master branch and some stabilization branches (one per supported released version).
Some managed projects are "project" projects with e.g. one `int` and one `prod` branch.
We consider the pull requests as the feature branches, and a Docker image is published tagged with the pull request number.
By default, the Docker images are published on pull requests, stabilization branches and tags.
By default, the Python and Helm packages are published only on tags.