fix(kubernetes): avoid privilege escalation in Kubernetes jobs (#475) #686
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This file is part of REANA. | |
# Copyright (C) 2020, 2022, 2023, 2024 CERN. | |
# | |
# REANA is free software; you can redistribute it and/or modify it | |
# under the terms of the MIT License; see LICENSE file for more details. | |
name: CI | |
on: [push, pull_request] | |
jobs: | |
lint-commitlint: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
- name: Install commitlint | |
run: | | |
npm install conventional-changelog-conventionalcommits | |
npm install commitlint@latest | |
- name: Check commit message compliance of the recently pushed commit | |
if: github.event_name == 'push' | |
run: | | |
./run-tests.sh --check-commitlint HEAD~1 HEAD | |
- name: Check commit message compliance of the pull request | |
if: github.event_name == 'pull_request' | |
run: | | |
./run-tests.sh --check-commitlint ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }} ${{ github.event.pull_request.head.sha }} ${{ github.event.pull_request.number }} | |
lint-shellcheck: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Runs shell script static analysis | |
run: | | |
sudo apt-get install shellcheck | |
./run-tests.sh --check-shellcheck | |
lint-black: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Check Python code formatting | |
run: | | |
pip install --upgrade pip | |
pip install black | |
./run-tests.sh --check-black | |
lint-flake8: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Check compliance with pep8, pyflakes and circular complexity | |
run: | | |
pip install --upgrade pip | |
pip install flake8 | |
./run-tests.sh --check-flake8 | |
lint-pydocstyle: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Check compliance with Python docstring conventions | |
run: | | |
pip install --upgrade pip | |
pip install pydocstyle | |
./run-tests.sh --check-pydocstyle | |
lint-check-manifest: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Check Python manifest completeness | |
run: | | |
pip install --upgrade pip | |
pip install check-manifest | |
./run-tests.sh --check-manifest | |
docs-sphinx: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Install system dependencies | |
run: | | |
sudo apt-get update -y | |
sudo apt install libcurl4-openssl-dev libssl-dev | |
sudo apt-get install libgnutls28-dev | |
sudo apt-get install libkrb5-dev | |
- name: Install Python dependencies | |
run: | | |
pip install --upgrade pip 'setuptools<71' py | |
pip install -r requirements.txt | |
pip install -e .[all] | |
- name: Run Sphinx documentation with doctests | |
run: ./run-tests.sh --check-sphinx | |
python-tests: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install system dependencies | |
run: | | |
sudo apt-get update -y | |
sudo apt-get install libkrb5-dev | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Install Python dependencies | |
run: | | |
pip install --upgrade pip 'setuptools<71' py | |
pip install twine wheel | |
pip install -r requirements.txt | |
pip install -e .[all] | |
- name: Generate and check OpenAPI specification | |
run: ./run-tests.sh --check-openapi-spec | |
- name: Run pytest | |
run: ./run-tests.sh --check-pytest | |
- name: Codecov Coverage | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: coverage.xml | |
lint-dockerfile: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Check Dockerfile compliance | |
run: ./run-tests.sh --check-dockerfile | |
docker-build: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Build Docker image | |
run: ./run-tests.sh --check-docker-build | |
release-docker: | |
runs-on: ubuntu-20.04 | |
if: > | |
vars.RELEASE_DOCKER == 'true' && | |
github.event_name == 'push' && | |
startsWith(github.ref, 'refs/tags/') | |
needs: | |
- docs-sphinx | |
- lint-black | |
- lint-check-manifest | |
- lint-dockerfile | |
- lint-flake8 | |
- lint-pydocstyle | |
- lint-shellcheck | |
- python-tests | |
steps: | |
- name: Release Docker image | |
uses: reanahub/reana-github-actions/release-docker@v1 | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
token: ${{ secrets.DOCKER_TOKEN }} | |
organisation: ${{ vars.DOCKER_ORGANISATION }} | |
registry: ${{ vars.DOCKER_REGISTRY }} | |
platform: | | |
linux/amd64 | |
linux/arm64 |