Skip to content

[pre-commit.ci] pre-commit autoupdate (#26) #155

[pre-commit.ci] pre-commit autoupdate (#26)

[pre-commit.ci] pre-commit autoupdate (#26) #155

Workflow file for this run

name: ci
concurrency:
cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
group: ci-${{ github.ref_name }}-${{ github.event_name }}
on:
push:
branches:
- main
tags:
- "v*"
pull_request:
branches:
- main
env:
ANSIBLE_FORCE_COLOR: "1"
PY_COLORS: "1"
jobs:
trivy:
if: github.event_name == 'push' || github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
scan-type:
- fs
- config
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Cache trivy db
uses: actions/cache@v4
with:
path: |
~/.cache/trivy
~/work/temp
key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
restore-keys: |
${{ runner.os }}-trivy-db-
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
format: sarif
ignore-unfixed: true
output: trivy-results.sarif
scan-ref: .
scan-type: ${{ matrix.scan-type }}
severity: CRITICAL,HIGH
token-setup-trivy: ${{ secrets.GH_PAT }}
trivy-config: trivy.yaml
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
test:
if: github.event_name == 'push' || github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
services:
prometheus:
image: prom/prometheus:v3.0.1
ports:
- 9090:9090
loki:
image: grafana/loki:3.3.1
ports:
- 3100:3100
strategy:
fail-fast: false
matrix:
role:
- haproxy
- node_exporter
- vmagent
- promtail
- pushgateway
env:
VMAGENT_REMOTE_WRITE_URL: http://localhost:9090/api/v1/write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Check ansible
run: ansible --version
- name: Cache Ansible collections
uses: actions/cache@v4
with:
path: |
~/.ansible/collections
~/.ansible/plugins
key: ${{ runner.os }}-ansible-${{ hashFiles('**/requirements.yml') }}
restore-keys: |
${{ runner.os }}-ansible-
- name: Prepare localhost inventory
run: |
cat << 'EOF' > localhost.yml
all:
hosts:
localhost:
ansible_connection: local
EOF
- name: Install the dependencies
run: |
ansible-galaxy collection install -r requirements.yml
ansible-galaxy collection install ./
- name: Ansible playbook
run: ansible-playbook playbook.yml -i localhost.yml -t ${{ matrix.role }}
release-please:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
outputs:
releases_created: ${{ steps.release-please.outputs.releases_created }}
tag_name: ${{ steps.release-please.outputs.tag_name }}
permissions:
contents: write
pull-requests: write
steps:
- id: release-please
name: Release please
uses: googleapis/release-please-action@v4
with:
release-type: simple
publish-galaxy:
needs:
- test
- release-please
if: needs.release-please.outputs.releases_created == 'true'
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Build collection
run: ansible-galaxy collection build
- id: publish
name: Publish to Ansible Galaxy
run: |
namespace=$(yq -r .namespace galaxy.yml)
name=$(yq -r .name galaxy.yml)
version=$(yq -r .version galaxy.yml)
if [ v"$version" != "${{ needs.release-please.outputs.tag_name }}" ]; then
echo "Version in galaxy.yml ($version) does not match git tag (${{ needs.release-please.outputs.tag_name }})"
exit 1
fi
ansible-galaxy collection publish \
$namespace-$name-$version.tar.gz \
--token ${{ secrets.ANSIBLE_GALAXY_TOKEN }}
echo "asset=$namespace-$name-$version.tar.gz" >> $GITHUB_OUTPUT
ansible-lint:
if: github.event_name == 'push' || github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run ansible-lint
uses: ansible/ansible-lint@main
with:
setup_python: "true"
requirements_file: requirements.yml
sonarcloud:
if: github.event_name == 'push' || github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}