feat: introduce a lightweight workflow which utilizes composite actions (#199)

This PR introduces a lightweight workflow to get faster feedback on PRs.
The new approach utilizes composite actions to allow for separate
definition of each job.

Based on the following MSCS TA Jira story:
https://splunk.atlassian.net/browse/ADDON-66448?atlOrigin=eyJpIjoiYjc1NzdkNzc4MTlkNDM0ODg2M2EzZDY0YzgyNGZmMjMiLCJwIjoiaiJ9

Sample run of the reused workflow in the MSCS TA repo:
[https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/workflows/lightweight-check-pr.yml](https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/workflows/lightweight-check-pr.yml)
awownysz-splunk authored Dec 12, 2023
1 parent a6824b5 commit c954809
Showing 18 changed files with 1,193 additions and 535 deletions.
40 changes: 40 additions & 0 deletions .github/actions/appinspect-api/action.yml
@@ -0,0 +1,40 @@
name: AppInspect

description: >
Performs validation checks on your Splunk app package against a set of standardized criteria to evaluate
the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
Uses AppInspect API.
inputs:
matrix_tags:
required: true
SPL_COM_USER:
required: true
SPL_COM_PASSWORD:
required: true

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Download artifact
uses: actions/download-artifact@v3
with:
name: package-splunkbase
path: build/package/

- name: AppInspect API
uses: splunk/appinspect-api-action@v3.0
with:
username: ${{ inputs.SPL_COM_USER }}
password: ${{ inputs.SPL_COM_PASSWORD }}
app_path: build/package/
included_tags: ${{ inputs.matrix_tags }}

- uses: actions/upload-artifact@v3
if: always()
with:
name: appinspect-api-html-report-${{ inputs.matrix_tags }}
path: AppInspect_response.html
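
Review bot: The `AppInspect API` step hands `SPL_COM_USER` and `SPL_COM_PASSWORD` to `splunk/appinspect-api-action@v3.0`, which is referenced by a movable tag, as are `actions/checkout@v3`, `actions/download-artifact@v3` and `actions/upload-artifact@v3`. Consider pinning each `uses:` to a full commit SHA so the code that receives the credentials cannot change without a reviewed update. The three inputs have no `description`, and the final upload step is unnamed and uses `if: always()` where the CLI action in this same commit uses `!cancelled()`; picking one would make the two actions behave the same on cancellation.
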
44 changes: 44 additions & 0 deletions .github/actions/appinspect-cli/action.yml
@@ -0,0 +1,44 @@
name: AppInspect

description: >
Performs validation checks on your Splunk app package against a set of standardized criteria to evaluate
the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
Uses AppInspect CLI.
inputs:
matrix_tags:
required: true

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Download artifact
uses: actions/download-artifact@v3
with:
name: package-splunkbase
path: build/package/

- name: Scan
uses: splunk/appinspect-cli-action@v1.12
with:
app_path: build/package/
included_tags: ${{ inputs.matrix_tags }}
result_file: appinspect_result_${{ inputs.matrix_tags }}.json

- name: Upload AppInspect report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v3
with:
name: appinspect_${{ inputs.matrix_tags }}_checks.json
path: appinspect_result_${{ inputs.matrix_tags }}.json

- name: Upload Markdown
if: inputs.matrix_tags == 'manual'
uses: actions/upload-artifact@v3
with:
name: check_markdown
path: |
*_markdown.txt
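
Review bot: `Upload Markdown` has `if: inputs.matrix_tags == 'manual'` with no status function, so the implicit `success()` applies and the step is skipped whenever `Scan` fails, while the JSON report step above it runs under `!cancelled()`. If the markdown is wanted for failed scans too, write `if: ${{ !cancelled() && inputs.matrix_tags == 'manual' }}`. The action is also named `AppInspect`, the same as the API variant added in this commit; a distinct name such as `AppInspect CLI` would tell them apart, and `matrix_tags` has no `description`.
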
94 changes: 94 additions & 0 deletions .github/actions/artifact-registry/action.yml
@@ -0,0 +1,94 @@
name: Artifact registry

description: Uploads the generated addon build to ghcr.io

inputs:
sc4s:
required: true

outputs:
artifact:
value: ${{ steps.artifactid.outputs.result }}

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Download artifact
uses: actions/download-artifact@v3
with:
name: package-splunkbase
path: build/package/splunkbase

- name: Get app ID
id: getappid
shell: bash
run: |
appid=$(jq -r '.info.id.name' package/app.manifest)
echo appid="$appid"
echo "result=$appid" >> "$GITHUB_OUTPUT"
- name: Download ORAS
shell: bash
run: |
curl -LO https://github.com/oras-project/oras/releases/download/v0.12.0/oras_0.12.0_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_0.12.0_*.tar.gz -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf oras_0.12.0_*.tar.gz oras-install/
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Login to GitHub Packages Docker Registry
uses: docker/login-action@v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}

- name: Docker meta
id: meta
uses: docker/metadata-action@v4.6.0
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=semver,pattern=v{{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern=v{{major}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern=v{{version}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern={{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern={{major}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern={{version}},prefix=${{ steps.getappid.outputs.result }}-
type=ref,event=branch,prefix=${{ steps.getappid.outputs.result }}-
type=ref,event=pr,prefix=${{ steps.getappid.outputs.result }}-
type=sha,prefix=${{ steps.getappid.outputs.result }}-
type=sha,format=long,prefix=${{ steps.getappid.outputs.result }}-
- name: Upload artifacts
shell: bash
run: |
tee /tmp/tags &>/dev/null <<EOF
${{ steps.meta.outputs.tags }}
EOF
pushd build/package/splunkbase/
PACKAGE=$(ls ./*)
echo "$PACKAGE"
mv "$PACKAGE" "${{ steps.getappid.outputs.result }}".spl
while IFS= read -r line
do
echo ">>$line<<"
oras push \
--manifest-config /dev/null:application/vnd.splunk.ent.package.v1.tar+gzip \
"$line" \
"${{ steps.getappid.outputs.result }}".spl
echo " complete"
done < /tmp/tags
popd
- name: Output artifact locator
id: artifactid
shell: bash
run: |
echo "result= ${{ inputs.sc4s }}" >> "$GITHUB_OUTPUT"
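
Review bot: The `run:` scripts in `Upload artifacts` and `Output artifact locator` splice `${{ steps.getappid.outputs.result }}`, `${{ steps.meta.outputs.tags }}` and `${{ inputs.sc4s }}` straight into the bash source, and the tags heredoc uses an unquoted `EOF`, so their values are parsed by the shell rather than treated as data; the app id in particular is read from `package/app.manifest` in the checked-out repository. Pass these values through `env:` and reference them as quoted variables (for example `"$APPID".spl`), and quote the heredoc delimiter. In `Download ORAS` the tarball is extracted and moved into `/usr/local/bin/` with no integrity check; compare it against a pinned SHA-256 before the `tar` line. Finally, `echo "result= ${{ inputs.sc4s }}"` writes a leading space into the `artifact` output and only echoes the input back; confirm that this is the intended locator.
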
179 changes: 179 additions & 0 deletions .github/actions/build/action.yml
@@ -0,0 +1,179 @@
name: Build

description: >
Creates the UCC build for the addon, generates the SPL file using slim
and uploads it to the Github registry
inputs:
python_version:
required: true
SA_GH_USER_NAME:
required: true
SA_GH_USER_EMAIL:
required: true
SA_GPG_PRIVATE_KEY:
required: true
SA_GPG_PASSPHRASE:
required: true
AWS_ACCESS_KEY_ID:
required: true
AWS_DEFAULT_REGION:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
ucc_modinput_functional:
required: true
modinput_functional:
required: true

outputs:
buildname:
value: ${{ steps.buildupload.outputs.name }}

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
# Very Important: semantic-release won't trigger a tagged
# build if this is not set to false
persist-credentials: false

- name: Setup python
uses: actions/setup-python@v4
with:
python-version: 3.7

- name: Create requirements file for pip
shell: bash
run: |
if [ -f "poetry.lock" ]
then
echo " poetry.lock found "
sudo pip3 install poetry==1.5.1 poetry-plugin-export==1.4.0
poetry lock --check
poetry export --without-hashes -o requirements.txt
if [ "$(grep -cve '^\s*$' requirements.txt)" -ne 0 ]
then
echo "Prod dependencies were found, creating package/lib folder"
mkdir -p package/lib || true
mv requirements.txt package/lib
else
echo "No prod dependencies were found"
rm requirements.txt
fi
poetry export --without-hashes --dev -o requirements_dev.txt
cat requirements_dev.txt
fi
- name: Get pip cache dir
id: pip-cache
shell: bash
run: |
echo "dir=$(pip cache dir)" >> "$GITHUB_OUTPUT"
- name: Run Check there are libraries to scan
id: checklibs
shell: bash
run: if [ -f requirements_dev.txt ]; then echo "ENABLED=true" >> "$GITHUB_OUTPUT"; fi

- name: Run pip cache
if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
uses: actions/cache@v3
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('requirements_dev.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install deps
if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
shell: bash
run: pip install -r requirements_dev.txt

- name: Semantic Release Get Next
id: semantic
if: github.event_name != 'pull_request'
uses: splunk/semantic-release-action@v1.3
with:
dry_run: true
git_committer_name: ${{ inputs.SA_GH_USER_NAME }}
git_committer_email: ${{ inputs.SA_GH_USER_EMAIL }}
gpg_private_key: ${{ inputs.SA_GPG_PRIVATE_KEY }}
passphrase: ${{ inputs.SA_GPG_PASSPHRASE }}
env:
GITHUB_TOKEN: ${{ github.token }}

- name: Determine the version to build
id: BuildVersion
uses: splunk/addonfactory-get-splunk-package-version-action@v1
with:
SemVer: ${{ steps.semantic.outputs.new_release_version }}
PrNumber: ${{ github.event.number }}

- name: Download THIRDPARTY
if: ${{ inputs.python_version }} == '3.7' && github.event_name != 'pull_request' && github.event_name != 'schedule'
uses: actions/download-artifact@v3
with:
name: THIRDPARTY

- name: Download THIRDPARTY (Optional for PR and schedule)
if: ${{ inputs.python_version }} == '3.7' && github.event_name == 'pull_request' || github.event_name == 'schedule'
continue-on-error: true
uses: actions/download-artifact@v3
with:
name: THIRDPARTY

- name: Update Notices
if: ${{ inputs.python_version }} == '3.7'
shell: bash
run: |
cp -f THIRDPARTY package/THIRDPARTY || echo "THIRDPARTY file not found (allowed for PR and schedule)"
- name: Build Package
id: uccgen
uses: splunk/addonfactory-ucc-generator-action@v2
with:
version: ${{ steps.BuildVersion.outputs.VERSION }}

- name: Slim Package
if: always() && ${{ inputs.python_version }} == '3.7'
id: slim
uses: splunk/addonfactory-packaging-toolkit-action@v1
with:
source: ${{ steps.uccgen.outputs.OUTPUT }}

- name: Artifact OpenAPI
if: ${{ inputs.python_version }} == '3.7' && ${{ !cancelled() && inputs.ucc_modinput_functional == 'true' && inputs.modinput_functional == 'true' }}
uses: actions/upload-artifact@v3
with:
name: artifact-openapi
path: ${{ github.workspace }}/${{ steps.uccgen.outputs.OUTPUT }}/static/openapi.json

- name: Artifact Splunkbase
if: ${{ !cancelled() }} && ${{ inputs.python_version }} == '3.7'
uses: actions/upload-artifact@v3
with:
name: package-splunkbase
path: ${{ steps.slim.outputs.OUTPUT }}

- name: Upload build to S3
if: ${{ inputs.python_version }} == '3.7'
id: buildupload
shell: bash
env:
AWS_ACCESS_KEY_ID: ${{ inputs.AWS_ACCESS_KEY_ID }}
AWS_DEFAULT_REGION: ${{ inputs.AWS_DEFAULT_REGION }}
AWS_SECRET_ACCESS_KEY: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
run: |
echo "name=$(basename "${{ steps.slim.outputs.OUTPUT }}")" >> "$GITHUB_OUTPUT"
basename "${{ steps.slim.outputs.OUTPUT }}"
aws s3 cp "${{ steps.slim.outputs.OUTPUT }}" s3://ta-production-artifacts/ta-apps/
- name: Artifact Splunk parts
if: ${{ !cancelled() }} && ${{ inputs.python_version }} == '3.7'
uses: actions/upload-artifact@v3
with:
name: package-deployment
path: build/package/deployment**
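
Review bot: Every `if:` written as `${{ inputs.python_version }} == '3.7' ...` (Download THIRDPARTY, Update Notices, Slim Package, Artifact OpenAPI, Artifact Splunkbase, Upload build to S3, Artifact Splunk parts) mixes an expression with literal text, so the whole value becomes a non-empty string and the condition is always true; the `!cancelled()` and `github.event_name` parts are never evaluated as conditions. Wrap the full condition in one expression, e.g. `if: ${{ !cancelled() && inputs.python_version == '3.7' }}`, and parenthesize the `pull_request || schedule` pair in the optional THIRDPARTY step, since `&&` binds tighter than `||`. As written, `Upload build to S3` runs with the AWS inputs regardless of Python version. `Setup python` also hardcodes `python-version: 3.7` and ignores the `python_version` input; either use the input or drop it from the interface.
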
14 changes: 14 additions & 0 deletions .github/actions/compliance-copyrights/action.yml
@@ -0,0 +1,14 @@
name: Compliance copyrights

description: >
Reuse compliance check. Analyze third-party dependencies, generate a report,
and upload the report as an artifact for further inspection or use.
runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: REUSE Compliance Check
uses: fsfe/reuse-action@v1.1
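
Review bot: The `description` promises to analyze third-party dependencies, generate a report and upload it as an artifact, but the steps only check out the repository and run `fsfe/reuse-action@v1.1`; there is no upload step. Either add the upload or reduce the description to the REUSE compliance check. Both `uses:` references are tags; pinning them to full commit SHAs would keep the check from changing without a reviewed update.
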