feat: introduce a lightweight workflow which utilizes composite actions #199

Merged
merged 5 commits into from
Dec 12, 2023
Changes from 4 commits
40 changes: 40 additions & 0 deletions .github/actions/appinspect-api/action.yml
@@ -0,0 +1,40 @@
name: AppInspect

description: >
Performs validation checks on your Splunk app package against a set of standardized criteria to evaluate
the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
Uses AppInspect API.

inputs:
matrix_tags:
required: true
SPL_COM_USER:
required: true
SPL_COM_PASSWORD:
required: true

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Download artifact
uses: actions/download-artifact@v3
with:
name: package-splunkbase
path: build/package/

- name: AppInspect API
uses: splunk/appinspect-api-action@v3.0
with:
username: ${{ inputs.SPL_COM_USER }}
password: ${{ inputs.SPL_COM_PASSWORD }}
app_path: build/package/
included_tags: ${{ inputs.matrix_tags }}

- uses: actions/upload-artifact@v3
if: always()
with:
name: appinspect-api-html-report-${{ inputs.matrix_tags }}
path: AppInspect_response.html
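Review bot: every third-party action in this hunk is pinned to a mutable tag (`actions/checkout@v3`, `actions/download-artifact@v3`, `splunk/appinspect-api-action@v3.0`, `actions/upload-artifact@v3`), so the code that receives `SPL_COM_USER` and `SPL_COM_PASSWORD` can change underneath the tag; pin each to a full commit SHA and keep the tag in a trailing comment. The two credential inputs also carry no `description:` and nothing marks them as sensitive; composite actions cannot declare `secrets:`, so document that callers must pass `${{ secrets.* }}` values so the runner keeps them masked in logs. The `Checkout repository` step is unused here because the scan runs on the downloaded artifact under `build/package/`; drop it to shorten the job and shrink what the token touches. Finally, `if: always()` on the report upload also fires on cancellation; the CLI action in this same PR uses `if: ${{ !cancelled() }}`, which is the condition wanted here too.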
44 changes: 44 additions & 0 deletions .github/actions/appinspect-cli/action.yml
@@ -0,0 +1,44 @@
name: AppInspect

description: >
Performs validation checks on your Splunk app package against a set of standardized criteria to evaluate
the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
Uses AppInspect CLI.

inputs:
matrix_tags:
required: true

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Download artifact
uses: actions/download-artifact@v3
with:
name: package-splunkbase
path: build/package/

- name: Scan
uses: splunk/appinspect-cli-action@v1.9
with:
app_path: build/package/
included_tags: ${{ inputs.matrix_tags }}
result_file: appinspect_result_${{ inputs.matrix_tags }}.json

- name: Upload AppInspect report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v3
with:
name: appinspect_${{ inputs.matrix_tags }}_checks.json
path: appinspect_result_${{ inputs.matrix_tags }}.json

- name: Upload Markdown
if: inputs.matrix_tags == 'manual'
uses: actions/upload-artifact@v3
with:
name: check_markdown
path: |
*_markdown.txt
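Review bot: `name: AppInspect` is identical to the name of the API action added in this PR, so the two are indistinguishable in the run view; use `AppInspect CLI` here and `AppInspect API` there. The artifact is named `appinspect_${{ inputs.matrix_tags }}_checks.json`, which carries a `.json` suffix although it names an artifact rather than a file, and it does not match the `appinspect-api-html-report-<tag>` scheme of the sibling action; pick one convention for both. As in the API action, the checkout step is not needed since the scan only reads the package downloaded into `build/package/`, and the `splunk/appinspect-cli-action@v1.9` and `actions/*@v3` references should be pinned to commit SHAs.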
94 changes: 94 additions & 0 deletions .github/actions/artifact-registry/action.yml
@@ -0,0 +1,94 @@
name: Artifact registry

description: Uploads the generated addon build to ghcr.io

inputs:
sc4s:
required: true

outputs:
artifact:
value: ${{ steps.artifactid.outputs.result }}

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Download artifact
uses: actions/download-artifact@v3
with:
name: package-splunkbase
path: build/package/splunkbase

- name: Get app ID
id: getappid
shell: bash
run: |
appid=$(jq -r '.info.id.name' package/app.manifest)
echo appid="$appid"
echo "result=$appid" >> "$GITHUB_OUTPUT"

- name: Download ORAS
shell: bash
run: |
curl -LO https://github.com/oras-project/oras/releases/download/v0.12.0/oras_0.12.0_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_0.12.0_*.tar.gz -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf oras_0.12.0_*.tar.gz oras-install/

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Login to GitHub Packages Docker Registry
uses: docker/login-action@v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}

- name: Docker meta
id: meta
uses: docker/metadata-action@v4.6.0
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=semver,pattern=v{{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern=v{{major}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern=v{{version}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern={{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern={{major}},prefix=${{ steps.getappid.outputs.result }}-
type=semver,pattern={{version}},prefix=${{ steps.getappid.outputs.result }}-
type=ref,event=branch,prefix=${{ steps.getappid.outputs.result }}-
type=ref,event=pr,prefix=${{ steps.getappid.outputs.result }}-
type=sha,prefix=${{ steps.getappid.outputs.result }}-
type=sha,format=long,prefix=${{ steps.getappid.outputs.result }}-

- name: Upload artifacts
shell: bash
run: |
tee /tmp/tags &>/dev/null <<EOF
${{ steps.meta.outputs.tags }}
EOF
pushd build/package/splunkbase/
PACKAGE=$(ls ./*)
echo "$PACKAGE"
mv "$PACKAGE" "${{ steps.getappid.outputs.result }}".spl
while IFS= read -r line
do
echo ">>$line<<"
oras push \
--manifest-config /dev/null:application/vnd.splunk.ent.package.v1.tar+gzip \
"$line" \
"${{ steps.getappid.outputs.result }}".spl
echo " complete"
done < /tmp/tags
popd

- name: Output artifact locator
id: artifactid
shell: bash
run: |
echo "result= ${{ inputs.sc4s }}" >> "$GITHUB_OUTPUT"
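Review bot: the last step writes `result= ${{ inputs.sc4s }}` with a space after `=`, so the `artifact` output starts with a leading space, and more importantly it just echoes the `sc4s` input (otherwise unused in this action) instead of the reference that `oras push` actually uploaded; emit the pushed tag(s) from the `Upload artifacts` step and expose that. Second, `${{ steps.getappid.outputs.result }}` and `${{ steps.meta.outputs.tags }}` are interpolated straight into `run:` shell text; the app id is read from `package/app.manifest` in the checked-out tree, so whoever can change that file in a PR controls text inside the script (a `"` in the value breaks out of the quoted `.spl` name). Pass both through `env:` (e.g. `APP_ID: ${{ steps.getappid.outputs.result }}`, `TAGS: ${{ steps.meta.outputs.tags }}`) and use `"$APP_ID"` and `printf '%s\n' "$TAGS" > /tmp/tags` in the script. Third, the ORAS tarball is fetched with `curl -LO` and extracted with no integrity check; compare it against a pinned SHA-256 before the `mv` into `/usr/local/bin`. Minor: `PACKAGE=$(ls ./*)` yields a multi-line value if more than one file is present; use a glob and fail unless exactly one file matches.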
179 changes: 179 additions & 0 deletions .github/actions/build/action.yml
@@ -0,0 +1,179 @@
name: Build

description: >
Creates the UCC build for the addon, generates the SPL file using slim
and uploads it to the Github registry

inputs:
python_version:
required: true
SA_GH_USER_NAME:
required: true
SA_GH_USER_EMAIL:
required: true
SA_GPG_PRIVATE_KEY:
required: true
SA_GPG_PASSPHRASE:
required: true
AWS_ACCESS_KEY_ID:
required: true
AWS_DEFAULT_REGION:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
ucc_modinput_functional:
required: true
modinput_functional:
required: true

outputs:
buildname:
value: ${{ steps.buildupload.outputs.name }}

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
# Very Important: semantic-release won't trigger a tagged
# build if this is not set to false
persist-credentials: false

- name: Setup python
uses: actions/setup-python@v4
with:
python-version: 3.7

- name: Create requirements file for pip
shell: bash
run: |
if [ -f "poetry.lock" ]
then
echo " poetry.lock found "
sudo pip3 install poetry==1.5.1 poetry-plugin-export==1.4.0
poetry lock --check
poetry export --without-hashes -o requirements.txt
if [ "$(grep -cve '^\s*$' requirements.txt)" -ne 0 ]
then
echo "Prod dependencies were found, creating package/lib folder"
mkdir -p package/lib || true
mv requirements.txt package/lib
else
echo "No prod dependencies were found"
rm requirements.txt
fi
poetry export --without-hashes --dev -o requirements_dev.txt
cat requirements_dev.txt
fi

- name: Get pip cache dir
id: pip-cache
shell: bash
run: |
echo "dir=$(pip cache dir)" >> "$GITHUB_OUTPUT"

- name: Run Check there are libraries to scan
id: checklibs
shell: bash
run: if [ -f requirements_dev.txt ]; then echo "ENABLED=true" >> "$GITHUB_OUTPUT"; fi

- name: Run pip cache
if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
uses: actions/cache@v3
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('requirements_dev.txt') }}
restore-keys: |
${{ runner.os }}-pip-

- name: Install deps
if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
shell: bash
run: pip install -r requirements_dev.txt

- name: Semantic Release Get Next
id: semantic
if: github.event_name != 'pull_request'
uses: splunk/semantic-release-action@v1.3
with:
dry_run: true
git_committer_name: ${{ inputs.SA_GH_USER_NAME }}
git_committer_email: ${{ inputs.SA_GH_USER_EMAIL }}
gpg_private_key: ${{ inputs.SA_GPG_PRIVATE_KEY }}
passphrase: ${{ inputs.SA_GPG_PASSPHRASE }}
env:
GITHUB_TOKEN: ${{ github.token }}

- name: Determine the version to build
id: BuildVersion
uses: splunk/addonfactory-get-splunk-package-version-action@v1
with:
SemVer: ${{ steps.semantic.outputs.new_release_version }}
PrNumber: ${{ github.event.number }}

- name: Download THIRDPARTY
if: ${{ inputs.python_version }} == '3.7' && github.event_name != 'pull_request' && github.event_name != 'schedule'
uses: actions/download-artifact@v3
with:
name: THIRDPARTY

- name: Download THIRDPARTY (Optional for PR and schedule)
if: ${{ inputs.python_version }} == '3.7' && github.event_name == 'pull_request' || github.event_name == 'schedule'
continue-on-error: true
uses: actions/download-artifact@v3
with:
name: THIRDPARTY

- name: Update Notices
if: ${{ inputs.python_version }} == '3.7'
shell: bash
run: |
cp -f THIRDPARTY package/THIRDPARTY || echo "THIRDPARTY file not found (allowed for PR and schedule)"

- name: Build Package
id: uccgen
uses: splunk/addonfactory-ucc-generator-action@v2
with:
version: ${{ steps.BuildVersion.outputs.VERSION }}

- name: Slim Package
if: always() && ${{ inputs.python_version }} == '3.7'
id: slim
uses: splunk/addonfactory-packaging-toolkit-action@v1
with:
source: ${{ steps.uccgen.outputs.OUTPUT }}

- name: Artifact OpenAPI
if: ${{ inputs.python_version }} == '3.7' && ${{ !cancelled() && inputs.ucc_modinput_functional == 'true' && inputs.modinput_functional == 'true' }}
uses: actions/upload-artifact@v3
with:
name: artifact-openapi
path: ${{ github.workspace }}/${{ steps.uccgen.outputs.OUTPUT }}/static/openapi.json

- name: Artifact Splunkbase
if: ${{ !cancelled() }} && ${{ inputs.python_version }} == '3.7'
uses: actions/upload-artifact@v3
with:
name: package-splunkbase
path: ${{ steps.slim.outputs.OUTPUT }}

- name: Upload build to S3
if: ${{ inputs.python_version }} == '3.7'
id: buildupload
shell: bash
env:
AWS_ACCESS_KEY_ID: ${{ inputs.AWS_ACCESS_KEY_ID }}
AWS_DEFAULT_REGION: ${{ inputs.AWS_DEFAULT_REGION }}
AWS_SECRET_ACCESS_KEY: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
run: |
echo "name=$(basename "${{ steps.slim.outputs.OUTPUT }}")" >> "$GITHUB_OUTPUT"
basename "${{ steps.slim.outputs.OUTPUT }}"
aws s3 cp "${{ steps.slim.outputs.OUTPUT }}" s3://ta-production-artifacts/ta-apps/

- name: Artifact Splunk parts
if: ${{ !cancelled() }} && ${{ inputs.python_version }} == '3.7'
uses: actions/upload-artifact@v3
with:
name: package-deployment
path: build/package/deployment**
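Review bot: the `if:` conditions of the form `${{ inputs.python_version }} == '3.7' && ...` (Download THIRDPARTY, Download THIRDPARTY (Optional), Update Notices, Artifact OpenAPI, Upload build to S3) and the `... && ${{ inputs.python_version }} == '3.7'` variants (Slim Package, Artifact Splunkbase, Artifact Splunk parts) do not perform the comparison: when `${{ }}` wraps only part of an `if:` value, the runner substitutes the expression's text and the remaining string is non-empty, hence truthy, so these steps run for every Python version. Write each condition as one expression, e.g. `if: inputs.python_version == '3.7' && github.event_name != 'pull_request'`. The optional-download condition also needs parentheses, since `A && B || C` is `(A && B) || C` and the step therefore runs on `schedule` regardless of version. Related: `Setup python` hard-codes `python-version: 3.7` while the action declares a `python_version` input; use `${{ inputs.python_version }}` there. The `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` inputs are long-lived static credentials threaded through a composite action; assuming a role via OIDC with `aws-actions/configure-aws-credentials` would avoid passing them around at all.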
14 changes: 14 additions & 0 deletions .github/actions/compliance-copyrights/action.yml
@@ -0,0 +1,14 @@
name: Compliance copyrights

description: >
Reuse compliance check. Analyze third-party dependencies, generate a report,
and upload the report as an artifact for further inspection or use.

runs:
using: composite
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: REUSE Compliance Check
uses: fsfe/reuse-action@v1.1
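Review bot: the `description:` says the action analyzes third-party dependencies, generates a report and uploads it as an artifact, but the only step after checkout is `fsfe/reuse-action@v1.1`, which checks REUSE/SPDX licensing information in the repository and uploads nothing; either add the report generation and `upload-artifact` step or trim the description to what the action does. As elsewhere in this PR, pin the action to a commit SHA rather than the `v1.1` tag.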