Initial implementation
This commit is contained in:
parent
ad13172a32
commit
fa1a60b3b2
|
@ -0,0 +1,5 @@
|
||||||
|
# Allow the `latest` tag
|
||||||
|
DKL-DI-0006
|
||||||
|
|
||||||
|
# Don't care about signatures
|
||||||
|
CIS-DI-0005
|
|
@ -0,0 +1,15 @@
|
||||||
|
version: 2
|
||||||
|
updates:
|
||||||
|
# Maintain dependencies for GitHub Actions
|
||||||
|
- package-ecosystem: "github-actions"
|
||||||
|
directory: "/.github/workflows"
|
||||||
|
schedule:
|
||||||
|
interval: "weekly"
|
||||||
|
|
||||||
|
# Maintain dependencies for Dockerfile
|
||||||
|
- package-ecosystem: "docker"
|
||||||
|
directory: "/"
|
||||||
|
schedule:
|
||||||
|
interval: "weekly"
|
||||||
|
ignore:
|
||||||
|
- dependency-name: "node"
|
|
@ -7,6 +7,8 @@ on:
|
||||||
branches: [master]
|
branches: [master]
|
||||||
tags:
|
tags:
|
||||||
- v*
|
- v*
|
||||||
|
schedule:
|
||||||
|
- cron: '18 1 * * 4'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
DOCKER_USERNAME: viktorstrate
|
DOCKER_USERNAME: viktorstrate
|
||||||
|
@ -15,16 +17,61 @@ env:
|
||||||
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
|
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
prepare:
|
||||||
|
name: Prepare the Matrix
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Prepare the Matrix
|
||||||
|
id: prepare_matrix
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
case ${{ github.event_name }} in
|
||||||
|
pull_request)
|
||||||
|
echo 'tags=[{"tag": "", "ref": "${{ github.ref }}"}]' >> $GITHUB_OUTPUT
|
||||||
|
;;
|
||||||
|
push)
|
||||||
|
echo 'tags=[{"tag": "${{ github.ref_name }}", "ref": "${{ github.ref }}"}]' >> $GITHUB_OUTPUT
|
||||||
|
;;
|
||||||
|
schedule)
|
||||||
|
git fetch --all
|
||||||
|
TAG=$(git describe --tags --abbrev=0 || exit 0)
|
||||||
|
if [ -z "$TAG" ]; then
|
||||||
|
echo 'tags=[{"tag": "${{ github.ref_name }}", "ref": "${{ github.ref }}"}]' >> $GITHUB_OUTPUT
|
||||||
|
else
|
||||||
|
echo 'tags=[{"tag": "${{ github.ref_name }}", "ref": "${{ github.ref }}"}, {"tag": "$TAG", "ref": "$(git show-ref --tags -d | grep "/$TAG$" | cut -d ' ' -f 2)"}]' >> $GITHUB_OUTPUT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Run for '${{ github.event_name }}' is not expected"
|
||||||
|
echo 'tags=[{"tag": "", "ref": "${{ github.ref }}"}]' >> $GITHUB_OUTPUT
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
outputs:
|
||||||
|
tags: ${{ steps.prepare_matrix.outputs.tags }}
|
||||||
|
|
||||||
build:
|
build:
|
||||||
name: Build Docker Image
|
name: Build Docker Image
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
needs: prepare
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
tags: ${{ fromJson(needs.prepare.outputs.tags) }}
|
||||||
steps:
|
steps:
|
||||||
- name: Delete huge unnecessary tools folder
|
- name: Delete huge unnecessary tools folder
|
||||||
run: rm -rf /opt/hostedtoolcache
|
run: rm -rf /opt/hostedtoolcache
|
||||||
|
|
||||||
- name: Checkout
|
- name: Checkout ${{ matrix.tags.ref }}
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ matrix.tags.ref }}
|
||||||
|
|
||||||
|
- name: Fetch branches
|
||||||
|
run: git fetch --all
|
||||||
|
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v3
|
uses: docker/setup-qemu-action@v3
|
||||||
|
@ -36,7 +83,7 @@ jobs:
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
- name: Docker Login
|
- name: Docker Login
|
||||||
if: success() && github.event_name != 'pull_request' && github.repository == 'photoview/photoview'
|
if: github.event_name != 'pull_request' && github.repository == 'photoview/photoview'
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
username: ${{ env.DOCKER_USERNAME }}
|
username: ${{ env.DOCKER_USERNAME }}
|
||||||
|
@ -62,16 +109,58 @@ jobs:
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
|
sbom: true
|
||||||
|
provenance: mode=max
|
||||||
platforms: ${{ env.PLATFORMS }}
|
platforms: ${{ env.PLATFORMS }}
|
||||||
pull: true
|
pull: true
|
||||||
push: ${{ github.event_name != 'pull_request' && github.repository == 'photoview/photoview' }}
|
push: ${{ github.event_name != 'pull_request' && github.repository == 'photoview/photoview' }}
|
||||||
tags: ${{ steps.docker_meta.outputs.tags }}
|
tags: ${{ steps.docker_meta.outputs.tags }}
|
||||||
labels: ${{ steps.docker_meta.outputs.labels }}
|
labels: ${{ steps.docker_meta.outputs.labels }}
|
||||||
|
annotations: ${{ steps.docker_meta.outputs.annotations }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
sbom: true
|
|
||||||
provenance: mode=max
|
|
||||||
annotations: ${{ steps.docker_meta.outputs.annotations }}
|
|
||||||
build-args: |
|
build-args: |
|
||||||
VERSION=${{ github.ref_name }}
|
VERSION=${{ github.ref_name }}
|
||||||
COMMIT_SHA=${{ github.sha }}
|
COMMIT_SHA=${{ github.sha }}
|
||||||
|
|
||||||
|
dockle:
|
||||||
|
name: Dockle Container Analysis
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
needs:
|
||||||
|
- prepare
|
||||||
|
- build
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
tags: ${{ fromJson(needs.prepare.outputs.tags) }}
|
||||||
|
if: ${{ github.event_name != 'pull_request' && github.repository == 'photoview/photoview' }}
|
||||||
|
steps:
|
||||||
|
# Makes sure your .dockleignore file is available to the next step
|
||||||
|
- name: Checkout ${{ matrix.tags.ref }}
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ matrix.tags.ref }}
|
||||||
|
|
||||||
|
- name: Docker Login
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
username: ${{ env.DOCKER_USERNAME }}
|
||||||
|
password: ${{ env.DOCKER_PASSWORD }}
|
||||||
|
|
||||||
|
- name: Run Dockle for '${{ env.DOCKER_IMAGE }}:${{ matrix.tags.tag }}'
|
||||||
|
id: dockle
|
||||||
|
if: ${{ matrix.tags.tag != '' }}
|
||||||
|
uses: erzz/dockle-action@v1
|
||||||
|
with:
|
||||||
|
image: '${{ env.DOCKER_IMAGE }}:${{ matrix.tags.tag }}'
|
||||||
|
report-name: dockle-results-${{ matrix.tags.tag }}
|
||||||
|
report-format: sarif
|
||||||
|
failure-threshold: fatal
|
||||||
|
exit-code: 1
|
||||||
|
timeout: 5m
|
||||||
|
|
||||||
|
- name: Upload SARIF file
|
||||||
|
if: ${{ steps.dockle.conclusion == 'success' || steps.dockle.conclusion == 'failure' }}
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
with:
|
||||||
|
sarif_file: dockle-results-${{ matrix.tags.tag }}.sarif
|
||||||
|
|
|
@ -7,34 +7,91 @@ on:
|
||||||
# The branches below must be a subset of the branches above
|
# The branches below must be a subset of the branches above
|
||||||
branches: [master]
|
branches: [master]
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 1 * * 4'
|
- cron: '37 1 * * 4'
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
create-matrix:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get languages from repo
|
||||||
|
id: set-matrix
|
||||||
|
uses: advanced-security/set-codeql-language-matrix@v1
|
||||||
|
with:
|
||||||
|
access-token: ${{ github.token }}
|
||||||
|
endpoint: ${{ github.event.repository.languages_url }}
|
||||||
|
outputs:
|
||||||
|
matrix: ${{ steps.set-matrix.outputs.languages }}
|
||||||
|
|
||||||
analyze:
|
analyze:
|
||||||
name: Analyze
|
name: Analyze
|
||||||
if: github.repository == 'photoview/photoview'
|
needs: create-matrix
|
||||||
runs-on: ubuntu-20.04
|
if: ${{ needs.create-matrix.outputs.matrix != '[]' && github.repository == 'photoview/photoview' }}
|
||||||
|
runs-on: ubuntu-latest
|
||||||
# strategy:
|
strategy:
|
||||||
# fail-fast: false
|
fail-fast: false
|
||||||
# matrix:
|
matrix:
|
||||||
# Override automatic language detection by changing the below list
|
language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
|
||||||
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
|
|
||||||
# language: ['go', 'javascript']
|
|
||||||
# Learn more...
|
|
||||||
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
uses: github/codeql-action/init@v1
|
uses: github/codeql-action/init@v3
|
||||||
with:
|
with:
|
||||||
languages: go, javascript
|
languages: ${{ matrix.language }}
|
||||||
# Run further tests
|
# Run further tests
|
||||||
queries: security-extended, security-and-quality
|
queries: security-extended, security-and-quality
|
||||||
|
|
||||||
|
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||||
|
- name: Autobuild
|
||||||
|
uses: github/codeql-action/autobuild@v3
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
- name: Perform CodeQL Analysis
|
||||||
uses: github/codeql-action/analyze@v1
|
uses: github/codeql-action/analyze@v3
|
||||||
|
with:
|
||||||
|
category: "/language:${{ matrix.language }}"
|
||||||
|
|
||||||
|
anchore:
|
||||||
|
name: Anchore scan code dependencies
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Generate report
|
||||||
|
id: scan
|
||||||
|
uses: anchore/scan-action@v4
|
||||||
|
with:
|
||||||
|
path: "."
|
||||||
|
fail-build: false
|
||||||
|
add-cpes-if-none: true
|
||||||
|
|
||||||
|
- name: Upload report
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
if: ${{ steps.scan.conclusion == 'success' || steps.scan.conclusion == 'failure' }}
|
||||||
|
with:
|
||||||
|
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||||
|
|
||||||
|
hadolint:
|
||||||
|
name: Hadolint Dockerfile
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Lint Dockerfile
|
||||||
|
uses: hadolint/hadolint-action@v3.1.0
|
||||||
|
id: hadolint-report
|
||||||
|
with:
|
||||||
|
dockerfile: Dockerfile
|
||||||
|
config: ${{ github.workspace }}/.hadolint.yaml
|
||||||
|
output-file: hadolint.sarif
|
||||||
|
format: sarif
|
||||||
|
failure-threshold: ignore
|
||||||
|
|
||||||
|
- name: Upload report
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
if: ${{ steps.hadolint-report.conclusion == 'success' || steps.hadolint-report.conclusion == 'failure' }}
|
||||||
|
with:
|
||||||
|
sarif_file: hadolint.sarif
|
||||||
|
|
|
@ -17,14 +17,15 @@ jobs:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
mariadb:
|
mariadb:
|
||||||
image: mariadb:10.5
|
image: mariadb:lts
|
||||||
env:
|
env:
|
||||||
MYSQL_DATABASE: photoview_test
|
MYSQL_DATABASE: photoview_test
|
||||||
MYSQL_USER: photoview
|
MYSQL_USER: photoview
|
||||||
MYSQL_PASSWORD: photosecret
|
MYSQL_PASSWORD: photosecret
|
||||||
MYSQL_RANDOM_ROOT_PASSWORD: yes
|
MYSQL_RANDOM_ROOT_PASSWORD: yes
|
||||||
|
# https://github.com/MariaDB/mariadb-docker/issues/497
|
||||||
options: >-
|
options: >-
|
||||||
--health-cmd="mysqladmin ping"
|
--health-cmd="mariadb-admin ping"
|
||||||
--health-interval=10s
|
--health-interval=10s
|
||||||
--health-timeout=5s
|
--health-timeout=5s
|
||||||
--health-retries=5
|
--health-retries=5
|
||||||
|
@ -32,7 +33,7 @@ jobs:
|
||||||
- 3306:3306
|
- 3306:3306
|
||||||
|
|
||||||
postgres:
|
postgres:
|
||||||
image: postgres:13.2
|
image: postgres:16-alpine
|
||||||
env:
|
env:
|
||||||
POSTGRES_USER: photoview
|
POSTGRES_USER: photoview
|
||||||
POSTGRES_PASSWORD: photosecret
|
POSTGRES_PASSWORD: photosecret
|
||||||
|
@ -64,6 +65,7 @@ jobs:
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
|
|
||||||
- name: Test
|
- name: Test
|
||||||
|
id: test
|
||||||
run: |
|
run: |
|
||||||
docker run --name test --network host \
|
docker run --name test --network host \
|
||||||
-e PHOTOVIEW_DATABASE_DRIVER=${{ matrix.database }} \
|
-e PHOTOVIEW_DATABASE_DRIVER=${{ matrix.database }} \
|
||||||
|
@ -76,6 +78,7 @@ jobs:
|
||||||
|
|
||||||
- name: Upload coverage
|
- name: Upload coverage
|
||||||
uses: codecov/codecov-action@v4
|
uses: codecov/codecov-action@v4
|
||||||
|
if: ${{ steps.test.conclusion == 'success' || steps.test.conclusion == 'failure' }}
|
||||||
with:
|
with:
|
||||||
flags: api-${{ matrix.database }}
|
flags: api-${{ matrix.database }}
|
||||||
|
|
||||||
|
@ -102,11 +105,32 @@ jobs:
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
|
|
||||||
- name: Test
|
- name: Test
|
||||||
|
id: test
|
||||||
run: |
|
run: |
|
||||||
docker run --name test photoview/ui npm run test:ci
|
docker run --name test photoview/ui npm run test:ci
|
||||||
docker cp test:/app/ui/coverage ./ui/
|
docker cp test:/app/ui/coverage ./ui/
|
||||||
|
|
||||||
- name: Upload coverage
|
- name: Upload coverage
|
||||||
uses: codecov/codecov-action@v4
|
uses: codecov/codecov-action@v4
|
||||||
|
if: ${{ steps.test.conclusion == 'success' || steps.test.conclusion == 'failure' }}
|
||||||
with:
|
with:
|
||||||
flags: ui
|
flags: ui
|
||||||
|
|
||||||
|
- name: Run ESLint
|
||||||
|
working-directory: ui
|
||||||
|
run: |
|
||||||
|
npm run lint:ci || true
|
||||||
|
echo "--------------------------"
|
||||||
|
echo "ESLint execution results :"
|
||||||
|
echo "--------------------------"
|
||||||
|
cat ./eslint-report.txt || echo "ESLint report file not found."
|
||||||
|
|
||||||
|
- name: ESLint artifact
|
||||||
|
id: eslint-artifact
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: ESLint-report
|
||||||
|
path: ./ui/eslint-report.txt
|
||||||
|
if-no-files-found: warn
|
||||||
|
compression-level: 9
|
||||||
|
overwrite: true
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
ignored:
|
||||||
|
- DL3008 # Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
|
||||||
|
- DL3015 # Avoid additional packages by specifying `--no-install-recommends`.
|
||||||
|
- SC1091 # Not following: File not included in mock.
|
Loading…
Reference in New Issue