2f7b82047d
Lint, test, secrets scan, and Harbor build/push jobs running on linux runner using ephemeral podman containers. Adds requirements.txt for container-based pip installs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
69 lines
1.8 KiB
YAML
69 lines
1.8 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
pull_request:
|
|
branches: [master]
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: linux
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Lint
|
|
run: |
|
|
podman run --rm \
|
|
-v "$PWD:/app:ro" \
|
|
-w /app \
|
|
python:3.12-alpine \
|
|
sh -c "pip install --no-cache-dir -q ruff && \
|
|
ruff check src/ tests/"
|
|
|
|
test:
|
|
runs-on: linux
|
|
needs: [lint]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Test
|
|
run: |
|
|
podman run --rm \
|
|
-v "$PWD:/app:ro" \
|
|
-w /app \
|
|
python:3.12-alpine \
|
|
sh -c "pip install --no-cache-dir -q -r requirements.txt && \
|
|
pip install --no-cache-dir -q pytest pytest-asyncio && \
|
|
PYTHONPATH=src pytest tests/ -v"
|
|
|
|
secrets:
|
|
runs-on: linux
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Scan for secrets
|
|
run: |
|
|
podman run --rm \
|
|
-v "$PWD:/scan:ro" \
|
|
ghcr.io/gitleaks/gitleaks:latest \
|
|
detect --source /scan -v
|
|
|
|
build:
|
|
runs-on: linux
|
|
needs: [test, secrets]
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Login to Harbor
|
|
run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
|
|
env:
|
|
HARBOR_USER: ${{ secrets.HARBOR_USER }}
|
|
HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
|
|
- name: Build and push
|
|
run: |
|
|
TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
|
|
LATEST="harbor.mymx.me/library/bouncer:latest"
|
|
podman build -t "$TAG" -t "$LATEST" -f Containerfile .
|
|
podman push "$TAG"
|
|
podman push "$LATEST"
|