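---
# CI: lint and test every push/PR to master, scan the repository history for
# leaked secrets, and on a push to master build the container image and push
# it to Harbor.
name: CI

# Least privilege for the workflow's GITHUB_TOKEN: the jobs below only clone
# or check out the repository; nothing writes back to GitHub through the API
# (the image push authenticates to Harbor with its own secrets).
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  lint:
    runs-on: linux
    container:
      image: python:3.12-alpine
    steps:
      # Manual checkout: the alpine image ships without git and
      # actions/checkout is not used inside this container. The triggering
      # ref is fetched by name straight from the repository URL, which covers
      # both refs/heads/<branch> (push) and refs/pull/<n>/merge (pull_request);
      # `git clone --branch "$GITHUB_REF_NAME"` accepts only branch/tag names
      # and fails on the pull-request merge ref ("<n>/merge"). Fetching from a
      # URL instead of a configured remote also keeps the token out of
      # .git/config, so later steps (pip, pytest and whatever they execute)
      # cannot read it from the workspace.
      - name: Checkout
        run: |
          apk add --no-cache -q git
          git init -q .
          git fetch -q --depth 1 \
            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" \
            "${GITHUB_REF}"
          git checkout -q --detach FETCH_HEAD
      - name: Install ruff
        run: pip install --no-cache-dir -q ruff
      - name: Lint
        run: ruff check src/ tests/

  test:
    runs-on: linux
    needs: [lint]
    container:
      image: python:3.12-alpine
    steps:
      # Same manual checkout as in `lint` (fetch the triggering ref by name,
      # no stored remote, token never persisted in .git/config).
      - name: Checkout
        run: |
          apk add --no-cache -q git
          git init -q .
          git fetch -q --depth 1 \
            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" \
            "${GITHUB_REF}"
          git checkout -q --detach FETCH_HEAD
      - name: Install deps
        run: |
          pip install --no-cache-dir -q -r requirements.txt
          pip install --no-cache-dir -q pytest pytest-asyncio
      - name: Test
        run: PYTHONPATH=src pytest tests/ -v

  secrets:
    runs-on: linux
    steps:
      # Full history (fetch-depth: 0) so gitleaks inspects every commit, not
      # only the tip. Consider pinning the action to a full commit SHA rather
      # than the moving `v4` tag.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # The workspace is mounted read-only, so the scanner cannot alter the
      # tree. `latest` is a moving tag: pin to a release tag or an image
      # digest so the scanner image cannot change underneath the pipeline.
      - name: Scan for secrets
        run: |
          podman run --rm \
            -v "$PWD:/scan:ro" \
            ghcr.io/gitleaks/gitleaks:latest \
            detect --source /scan -v

  build:
    runs-on: linux
    needs: [test, secrets]
    # Only publish from pushes to master; pull-request builds never reach the
    # registry.
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    steps:
      - uses: actions/checkout@v4
      # The password is passed on stdin rather than argv, so it does not show
      # up in the process list or the logged command line.
      - name: Login to Harbor
        run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
      # Two tags per build: an immutable short-SHA tag for traceability and a
      # moving `latest`.
      - name: Build and push
        run: |
          TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
          LATEST="harbor.mymx.me/library/bouncer:latest"
          podman build -t "$TAG" -t "$LATEST" -f Containerfile .
          podman push "$TAG"
          podman push "$LATEST"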