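---
# CI workflow: secret scan, lint and a Python-version test matrix on every
# push and pull request targeting master. The image build-and-push job runs
# only for pushes to master, after the secret scan and the tests have passed.
name: CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege for the job token: the only token consumer visible in this
# workflow is actions/checkout in the build job, which needs read access.
permissions:
  contents: read

env:
  # Clone URL used by the container jobs, which fetch the repository by hand
  # instead of using actions/checkout.
  # NOTE(review): no credentials are passed to git here, so this presumably
  # relies on the repository being readable anonymously - confirm.
  REPO_URL: "${{ github.server_url }}/${{ github.repository }}"

jobs:
  gitleaks:
    runs-on: linux
    container:
      # NOTE(review): `latest` is a floating tag, so the scanner (and its rule
      # set) can change between runs without a commit here. Pin to a release
      # tag or digest, e.g. ghcr.io/gitleaks/gitleaks@sha256:<DIGEST>.
      image: ghcr.io/gitleaks/gitleaks:latest
      # Clear the image entrypoint so the steps below run as shell scripts.
      options: --entrypoint ""
    steps:
      - name: Checkout
        # Full clone (no --depth) so the scan has the commit history.
        # The triggering commit is fetched explicitly: a plain clone only
        # brings branch and tag refs, so a pull-request commit may be absent
        # and a bare `git checkout <sha>` would fail.
        # $GITHUB_SHA is read from the environment rather than templated into
        # the script text.
        run: |
          apk add --no-cache git
          git clone "$REPO_URL" .
          git fetch origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
      - name: Scan for secrets
        run: gitleaks detect --source . --verbose

  lint:
    runs-on: linux
    container:
      image: python:3.13-alpine
    steps:
      - name: Checkout
        # Shallow-fetch exactly the triggering commit. `git clone --depth=1`
        # only contains the default-branch tip, so checking out any other
        # commit (every pull request, or a push that is no longer the tip)
        # fails. Requires the server to allow fetching a commit by id.
        run: |
          apk add --no-cache git
          git init .
          git remote add origin "$REPO_URL"
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
      - name: Install deps
        # NOTE(review): installed without hash checking; if
        # requirements-dev.txt carries hashes, --require-hashes enforces them.
        run: pip install -q -r requirements-dev.txt
      - name: Lint
        run: ruff check src/ tests/ plugins/

  test:
    runs-on: linux
    needs: [lint]
    strategy:
      matrix:
        # Quoted so the versions stay strings ("3.10"-style values would
        # otherwise parse as floats).
        python-version: ["3.11", "3.12", "3.13"]
    container:
      image: "python:${{ matrix.python-version }}-alpine"
    steps:
      - name: Checkout
        # Same shallow fetch-by-commit as the lint job; see the rationale
        # there: a depth-1 clone cannot check out a non-tip commit.
        run: |
          apk add --no-cache git
          git init .
          git remote add origin "$REPO_URL"
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
      - name: Install system deps
        # The symlink exposes the versioned libopus under the unversioned
        # name libopus.so.
        run: |
          apk add --no-cache opus opus-dev
          ln -sf /usr/lib/libopus.so.0 /usr/lib/libopus.so
      - name: Install Python deps
        run: pip install -q -r requirements-dev.txt
      - name: Patch pymumble/opuslib for musl
        # Runs a script from the repository; what it modifies is not visible
        # in this workflow.
        run: python3 patches/apply_pymumble_ssl.py
      - name: Test
        run: pytest -v

  build:
    # No `container:` key, so these steps run directly on the runner.
    runs-on: linux
    # Registry credentials are only reachable from pushes to master, never
    # from pull-request runs.
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    needs: [gitleaks, test]
    steps:
      # NOTE(review): `v4` is a movable tag; pinning the action to a full
      # commit SHA (actions/checkout@<COMMIT_SHA>) fixes the code that runs
      # in the job holding the registry credentials.
      - uses: actions/checkout@v4
      - name: Login to Harbor
        # Credentials are passed through the environment and the password is
        # fed on stdin. With `-p "<secret>"` the password appears in the
        # process arguments on the runner, and templating it into the script
        # text lets quotes or `$` in the secret change the command.
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
        run: |
          printf '%s' "$HARBOR_PASS" |
            podman login harbor.mymx.me -u "$HARBOR_USER" --password-stdin
      - name: Build and push
        # Two tags: an immutable one from the first 8 characters of the
        # commit id, and the moving `latest`.
        # `${GITHUB_SHA::8}` is a bash substring expansion, so this step
        # depends on the runner executing `run` scripts with bash.
        run: |
          TAG="harbor.mymx.me/library/derp:${GITHUB_SHA::8}"
          LATEST="harbor.mymx.me/library/derp:latest"
          podman build -t "$TAG" -t "$LATEST" .
          podman push "$TAG"
          podman push "$LATEST"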