a64b09de8e
Use container: directive per job instead of nested podman run. Each job specifies its execution image directly: - test: python:3.13-alpine - secrets: ghcr.io/gitleaks/gitleaks:latest - build: quay.io/podman/stable (--privileged for nested builds) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
49 lines
1.5 KiB
YAML
49 lines
1.5 KiB
YAML
name: ci
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: linux
|
|
container: python:3.13-alpine
|
|
steps:
|
|
- run: apk add --no-cache git
|
|
- run: |
|
|
git clone --depth 1 \
|
|
-c "http.extraHeader=Authorization: token ${{ github.token }}" \
|
|
"${{ github.server_url }}/${{ github.repository }}.git" .
|
|
- run: pip install --no-cache-dir -r requirements.txt ruff pytest
|
|
- run: ruff check src/ tests/
|
|
- run: PYTHONPATH=src pytest tests/ -v
|
|
|
|
secrets:
|
|
runs-on: linux
|
|
container: ghcr.io/gitleaks/gitleaks:latest
|
|
steps:
|
|
- run: |
|
|
git clone \
|
|
-c "http.extraHeader=Authorization: token ${{ github.token }}" \
|
|
"${{ github.server_url }}/${{ github.repository }}.git" .
|
|
- run: gitleaks detect --source . -v
|
|
|
|
build:
|
|
needs: [test, secrets]
|
|
runs-on: linux
|
|
container:
|
|
image: quay.io/podman/stable
|
|
options: --privileged
|
|
steps:
|
|
- run: dnf install -y git
|
|
- run: |
|
|
git clone --depth 1 \
|
|
-c "http.extraHeader=Authorization: token ${{ github.token }}" \
|
|
"${{ github.server_url }}/${{ github.repository }}.git" .
|
|
- run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
|
|
env:
|
|
HARBOR_USER: ${{ secrets.HARBOR_USER }}
|
|
HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
|
|
- run: podman build -t harbor.mymx.me/s5p/s5p:latest -f Containerfile .
|
|
- run: podman push harbor.mymx.me/s5p/s5p:latest
|