64f3fedb9f
Runs gitleaks detect with full history before the build job. Both test and secrets jobs must pass to gate image push. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
44 lines
1.1 KiB
YAML
44 lines
1.1 KiB
YAML
name: ci
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.13'
|
|
- run: pip install pyyaml ruff pytest
|
|
- run: ruff check src/ tests/
|
|
- run: PYTHONPATH=src pytest tests/ -v
|
|
|
|
secrets:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- run: |
|
|
curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz \
|
|
| tar xz -C /usr/local/bin gitleaks
|
|
- run: gitleaks detect --source . -v
|
|
|
|
build:
|
|
needs: [test, secrets]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- run: |
|
|
docker login harbor.mymx.me \
|
|
-u "${{ secrets.HARBOR_USER }}" \
|
|
-p "${{ secrets.HARBOR_PASS }}"
|
|
- run: |
|
|
docker build \
|
|
-t harbor.mymx.me/s5p/s5p:latest \
|
|
-f Containerfile .
|
|
- run: docker push harbor.mymx.me/s5p/s5p:latest
|