Fix: Add DNS validation, G2G_NO_GERRIT #310
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # SPDX-FileCopyrightText: 2025 The Linux Foundation | |
| # Runs on a new pull request, performs build and runs tests | |
| name: 'Python Build/Test' | |
| # yamllint disable-line rule:truthy | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| clear_cache: | |
| description: 'Clear all Python dependency caches' | |
| type: boolean | |
| default: false | |
| required: false | |
| pull_request: | |
| types: [opened, reopened, edited, synchronize] | |
| branches: | |
| - main | |
| - master | |
| paths: | |
| - '**' | |
| - '!.github/**' | |
| - '!.*' | |
| - '!tox.ini' | |
| concurrency: | |
| group: "${{ github.workflow }}-${{ github.ref }}" | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| repository-metadata: | |
| name: "Repository Metadata" | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| timeout-minutes: 5 | |
| steps: | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: audit | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: "Gather repository metadata" | |
| id: repo-metadata | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/repository-metadata-action@ceabcd987d13d7bfefd2372e01eebb0ddac45956 # v0.2.0 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| github_summary: 'true' | |
| gerrit_summary: 'false' | |
| artifact_upload: 'true' | |
| artifact_formats: 'json' | |
| python-build: | |
| name: 'Python Build' | |
| runs-on: 'ubuntu-latest' | |
| outputs: | |
| matrix_json: "${{ steps.python-build.outputs.matrix_json }}" | |
| artefact_name: "${{ steps.python-build.outputs.artefact_name }}" | |
| artefact_path: "${{ steps.python-build.outputs.artefact_path }}" | |
| permissions: | |
| contents: read | |
| actions: write # Required for cache deletion when clear_cache is true | |
| timeout-minutes: 12 | |
| env: | |
| GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: 'Build Python project' | |
| id: python-build | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-build-action@7ff456c72f1dd50ef212ea7222efc12693221af3 # v1.0.4 | |
| with: | |
| clear_cache: ${{ github.event.inputs.clear_cache || 'false' }} | |
| python-tests: | |
| name: 'Python Tests' | |
| runs-on: 'ubuntu-latest' | |
| needs: 'python-build' | |
| # Matrix job | |
| strategy: | |
| fail-fast: false | |
| matrix: "${{ fromJson(needs.python-build.outputs.matrix_json) }}" | |
| permissions: | |
| contents: read | |
| timeout-minutes: 12 | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: audit | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: "Python tests [pytest] ${{ matrix.python-version }}" | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-test-action@92d4110d44ebc18fa4575c6b00203ff67d01a1cb # v1.0.1 | |
| with: | |
| python_version: ${{ matrix.python-version }} | |
| python-audit: | |
| name: 'Python Audit' | |
| runs-on: 'ubuntu-latest' | |
| needs: 'python-build' | |
| # Matrix job | |
| strategy: | |
| fail-fast: false | |
| matrix: "${{ fromJson(needs.python-build.outputs.matrix_json) }}" | |
| permissions: | |
| contents: read | |
| timeout-minutes: 10 | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: "Audit dependencies ${{ matrix.python-version }}" | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-audit-action@ec8d84ca14c0413a2b2c6612a3e15b9803f9de75 # v0.2.5 | |
| with: | |
| python_version: "${{ matrix.python-version }}" | |
| sbom: | |
| name: 'Generate SBOM' | |
| runs-on: ubuntu-latest | |
| needs: 'python-build' | |
| timeout-minutes: 10 | |
| permissions: | |
| contents: read | |
| steps: | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: "Generate SBOM" | |
| id: sbom | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-sbom-action@ae4aca2ef28d7da4ec95049cc78be43e632d322a # v0.1.0 | |
| with: | |
| include_dev: "false" | |
| sbom_format: "both" | |
| - name: "Upload SBOM artifacts" | |
| # yamllint disable-line rule:line-length | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: sbom-files | |
| path: | | |
| sbom-cyclonedx.json | |
| sbom-cyclonedx.xml | |
| retention-days: 45 | |
| - name: "Security scan with Grype (SARIF)" | |
| # yamllint disable-line rule:line-length | |
| uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 | |
| id: grype-sarif | |
| # The first Grype scan should not abort the job on failure so that | |
| # subsequent steps can collect artefacts and display human-readable | |
| # results; the final check step will fail the job if needed | |
| continue-on-error: true | |
| with: | |
| sbom: "${{ steps.sbom.outputs.sbom_json_path }}" | |
| output-format: "sarif" | |
| output-file: "grype-results.sarif" | |
| fail-build: "true" | |
| - name: "Security scan with Grype (Text/Table)" | |
| # yamllint disable-line rule:line-length | |
| uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 | |
| id: grype-table | |
| if: always() | |
| with: | |
| sbom: "${{ steps.sbom.outputs.sbom_json_path }}" | |
| output-format: "table" | |
| output-file: "grype-results.txt" | |
| fail-build: "false" | |
| - name: "Upload Grype scan results" | |
| # yamllint disable-line rule:line-length | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: always() | |
| with: | |
| name: grype-scan-results | |
| path: | | |
| grype-results.sarif | |
| grype-results.txt | |
| retention-days: 90 | |
| - name: "Grype summary" | |
| if: always() | |
| run: | | |
| # Grype summary | |
| { | |
| echo "## SBOM Summary" | |
| echo "SBOM count: ${{ steps.sbom.outputs.component_count }}" | |
| echo "Tool used: ${{ steps.sbom.outputs.dependency_manager }}" | |
| echo "" | |
| echo "## Grype Vulnerability Scan" | |
| if [ -f grype-results.txt ]; then | |
| cat grype-results.txt | |
| else | |
| echo "No scan results available" | |
| fi | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| if [ -f grype-results.txt ]; then | |
| echo "--- Grype scan results ---" | |
| cat grype-results.txt | |
| fi | |
| - name: "Check Grype scan results" | |
| if: steps.grype-sarif.outcome == 'failure' | |
| run: | | |
| # Check Grype scan results | |
| echo "::error::Grype found vulnerabilities" \ | |
| "at or above severity threshold" | |
| echo "Review the Grype Summary above or download the" \ | |
| "grype-scan-results artifact for details" | |
| exit 1 |