name: CI on: push: branches: [master] pull_request: branches: [master] workflow_dispatch: env: IMAGE_NAME: rusian/yt-local GRYPE_VERSION: "0.112.0" PLATFORMS: linux/amd64,linux/arm64 jobs: lock-check: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" - name: Install pip-tools run: pip install pip-tools - name: Verify lock files are in sync run: | pip-compile --generate-hashes pyproject.toml -o /tmp/requirements.lock diff -qI '^#' requirements.lock /tmp/requirements.lock || { echo "ERROR: requirements.lock is out of sync. Run: make lock" exit 1 } pip-compile --generate-hashes --extra dev pyproject.toml -o /tmp/requirements-dev.lock diff -qI '^#' requirements-dev.lock /tmp/requirements-dev.lock || { echo "ERROR: requirements-dev.lock is out of sync. Run: make lock" exit 1 } test: needs: lock-check runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" - name: Install pip-tools run: pip install pip-tools - name: Compile lock files run: | pip-compile --generate-hashes pyproject.toml -o requirements.lock pip-compile --generate-hashes --extra dev pyproject.toml -o requirements-dev.lock - name: Install dependencies (pinned) run: pip-sync requirements-dev.lock - name: Run tests run: pytest -v docker: needs: test runs-on: ubuntu-latest if: >- forgejo.event_name == 'workflow_dispatch' || (forgejo.event_name == 'push' && forgejo.ref == 'refs/heads/master') steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Login to Docker Hub uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKER_REGISTRY_USER }} password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} - name: Extract metadata id: meta uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.IMAGE_NAME }} tags: | type=sha,prefix= type=raw,value=latest - name: Build image for scan (amd64 only) uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . load: true tags: ${{ env.IMAGE_NAME }}:scan - name: Install Grype run: | tarball="grype_${GRYPE_VERSION}_linux_amd64.tar.gz" base="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}" curl -sSfL -o "$tarball" "$base/$tarball" curl -sSfL -o checksums.txt "$base/grype_${GRYPE_VERSION}_checksums.txt" # Verify only the file we downloaded; fail if it isn't checked. grep " $tarball\$" checksums.txt | sha256sum --check --strict - tar -xzf "$tarball" -C /usr/local/bin grype grype version - name: Scan image for vulnerabilities run: | # Full report for visibility (informational, never fails the build). grype "${IMAGE_NAME}:scan" --output table # Gate: only fail on vulnerabilities that HAVE a fix available. # Unfixable base-image CVEs (e.g. the python binary) can't be # remediated here, so blocking on them would just stall every # deploy with no action to take. grype "${IMAGE_NAME}:scan" --only-fixed --fail-on critical -q - name: Build and push (multi-platform) uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . platforms: ${{ env.PLATFORMS }} push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}