.forgejo/workflows/ci.yaml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

name: CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:

env:
  IMAGE_NAME: rusian/yt-local
  GRYPE_VERSION: "0.112.0"
  PLATFORMS: linux/amd64,linux/arm64

jobs:
  lock-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.11"

      - name: Install pip-tools
        run: pip install pip-tools

      - name: Verify lock files are in sync
        run: |
          pip-compile --generate-hashes pyproject.toml -o /tmp/requirements.lock
          diff -qI '^#' requirements.lock /tmp/requirements.lock || {
            echo "ERROR: requirements.lock is out of sync. Run: make lock"
            exit 1
          }
          pip-compile --generate-hashes --extra dev pyproject.toml -o /tmp/requirements-dev.lock
          diff -qI '^#' requirements-dev.lock /tmp/requirements-dev.lock || {
            echo "ERROR: requirements-dev.lock is out of sync. Run: make lock"
            exit 1
          }

  test:
    needs: lock-check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.11"

      - name: Install pip-tools
        run: pip install pip-tools

      - name: Compile lock files
        run: |
          pip-compile --generate-hashes pyproject.toml -o requirements.lock
          pip-compile --generate-hashes --extra dev pyproject.toml -o requirements-dev.lock

      - name: Install dependencies (pinned)
        run: pip-sync requirements-dev.lock

      - name: Run tests
        run: pytest -v

  docker:
    needs: test
    runs-on: ubuntu-latest
    if: >-
      forgejo.event_name == 'workflow_dispatch' ||
      (forgejo.event_name == 'push' && forgejo.ref == 'refs/heads/master')
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

      - name: Set up Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Login to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_REGISTRY_USER }}
          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=sha,prefix=
            type=raw,value=latest

      - name: Build image for scan (amd64 only)
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE_NAME }}:scan

      - name: Install Grype
        run: |
          tarball="grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
          base="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}"
          curl -sSfL -o "$tarball" "$base/$tarball"
          curl -sSfL -o checksums.txt "$base/grype_${GRYPE_VERSION}_checksums.txt"
          # Verify only the file we downloaded; fail if it isn't checked.
          grep " $tarball\$" checksums.txt | sha256sum --check --strict -
          tar -xzf "$tarball" -C /usr/local/bin grype
          grype version

      - name: Scan image for vulnerabilities
        run: |
          # Full report for visibility (informational, never fails the build).
          grype "${IMAGE_NAME}:scan" --output table
          # Gate: only fail on vulnerabilities that HAVE a fix available.
          # Unfixable base-image CVEs (e.g. the python binary) can't be
          # remediated here, so blocking on them would just stall every
          # deploy with no action to take.
          grype "${IMAGE_NAME}:scan" --only-fixed --fail-on critical -q

      - name: Build and push (multi-platform)
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}