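---
# Engine CI/CD
#
# Flow: changes (path filter, push only) -> analyze (CodeQL) -> run-lint
#                                                            -> build-and-deploy
# On push events every downstream job is gated on the `engine` output of the
# `changes` job, so a push that does not touch engine/** runs nothing further.
#
# NOTE(review): actions are pinned to major tags (@v3, @v4, ...). Pinning to a
# full commit SHA makes the action supply chain reproducible; check the
# project's policy before changing the references.
name: "Engine CI/CD"

on:
  push:
    branches: ['main', 'staging', 'dev']
  pull_request:
    branches: ['main', 'staging', 'dev']
  schedule:
    - cron: '32 23 * * 6'

# Least-privilege default for GITHUB_TOKEN; each job widens it explicitly.
permissions:
  contents: read

jobs:
  changes:
    name: Allocating Push Filter
    runs-on: ubuntu-latest
    # Only pushes are path-filtered. On pull_request and schedule this job is
    # skipped, and downstream jobs must handle an empty `engine` output.
    if: github.event_name == 'push'
    permissions:
      contents: read        # actions/checkout (needed on private repositories)
      pull-requests: read   # required by dorny/paths-filter
    outputs:
      engine: ${{ steps.filter.outputs.engine }}
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            engine:
              - 'engine/**'
          # Same ref as the push: changes are detected against the previous
          # commit on this branch.
          base: ${{ github.ref }}

  analyze:
    name: Security Analysis on (${{ matrix.language }})
    needs: changes
    # `changes` is skipped on pull_request/schedule, and by default a skipped
    # dependency skips every job that needs it. `!cancelled()` replaces the
    # implicit success() check so CodeQL still runs on those events; on push the
    # `engine` output gates it. The expression is wrapped in ${{ }} because a
    # leading `!` is a YAML tag indicator.
    if: ${{ !cancelled() && (github.event_name != 'push' || needs.changes.outputs.engine == 'true') }}
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # codeql-action uploads results
      packages: read
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: ['python']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"

  run-lint:
    name: Linting Code
    runs-on: ubuntu-latest
    needs: [changes, analyze]
    # Same gating as analyze. `needs.analyze.result == 'success'` restores the
    # "only after a successful analyze" behaviour that the implicit success()
    # check would otherwise have provided.
    if: ${{ !cancelled() && needs.analyze.result == 'success' && (github.event_name != 'push' || needs.changes.outputs.engine == 'true') }}
    permissions:
      contents: read
      # NOTE(review): super-linter posts per-linter commit statuses by default
      # (MULTI_STATUS); confirm this scope is still needed if that is disabled.
      statuses: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history: with VALIDATE_ALL_CODEBASE=false super-linter diffs
          # the changed files against DEFAULT_BRANCH.
          fetch-depth: 0
      - name: Lint Code Base
        uses: github/super-linter@v4
        env:
          # Quoted on purpose: super-linter reads these as environment strings.
          VALIDATE_ALL_CODEBASE: "false"
          DEFAULT_BRANCH: "main"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VALIDATE_YAML: "false"
          VALIDATE_GITHUB_ACTIONS: "false"
          VALIDATE_PYTHON_BLACK: "false"
          VALIDATE_PYTHON_FLAKE8: "false"
          VALIDATE_PYTHON_ISORT: "false"
          VALIDATE_JAVASCRIPT_STANDARD: "false"
          VALIDATE_MARKDOWN: "false"
          VALIDATE_NATURAL_LANGUAGE: "false"
          VALIDATE_MARKDOWN_PRETTIER: "false"

  build-and-deploy:
    name: Build and Deploy Engine
    needs: [changes, analyze]
    # Explicit guard: deploy only on a push that touched engine/**, and (via the
    # implicit success() check) only after changes and analyze succeeded. Never
    # on pull_request or schedule.
    if: github.event_name == 'push' && needs.changes.outputs.engine == 'true'
    # Deployment environment: 'prod' for main, otherwise the branch name
    # (staging, dev). Environment-scoped secrets and approvals apply here.
    environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }}
    runs-on: ubuntu-latest
    # id-token: write, packages: write and actions: write were previously granted
    # but no step uses OIDC, GHCR or the Actions API; re-add a scope together
    # with the step that needs it.
    permissions:
      contents: read          # actions/checkout
      security-events: write  # upload-sarif
      actions: read           # NOTE(review): upload-sarif documents this for private repos; drop if unneeded
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      # Branch name is passed through env rather than interpolated into the
      # script, so it is never parsed as shell.
      - name: Set environment name
        id: set-env
        env:
          BRANCH: ${{ github.ref_name }}
        run: |
          if [ "$BRANCH" = "main" ]; then
            echo "ENV_NAME=prod" >> "$GITHUB_OUTPUT"
          else
            echo "ENV_NAME=$BRANCH" >> "$GITHUB_OUTPUT"
          fi

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and tag Docker image
        env:
          IMAGE: ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }}
          ENV_NAME: ${{ steps.set-env.outputs.ENV_NAME }}
        run: |
          docker build -t "$IMAGE" \
            --build-arg ENV="$ENV_NAME" \
            -f engine/docker/engine.Dockerfile .

      # Scan the locally built image before it reaches the registry, so a scan
      # failure can stop the push. With fail-build: false this is report-only;
      # set it to true (optionally with severity-cutoff) to gate the deploy.
      - name: Scan Docker image with Grype
        uses: anchore/scan-action@v6
        with:
          image: ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }}
          fail-build: false
          output-format: sarif
          output-file: grype-report.sarif

      - name: Push Docker image
        env:
          IMAGE: ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }}
        run: |
          docker push "$IMAGE"

      # Last so that a Security-tab API failure cannot block the deploy.
      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: grype-report.sarif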