diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index de49b979..08dec0bb 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -11,6 +11,10 @@ # https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA name: Bandit + +permissions: + contents: read # for actions/checkout to fetch code + on: push: branches: [ "main" ] @@ -22,15 +26,16 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: main + - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0 with: # optional arguments # exit with 0, even with results found exit_zero: true # optional, default is DEFAULT @@ -48,4 +53,3 @@ jobs: # skips: # optional, default is DEFAULT # path to a .bandit file that supplies command line arguments # ini_path: # optional, default is DEFAULT - diff --git a/.github/workflows/docker-push-audiovec-worker-staging.yml b/.github/workflows/docker-push-audiovec-worker-staging.yml index bceace16..ba53c27f 100644 --- a/.github/workflows/docker-push-audiovec-worker-staging.yml +++ b/.github/workflows/docker-push-audiovec-worker-staging.yml 
@@ -1,33 +1,40 @@ name: Publish Audio Worker to Dockerhub for Staging +permissions: + contents: read + on: workflow_dispatch jobs: - api: + docker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + + - name: Login to Docker Hub + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v.3.1.0 with: - ref: development - - name: "Setup Node version" - uses: actions/setup-node@v4 + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push amd64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - node-version: 20.9.0 - - name: Declare some variables - id: vars - shell: bash - run: | - echo "setting variables" - echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + context: "{{defaultContext}}:src/" + file: worker/audiovec/Dockerfile.audio_worker + platforms: linux/amd64 + push: true + tags: tattletech/feluda-operator-audiovec:worker-amd64-latest - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - uses: elgohr/Publish-Docker-Github-Action@main + - name: Build and push arm64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-audiovec - workdir: src/ - dockerfile: worker/audiovec/Dockerfile.audio_worker - tags: worker-amd64-latest - platforms: linux/amd64 \ No newline at end of file + context: "{{defaultContext}}:src/" + file: worker/audiovec/Dockerfile.audio_worker_graviton + platforms: linux/arm64 + push: true + tags: tattletech/feluda-operator-audiovec:worker-arm64-latest 
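Review bot: The `docker/login-action` pin carries the comment `# v.3.1.0`, while the neighbouring pins use the `# v3.0.0` form; SHA-update tooling such as Dependabot and Renovate keys off that trailing version comment, so the stray dot can leave this pin untracked — change it to `# v3.1.0`. The same comment recurs in the hash, vidvec-benchmark and vidvec-worker staging hunks, in merge-main.yml and prod-deploy.yml, and as `# v.3.24.7` on the upload-sarif pins in pr-security.yml and scorecard.yml. Separately, the removed checkout pinned the build to `ref: development`, whereas `{{defaultContext}}` builds whichever ref the workflow is dispatched from, so a staging image can now be produced from any branch the dispatcher selects; if `development` is intended, say so in a comment on the job or re-add a checkout with `ref: development` and use `context: src/`. The pushed tag is only the mutable `worker-amd64-latest`; pushing an additional immutable tag (for example the commit SHA) would make a staging image traceable to its source.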
diff --git a/.github/workflows/docker-push-hash-worker-staging.yml b/.github/workflows/docker-push-hash-worker-staging.yml
index 66dda88a..6976cdf6 100644
--- a/.github/workflows/docker-push-hash-worker-staging.yml
+++ b/.github/workflows/docker-push-hash-worker-staging.yml
@@ -1,33 +1,40 @@ name: Publish Hash Worker to Dockerhub for Staging +permissions: + contents: read + on: workflow_dispatch jobs: - api: + docker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + + - name: Login to Docker Hub + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v.3.1.0 with: - ref: development - - name: "Setup Node version" - uses: actions/setup-node@v4 + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push amd64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - node-version: 20.9.0 - - name: Declare some variables - id: vars - shell: bash - run: | - echo "setting variables" - echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + context: "{{defaultContext}}:src/" + file: worker/hash/Dockerfile.hash_worker + platforms: linux/amd64 + push: true + tags: tattletech/feluda-operator-hash:worker-amd64-latest - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - uses: elgohr/Publish-Docker-Github-Action@main + - name: Build and push arm64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-hash - workdir: src/ - dockerfile: worker/hash/Dockerfile.hash_worker - tags: worker-amd64-latest - platforms: linux/amd64 \ No newline at end of file + context: "{{defaultContext}}:src/" + file: worker/hash/Dockerfile.hash_worker_graviton + platforms: linux/arm64 + push: true + tags: tattletech/feluda-operator-hash:worker-arm64-latest 
diff --git a/.github/workflows/docker-push-vidvec-benchmark.yml b/.github/workflows/docker-push-vidvec-benchmark.yml
index 314e6421..23414d34 100644
--- a/.github/workflows/docker-push-vidvec-benchmark.yml
+++ b/.github/workflows/docker-push-vidvec-benchmark.yml
@@ -1,54 +1,40 @@ name: Publish Video Operator to Dockerhub +permissions: + contents: read + on: workflow_dispatch jobs: - api: + docker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: - ref: master - - name: "Setup Node version" - uses: actions/setup-node@v4 - with: - node-version: 20.9.0 - - name: Declare some variables - id: vars - shell: bash - run: | - echo "setting variables" - echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + + - name: Login to Docker Hub + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v.3.1.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-vidvec - workdir: src/ - dockerfile: benchmark/vidvec/Dockerfile.vid_vec_rep_resnet - tags: benchmark-amd64-latest + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push amd64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + with: + context: "{{defaultContext}}:src/" + file: benchmark/vidvec/Dockerfile.vid_vec_rep_resnet platforms: linux/amd64 - - uses: elgohr/Publish-Docker-Github-Action@main + push: true + tags: tattletech/feluda-operator-vidvec:benchmark-amd64-latest + + - name: Build and push arm64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-vidvec - workdir: src/ - dockerfile: benchmark/vidvec/Dockerfile.vid_vec_rep_resnet_graviton - tags: benchmark-arm64-latest + context: "{{defaultContext}}:src/" + file: 
benchmark/vidvec/Dockerfile.vid_vec_rep_resnet_graviton platforms: linux/arm64 - - # - name: deploy to cluster - # uses: steebchen/kubectl@v2.0.0 - # with: # defaults to latest kubectl binary version - # config: ${{ secrets.PROD_KUBE_CONFIG_DATA }} - # command: set image --record deployment/feluda-server feluda-server=tattletech/feluda-server:${{ steps.vars.outputs.sha_short }} - # - name: verify deployment - # uses: steebchen/kubectl@v2.0.0 - # with: - # config: ${{ secrets.PROD_KUBE_CONFIG_DATA }} - # version: v1.21.0 # specify kubectl binary version explicitly - # command: rollout status deployment/feluda-server + push: true + tags: tattletech/feluda-operator-vidvec:benchmark-arm64-latest diff --git a/.github/workflows/docker-push-vidvec-worker-staging.yml b/.github/workflows/docker-push-vidvec-worker-staging.yml index 540d7638..324f1d78 100644 --- a/.github/workflows/docker-push-vidvec-worker-staging.yml +++ b/.github/workflows/docker-push-vidvec-worker-staging.yml 
@@ -1,33 +1,40 @@ name: Publish Video Worker to Dockerhub for Staging +permissions: + contents: read + on: workflow_dispatch jobs: - api: + docker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + + - name: Login to Docker Hub + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v.3.1.0 with: - ref: development - - name: "Setup Node version" - uses: actions/setup-node@v4 + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push amd64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - node-version: 20.9.0 - - name: Declare some variables - id: vars - shell: bash - run: | - echo "setting variables" - echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + context: "{{defaultContext}}:src/" + file: worker/vidvec/Dockerfile.video_worker + platforms: linux/amd64 + push: true + tags: tattletech/feluda-operator-vidvec:worker-amd64-latest - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - uses: elgohr/Publish-Docker-Github-Action@main + - name: Build and push arm64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-vidvec - workdir: src/ - dockerfile: worker/vidvec/Dockerfile.video_worker - tags: worker-amd64-latest - platforms: linux/amd64 \ No newline at end of file + context: "{{defaultContext}}:src/" + file: worker/vidvec/Dockerfile.video_worker_graviton + platforms: linux/arm64 + push: true + tags: tattletech/feluda-operator-vidvec:worker-arm64-latest 
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml index 70f7c2f0..ddb311f0 100644 --- a/.github/workflows/merge-main.yml +++ b/.github/workflows/merge-main.yml @@ -1,5 +1,8 @@ name: Merge PR to main +permissions: + contents: read + on: pull_request: types: 
@@ -8,116 +11,104 @@ on: - main jobs: - if_merged: + release: if: github.event.pull_request.merged == true runs-on: ubuntu-latest concurrency: release permissions: contents: write + # Map a step output to a job output + outputs: + released: ${{ steps.release.outputs.released }} + tag: ${{ steps.release.outputs.tag }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Setup Python version - uses: actions/setup-python@v5 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: '3.11' -# - name: Dry Run to get next release version -# id: next_version -# shell: bash -# run: | -# pip install python-semantic-release -# echo "new_tag_version=$(semantic-release --noop version --print)" >> $GITHUB_OUTPUT - - name: Python Semantic Release id: release - uses: python-semantic-release/python-semantic-release@master + uses: python-semantic-release/python-semantic-release@c82bd673c30da94a02e039963c8c4c8a51758096 # v9.1.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} -# shell: bash -# run: | -# echo "the release status is: ${{ steps.release.outputs.released }}" -# echo "the new version is: ${{ steps.release.outputs.version }}" -# echo "the new tag version is: ${{ steps.release.outputs.tag }}" + + docker: + needs: release + if: needs.release.outputs.released == 'true' + runs-on: ubuntu-latest + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + + - name: Login to Docker Hub + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v.3.1.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Publish vidvec amd64 worker to dockerhub - if: 
steps.release.outputs.released == 'true' - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-vidvec - workdir: src/ - dockerfile: worker/vidvec/Dockerfile.video_worker - tags: worker-amd64-${{ steps.release.outputs.tag }} + context: "{{defaultContext}}:src/" + file: worker/vidvec/Dockerfile.video_worker platforms: linux/amd64 + push: true + tags: tattletech/feluda-operator-vidvec:worker-amd64-${{ needs.release.outputs.tag }} - name: Publish vidvec arm64 worker to dockerhub - if: steps.release.outputs.released == 'true' - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-vidvec - workdir: src/ - dockerfile: worker/vidvec/Dockerfile.video_worker_graviton - tags: worker-arm64-${{ steps.release.outputs.tag }} + context: "{{defaultContext}}:src/" + file: worker/vidvec/Dockerfile.video_worker_graviton platforms: linux/arm64 + push: true + tags: tattletech/feluda-operator-vidvec:worker-arm64-${{ needs.release.outputs.tag }} - name: Publish audiovec amd64 worker to dockerhub - if: steps.release.outputs.released == 'true' - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-audiovec - workdir: src/ - dockerfile: worker/audiovec/Dockerfile.audio_worker - tags: worker-amd64-${{ steps.release.outputs.tag }} + context: "{{defaultContext}}:src/" + file: worker/audiovec/Dockerfile.audio_worker platforms: linux/amd64 + push: true + tags: tattletech/feluda-operator-audiovec:worker-amd64-${{ needs.release.outputs.tag }} - name: 
Publish audiovec arm64 worker to dockerhub - if: steps.release.outputs.released == 'true' - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-audiovec - workdir: src/ - dockerfile: worker/audiovec/Dockerfile.audio_worker_graviton - tags: worker-arm64-${{ steps.release.outputs.tag }} + context: "{{defaultContext}}:src/" + file: worker/audiovec/Dockerfile.audio_worker_graviton platforms: linux/arm64 + push: true + tags: tattletech/feluda-operator-audiovec:worker-arm64-${{ needs.release.outputs.tag }} - name: Publish media hash amd64 worker to dockerhub - if: steps.release.outputs.released == 'true' - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-hash - workdir: src/ - dockerfile: worker/hash/Dockerfile.hash_worker - tags: worker-amd64-${{ steps.release.outputs.tag }} + context: "{{defaultContext}}:src/" + file: worker/hash/Dockerfile.hash_worker platforms: linux/amd64 + push: true + tags: tattletech/feluda-operator-hash:worker-amd64-${{ needs.release.outputs.tag }} - name: Publish media hash arm64 worker to dockerhub - if: steps.release.outputs.released == 'true' - uses: elgohr/Publish-Docker-Github-Action@main + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-operator-hash - workdir: src/ - dockerfile: worker/hash/Dockerfile.hash_worker_graviton - tags: worker-arm64-${{ steps.release.outputs.tag }} + context: "{{defaultContext}}:src/" + file: worker/hash/Dockerfile.hash_worker_graviton platforms: linux/arm64 + push: true + tags: 
tattletech/feluda-operator-hash:worker-arm64-${{ needs.release.outputs.tag }} # - name: deploy to cluster # uses: steebchen/kubectl@v2.0.0 diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml index 222eb7fb..17b56f7a 100644 --- a/.github/workflows/pr-security.yml +++ b/.github/workflows/pr-security.yml @@ -1,5 +1,8 @@ name: Run security checks on PR +permissions: + contents: read # for actions/checkout to fetch code + on: pull_request: branches: @@ -15,17 +18,16 @@ jobs: checks: if: github.event.pull_request.draft == false permissions: - contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Run security checks runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Lint with Ruff run: | - pip install ruff + pip install ruff==0.3.2 ruff --output-format=github ./src/ continue-on-error: false @@ -34,7 +36,7 @@ jobs: python -m venv env1/ source env1/bin/activate - name: pip audit src requirements - uses: pypa/gh-action-pip-audit@v1.0.8 + uses: pypa/gh-action-pip-audit@d499194be74aeb3bc7dbed3a224a87e1831132c7 # v1.0.8 with: # must be populated earlier in the CI virtual-environment: env1/ @@ -47,7 +49,7 @@ jobs: python -m venv env2/ source env2/bin/activate - name: pip audit operator audiovec requirements - uses: pypa/gh-action-pip-audit@v1.0.8 + uses: pypa/gh-action-pip-audit@d499194be74aeb3bc7dbed3a224a87e1831132c7 # v1.0.8 with: # must be populated earlier in the CI virtual-environment: env2/ @@ -60,7 +62,7 @@ jobs: python -m venv env3/ source env3/bin/activate - name: pip audit operator vidvec requirements - uses: pypa/gh-action-pip-audit@v1.0.8 + uses: pypa/gh-action-pip-audit@d499194be74aeb3bc7dbed3a224a87e1831132c7 # v1.0.8 with: # must be populated earlier in the CI virtual-environment: env3/ 
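Review bot: The `docker` job builds from `{{defaultContext}}`, which for a `pull_request` event resolves to the event's merge ref rather than to the tag produced by the `release` job, so the images tagged `worker-*-${{ needs.release.outputs.tag }}` are likely built from source that predates the version-bump commit python-semantic-release pushes; worth confirming against a run. If that is not intended, add an `actions/checkout` step with `ref: ${{ needs.release.outputs.tag }}` to the `docker` job and change each `context: "{{defaultContext}}:src/"` to `context: src/`. The `release` job is the only one that needs `contents: write`, and the `docker` job correctly inherits the workflow-level `contents: read`. The commented-out kubectl steps at the end of the steps list continue outside the hunk.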
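Review bot: Removing `contents: read` from the job-level `permissions` block of `checks` leaves that block with only `security-events: write`, and a job-level `permissions` key replaces the workflow-level one rather than merging with it, so every other scope, including `contents`, becomes `none` for this job and the `actions/checkout` step below may no longer be able to fetch the repository. Restore the line inside the job block, `contents: read # for actions/checkout to fetch code`, the way bandit.yml keeps it alongside `security-events: write`. The `pip install ruff==0.3.2` pin is a good change; the remaining steps of this job are outside the hunk.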
@@ -69,7 +71,7 @@ jobs: ./src/core/operators/vid_vec_rep_resnet_requirements.txt - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0 with: scan-type: 'fs' ignore-unfixed: true @@ -81,13 +83,13 @@ jobs: skip-dirs: '.vscode,docs' exit-code: '1' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@9e39a05578dd315aad814d3c71bd03472cc5b815 # v.3.24.7 if: always() with: sarif_file: 'trivy-results.sarif' - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0 with: # optional arguments # exit with 0, even with results found exit_zero: false # optional, default is DEFAULT diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index 4a7c036c..b4f58bfa 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -1,5 +1,8 @@ name: Run tests on PR +permissions: + contents: read + on: pull_request: branches: @@ -18,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build container for tests run: docker compose -f ./.ci/docker-compose.yml -p ci build diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml index 1cf3e8c0..4167254a 100644 --- a/.github/workflows/prod-deploy.yml +++ b/.github/workflows/prod-deploy.yml @@ -1,9 +1,12 @@ name: Deploy to Production +permissions: + contents: read + on: push: branches: - - master + - main jobs: changes: 
@@ -12,10 +15,10 @@ jobs: api: ${{ steps.filter.outputs.api}} docs: ${{ steps.filter.outputs.docs }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: development - - uses: dorny/paths-filter@v2.2.0 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: filters: | @@ -29,9 +32,9 @@ jobs: needs: changes if: ${{ needs.changes.outputs.api == 'true' }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: master + ref: main - name: Declare some variables id: vars shell: bash 
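Review bot: The `changes` job still checks out `ref: development` (the context line above the `dorny/paths-filter` pin) while this commit moves the other checkouts in the file from `master` to `main` and the trigger is a push to `main`, so the path filter is evaluated against a branch other than the one that fired the workflow. If that is deliberate, a comment on the step saying why would help the next reader; otherwise change it to `ref: main` to match the `api` job in the following hunk. The `dorny/paths-filter` move from v2.2.0 to v3.0.2 is a major bump, so the `filters:` block, which continues outside the hunk, deserves one run to confirm the outputs are unchanged.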
@@ -41,21 +44,34 @@ jobs: pwd ls - - uses: elgohr/Publish-Docker-Github-Action@master + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + + - name: Login to Docker Hub + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v.3.1.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push amd64 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: - username: tattletech - password: ${{ secrets.DOCKER_PASSWORD }} - name: tattletech/feluda-server - tags: ${{ steps.vars.outputs.sha_short }} - workdir: src/api/ + context: "{{defaultContext}}:src/" + file: Dockerfile + platforms: linux/amd64 + push: true + tags: tattletech/feluda-server:${{ steps.vars.outputs.sha_short }} - name: deploy to cluster - uses: steebchen/kubectl@v2.0.0 + uses: steebchen/kubectl@7c4c70d551952e40881998b840e16d4d9824a54f # v2.1.1 with: # defaults to latest kubectl binary version config: ${{ secrets.PROD_KUBE_CONFIG_DATA }} command: set image --record deployment/feluda-server feluda-server=tattletech/feluda-server:${{ steps.vars.outputs.sha_short }} - name: verify deployment - uses: steebchen/kubectl@v2.0.0 + uses: steebchen/kubectl@7c4c70d551952e40881998b840e16d4d9824a54f # v2.1.1 with: config: ${{ secrets.PROD_KUBE_CONFIG_DATA }} version: v1.21.0 # specify kubectl binary version explicitly 
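Review bot: The new build step sets `context: "{{defaultContext}}:src/"` with `file: Dockerfile`, and `file` is resolved relative to the context, so the image is built from `src/Dockerfile`; the removed step used `workdir: src/api/`, which built `src/api/Dockerfile`. Unless the Dockerfile moved in this commit, the intended value is probably `file: api/Dockerfile` (or `context: "{{defaultContext}}:src/api/"`). The image is tagged with `${{ steps.vars.outputs.sha_short }}` from the `Declare some variables` step, which runs against the `ref: main` checkout while `{{defaultContext}}` fetches the branch separately at build time; these coincide today but could diverge if a commit lands between the two fetches, so computing the tag from `github.sha` would be more robust. The start of the `api` job's steps is outside the hunk.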
@@ -66,11 +82,11 @@ jobs: needs: changes if: ${{ needs.changes.outputs.docs == 'true' }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: master + ref: main - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -95,7 +111,7 @@ jobs: if: ${{ always() }} steps: - name: Notify on Slack - uses: rtCamp/action-slack-notify@v2.0.0 + uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # v2.2.1 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} SLACK_MESSAGE: "Deploy Feluda Production" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 66f474c4..542f4237 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,13 +32,13 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false ref: main - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@9e39a05578dd315aad814d3c71bd03472cc5b815 # v.3.24.7 with: sarif_file: results.sarif
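Review bot: The `docs` job upgrades `aws-actions/configure-aws-credentials` to v4.0.2 but keeps long-lived `aws-access-key-id`/`aws-secret-access-key` repository secrets; v4 supports `role-to-assume` with GitHub's OIDC provider, which would replace the static keys with short-lived credentials and needs only `id-token: write` added to this job's permissions (the workflow-level block is `contents: read`). The remainder of the `with:` block and the rest of the `docs` job continue outside the hunk.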