ci(deps): bump armakuni/github-actions #73

Workflow file for this run

.github/workflows/app-pipeline.yml at 6383fb3

	name: python-application-deployment

	env:
	AZURE_WEBAPP_NAME: python-postgres-azure
	PYTHON_VERSION: "3.13"

	on:
	push:
	branches: ["main"]
	paths:
	- "**"
	- "!infrastructure/bootstrap/**"
	- "!db/**"
	- "!.github/workflows/infra-pipeline.yml"
	- "!.github/workflows/app-pipeline-pr.yml"
	workflow_dispatch:

	permissions:
	contents: write
	id-token: write # This is required for requesting the JWT

	jobs:
	conventional-commit-check:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Conventional commit check
	uses: cocogitto/cocogitto-action@v3

	linting:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Set up Python version
	uses: actions/setup-python@v5.3.0
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "pip"

	- name: Install dependencies
	run: pip install black flake8

	- name: Check Formatting and linting
	run: black ./ --check && flake8

	static-code-analysis:
	runs-on: ubuntu-latest
	needs:
	- linting
	- conventional-commit-check
	steps:
	- uses: actions/checkout@v4

	- name: Set up Python version
	uses: actions/setup-python@v5.3.0
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "pip"

	- name: Install dependencies
	run: pip install bandit

	- name: SAST
	run: bandit -r ./rates -c .bandit.yaml

	dependency-vulnerability-analysis:
	runs-on: ubuntu-latest
	defaults:
	run:
	working-directory: rates
	needs:
	- linting
	- conventional-commit-check
	steps:
	- uses: actions/checkout@v4

	- name: Set up Python version
	uses: actions/setup-python@v5.3.0
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "pip"

	- name: Install dependencies
	run: pip install safety

	- name: Safety Check
	run: safety check --file requirements.txt.lock --full-report

	placeholder-unit-test:
	runs-on: ubuntu-latest
	needs:
	- linting
	- conventional-commit-check
	steps:
	- name: Placeholder for unit test
	run: \|
	echo "Implement Unit test and execute them here in the pipeline"

	bdd-test:
	runs-on: ubuntu-latest
	needs:
	- linting
	- conventional-commit-check
	steps:
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- uses: actions/checkout@v4

	- name: Set up Python version
	uses: actions/setup-python@v5.3.0
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "pip"

	- name: Run Behave BDD Tests
	run: \|
	make start-app-db
	pip install behave requests
	echo "**** Running behave tests ****"
	behave
	make stop-app-db

	docker-lint-build-scan-push:
	runs-on: ubuntu-latest
	needs:
	- static-code-analysis
	- dependency-vulnerability-analysis
	- placeholder-unit-test
	- bdd-test
	steps:
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: fetch-tags
	run: git fetch --tags origin
	shell: bash

	- name: Set up Python version
	uses: actions/setup-python@v5.3.0
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	cache: "pip"

	- name: Install Dependencies
	run: \|
	echo " Install Checkov "
	pip install checkov
	echo " Install Trivy "
	sudo apt-get install wget apt-transport-https gnupg lsb-release
	wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \| sudo apt-key add -
	echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main \| sudo tee -a /etc/apt/sources.list.d/trivy.list
	sudo apt-get update
	sudo apt-get install trivy

	- name: Dockerfile vulnerability Analysis
	run: \|
	checkov -d . --framework dockerfile --skip-check CKV_DOCKER_2

	- id: bump-version
	name: Bump to Next Semver Version
	uses: armakuni/github-actions/bump-version@v0.19.5

	- name: Build Docker Image
	run: \|
	echo "The next tag version is ::: ${{ steps.bump-version.outputs.current-version }}"
	echo "${{ steps.bump-version.outputs.current-version }}" > tag-version.txt
	docker build -t "${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ steps.bump-version.outputs.current-version }}" .
	echo "docker image built successfully"

	- name: Scan Docker Image Vulnerabilities
	run: \|
	trivy image "${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ steps.bump-version.outputs.current-version }}"

	- name: Login to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Push Docker Image
	run: \|
	docker tag "${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ steps.bump-version.outputs.current-version }}" "${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest"
	docker push "${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ steps.bump-version.outputs.current-version }}"
	docker push "${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest"

	- name: Upload Next Tag Version
	uses: actions/upload-artifact@v4
	with:
	name: tag-version
	path: tag-version.txt

	dev-deploy-to-az-container-apps:
	runs-on: ubuntu-latest
	needs:
	- docker-lint-build-scan-push
	defaults:
	run:
	working-directory: infrastructure/app-infra
	environment:
	name: approve-dev-deployment
	steps:
	- uses: actions/checkout@v4

	- name: Log in to Azure using OIDC
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZ_CLIENT_ID }}
	tenant-id: ${{ secrets.AZ_TENANT_ID }}
	subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}

	- uses: hashicorp/setup-terraform@v3
	with:
	terraform_version: 1.5.7

	- name: Terraform Init
	id: init
	run: terraform init -backend-config=./dev/backend-config.hcl
	env:
	ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
	ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
	ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
	ARM_USE_OIDC: true

	- name: Download Next Tag Version
	uses: actions/download-artifact@v4
	with:
	name: tag-version

	- name: Terraform Apply
	run: \|
	TAG_VERSION=$(cat ../../tag-version.txt)
	terraform apply --auto-approve -var-file=./dev/terraform.tfvars -var="registry_username=${{ secrets.DOCKERHUB_USERNAME }}" -var="registry_password=${{ secrets.DOCKERHUB_TOKEN }}" -var="image=${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:$TAG_VERSION"
	env:
	ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
	ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
	ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
	ARM_USE_OIDC: true

	placeholder-dev-e2e-test:
	runs-on: ubuntu-latest
	needs:
	- dev-deploy-to-az-container-apps
	steps:
	- name: Placeholder for e2e test
	run: \|
	echo "Implement e2e test and execute them here in the pipeline"

	placeholder-pre-deploy-to-az-container-apps:
	runs-on: ubuntu-latest
	needs:
	- placeholder-dev-e2e-test
	steps:
	- name: Download Next Tag Version
	uses: actions/download-artifact@v4
	with:
	name: tag-version
	- name: Placeholder pre-deploy-to-az-container-apps
	run: \|
	cat tag-version.txt
	echo "Implement pre-deploy-to-az-container-apps and execute them here in the pipeline"

	placeholder-pre-e2e-test:
	runs-on: ubuntu-latest
	needs:
	- placeholder-pre-deploy-to-az-container-apps
	steps:
	- name: Placeholder pre-deploy-to-az-container-apps
	run: \|
	echo "Implement pre-deploy-to-az-container-apps and execute them here in the pipeline"

	placeholder-pre-pen-test:
	runs-on: ubuntu-latest
	needs:
	- placeholder-pre-deploy-to-az-container-apps
	steps:
	- name: Placeholder for pen test
	run: \|
	echo "Implement pen test and execute them here in the pipeline"

	placeholder-pre-load-performance-test:
	runs-on: ubuntu-latest
	needs:
	- placeholder-pre-deploy-to-az-container-apps
	steps:
	- name: Placeholder pre-deploy-to-az-container-apps
	run: \|
	echo "Implement pre-deploy-to-az-container-apps and execute them here in the pipeline"

	placeholder-change-management-entry:
	runs-on: ubuntu-latest
	needs:
	- placeholder-pre-load-performance-test
	- placeholder-pre-pen-test
	- placeholder-pre-e2e-test
	steps:
	- name: Placeholder pre-deploy-to-az-container-apps
	run: \|
	echo "Implement pre-deploy-to-az-container-apps and execute them here in the pipeline"

	placeholder-prod-manual-approval:
	runs-on: ubuntu-latest
	needs:
	- placeholder-change-management-entry
	steps:
	- name: Download Next Tag Version
	uses: actions/download-artifact@v4
	with:
	name: tag-version
	- name: Placeholder pre-deploy-to-az-container-apps
	run: \|
	cat tag-version.txt
	echo "Implement pre-deploy-to-az-container-apps and execute them here in the pipeline"

	placeholder-prod-deploy-to-az-container-apps:
	runs-on: ubuntu-latest
	needs:
	- placeholder-prod-manual-approval
	steps:
	- name: Placeholder pre-deploy-to-az-container-apps
	run: \|
	echo "Implement pre-deploy-to-az-container-apps and execute them here in the pipeline"

	placeholder-prod-e2e-test:
	runs-on: ubuntu-latest
	needs:
	- placeholder-prod-deploy-to-az-container-apps
	steps:
	- name: Download Next Tag Version
	uses: actions/download-artifact@v4
	with:
	name: tag-version
	- name: Placeholder prod-deploy-to-az-container-apps
	run: \|
	cat tag-version.txt
	echo "Implement prod-deploy-to-az-container-apps and execute them here in the pipeline"

	create-release:
	needs:
	- placeholder-prod-deploy-to-az-container-apps
	if: github.ref == 'refs/heads/main'
	uses: armakuni/github-actions/.github/workflows/tag-and-release.yml@v0.19.5
	secrets: inherit
	with:
	download-artifacts: true

	placeholder-prod-pen-test:
	runs-on: ubuntu-latest
	needs:
	- placeholder-prod-deploy-to-az-container-apps
	steps:
	- name: Placeholder for pen test
	run: \|
	echo "Implement pen test and execute them here in the pipeline"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci(deps): bump armakuni/github-actions #73

Workflow file

ci(deps): bump armakuni/github-actions #73

Jobs

Run details

Workflow file for this run