Feat/add trivy #69
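# Push to BlockJoy
#
# Runs when a pull request is closed by merging. Flow:
#   detect-changes      -> which protocols/**/babel.yaml files changed (content / version)
#   check-protocols     -> every changed protocol_key exists in protocols/protocols.yaml
#   push-protocols-*    -> protocols.yaml pushed to Staging / Prod when it changed
#   push-dev            -> every content-changed image pushed to Dev (matrix)
#   push-staging/prod   -> every version-changed image pushed, staging creates a git tag
#   create-release      -> a GitHub release per version change (defined further down)
#
# Expression values (`${{ }}`) are handed to shell steps through `env:` rather
# than substituted into the script text, so file names, matrix values and
# command output are never interpreted as shell syntax.
name: Push to BlockJoy

on:
  pull_request:
    types: [closed]

# Default GITHUB_TOKEN scope for every job; jobs needing more declare it.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
  cancel-in-progress: false

jobs:
  detect-changes:
    runs-on: dev
    # A PR closed without merging is a no-op for the whole workflow.
    if: github.event.pull_request.merged == true
    permissions:
      contents: read
      # read-only, in case changed-files falls back to the PR API — TODO confirm
      pull-requests: read
    outputs:
      version_changes: ${{ steps.check-versions.outputs.version_changes }}
      content_changes: ${{ steps.check-content.outputs.content_changes }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # Full history: the steps below diff and `git show` against the base sha.
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45
        with:
          base_sha: ${{ github.event.pull_request.base.sha }}
          fetch_depth: 0
          files: |
            protocols/**/babel.yaml

      - name: Check content changes
        id: check-content
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # One JSON object per changed babel.yaml: {"image_path": <dir>, "protocol": <dir basename>}
          declare -a CONTENT_CHANGES=()
          # Space-separated list (as in the original); paths containing whitespace are not supported.
          for file in $ALL_CHANGED_FILES; do
            if [[ "$file" == *"babel.yaml" ]]; then
              echo "Processing $file for content changes"
              DIR=$(dirname "$file")
              PROTOCOL=$(basename "$DIR")
              # Check if file content has changed
              if ! git diff --quiet "$BASE_SHA" HEAD -- "$file"; then
                echo "Content changed in $file"
                # jq --arg escapes the values, so quotes in a path cannot break the JSON.
                CONTENT_CHANGES+=("$(jq -cn --arg image_path "$DIR" --arg protocol "$PROTOCOL" \
                  '{image_path: $image_path, protocol: $protocol}')")
              fi
            fi
          done
          # Create content changes array using jq for proper JSON handling
          if [ ${#CONTENT_CHANGES[@]} -gt 0 ]; then
            echo "content_changes=$(printf '%s\n' "${CONTENT_CHANGES[@]}" | jq -sc '.')" >> "$GITHUB_OUTPUT"
          else
            echo "content_changes=[]" >> "$GITHUB_OUTPUT"
          fi

      - name: Check version changes
        id: check-versions
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # One JSON object per babel.yaml whose `.version` differs from the base branch:
          # {"protocol": <dir basename>, "babel_yaml": <path>, "version": <current .version>}
          # "version" is included because the create-release job reads `.version`
          # from these entries.
          declare -a CHANGED_BABEL=()
          for file in $ALL_CHANGED_FILES; do
            if [[ "$file" == *"babel.yaml" ]]; then
              echo "Processing $file for version changes"
              # Compare version key between current and base
              CURRENT_VERSION=$(yq e '.version' "$file")
              # A babel.yaml added in this PR has no base-side copy; `git show` would
              # fail the step under errexit, so treat "absent" as a version change.
              if git cat-file -e "$BASE_SHA:$file" 2>/dev/null; then
                PREV_VERSION=$(git show "$BASE_SHA:$file" | yq e '.version' -)
              else
                PREV_VERSION=""
              fi
              if [ "$CURRENT_VERSION" != "$PREV_VERSION" ]; then
                echo "Version changed in $file: $PREV_VERSION -> $CURRENT_VERSION"
                DIR=$(dirname "$file")
                PROTOCOL=$(basename "$DIR")
                CHANGED_BABEL+=("$(jq -cn --arg protocol "$PROTOCOL" --arg babel_yaml "$file" \
                  --arg version "$CURRENT_VERSION" \
                  '{protocol: $protocol, babel_yaml: $babel_yaml, version: $version}')")
              fi
            fi
          done
          # Assemble with `jq -s` exactly like check-content: joining with "${ARR[*]}"
          # produced space-separated objects, which is not valid JSON once more than
          # one file changes.
          if [ ${#CHANGED_BABEL[@]} -gt 0 ]; then
            BABEL_ARRAY=$(printf '%s\n' "${CHANGED_BABEL[@]}" | jq -sc '.')
            echo "DEBUG: Babel files with version changes:"
            echo "$BABEL_ARRAY" | jq '.'
            echo "version_changes=$BABEL_ARRAY" >> "$GITHUB_OUTPUT"
          else
            echo "DEBUG: No version changes detected in babel files"
            echo "version_changes=[]" >> "$GITHUB_OUTPUT"
          fi

  check-protocols:
    needs: [detect-changes]
    if: fromJson(needs.detect-changes.outputs.content_changes)[0]
    runs-on: dev
    outputs:
      protocols_changed: ${{ steps.check-protocol.outputs.protocols_changed }}
    # This job only reads the checkout and runs yq / git diff; it writes no packages.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # The base/head `git diff` below needs both commits locally; with a
          # depth-1 checkout it errors and the step reports "unchanged".
          fetch-depth: 0

      - name: Check protocol keys in protocols.yaml
        id: check-protocol
        env:
          CHANGED_PROTOCOLS: ${{ needs.detect-changes.outputs.content_changes }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Process substitution keeps the loop in the main shell, so `exit 1`
          # ends the step rather than only a pipeline subshell.
          while read -r IMAGE_PATH; do
            echo "Checking protocol in $IMAGE_PATH"
            # Get protocol key from babel.yaml
            PROTOCOL_KEY=$(yq e '.protocol_key' "$IMAGE_PATH/babel.yaml")
            echo "Checking for protocol key: $PROTOCOL_KEY"
            # `select()` emits nothing and exits 0 when there is no match, so the
            # output must be inspected, not the exit code. strenv() keeps the key
            # value out of the expression text.
            MATCH=$(PROTOCOL_KEY="$PROTOCOL_KEY" \
              yq e '.[] | select(.key == strenv(PROTOCOL_KEY)) | .key' protocols/protocols.yaml)
            if [ -z "$MATCH" ]; then
              echo " Protocol key '$PROTOCOL_KEY' not found in protocols/protocols.yaml"
              exit 1
            fi
          done < <(echo "$CHANGED_PROTOCOLS" | jq -r '.[] | .image_path')
          # Check if protocols.yaml has changed
          if git diff --name-only "$BASE_SHA" "$HEAD_SHA" | grep -q "^protocols/protocols.yaml$"; then
            echo "protocols/protocols.yaml has changed, will push protocol updates"
            echo "protocols_changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "protocols/protocols.yaml unchanged"
            echo "protocols_changed=false" >> "$GITHUB_OUTPUT"
          fi

  push-protocols-staging:
    environment: Staging
    needs: [detect-changes, check-protocols]
    if: needs.check-protocols.outputs.protocols_changed == 'true'
    runs-on: dev
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Setup NIB auth
        env:
          NIB_AUTH: ${{ secrets.NIB_AUTH }}
        run: |
          # Written from env so a quote inside the secret cannot break the
          # script; 0600 because `dev` is not a hosted runner label and the
          # home directory is shared with other jobs.
          printf '%s\n' "$NIB_AUTH" > ~/.nib.json
          chmod 600 ~/.nib.json

      - name: Push protocols to staging
        run: |
          echo "Pushing protocol updates to staging"
          nib protocol push --path protocols/protocols.yaml

      - name: Remove NIB auth
        if: always()
        run: rm -f ~/.nib.json

  push-protocols-prod:
    environment: Prod
    needs: [detect-changes, check-protocols]
    if: needs.check-protocols.outputs.protocols_changed == 'true'
    runs-on: dev
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Setup NIB auth
        env:
          NIB_AUTH: ${{ secrets.NIB_AUTH }}
        run: |
          printf '%s\n' "$NIB_AUTH" > ~/.nib.json
          chmod 600 ~/.nib.json

      - name: Push protocols to production
        run: |
          echo "Pushing protocol updates to production"
          nib protocol push --path protocols/protocols.yaml

      - name: Remove NIB auth
        if: always()
        run: rm -f ~/.nib.json

  push-dev:
    environment: Dev
    needs: [detect-changes]
    if: fromJson(needs.detect-changes.outputs.content_changes)[0]
    runs-on: dev
    permissions:
      contents: read
      # kept from the original; drop if `nib` does not use GITHUB_TOKEN — TODO confirm
      packages: write
      pull-requests: write
    strategy:
      matrix:
        include: ${{ fromJson(needs.detect-changes.outputs.content_changes) }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0

      - name: Setup NIB auth
        env:
          NIB_AUTH: ${{ secrets.NIB_AUTH }}
        run: |
          printf '%s\n' "$NIB_AUTH" > ~/.nib.json
          chmod 600 ~/.nib.json

      # No `gh auth login` step: the `gh` step below receives GH_TOKEN via env,
      # and `gh auth login` would persist the token in the runner's gh config.
      - name: Push to dev environment
        id: push-dev
        env:
          PROTOCOL_NAME: ${{ matrix.protocol }}
          IMAGE_PATH: ${{ matrix.image_path }}
        run: |
          echo "Pushing $PROTOCOL_NAME to dev environment"
          OUTPUT=$(nib image push --path "$IMAGE_PATH/babel.yaml")
          echo "$OUTPUT"
          # Extract image ID from output. `|| true` because under errexit+pipefail
          # a non-matching grep would otherwise fail the step instead of leaving
          # IMAGE_ID empty (which the guard below and the comment step expect).
          IMAGE_ID=$(echo "$OUTPUT" | grep "^Image '" | cut -d"'" -f2 || true)
          if [ -n "$IMAGE_ID" ]; then
            # Split image ID into components: protocol/variant/version/buildnum
            IFS='/' read -r PROTOCOL VARIANT VERSION BUILDNUM <<< "$IMAGE_ID"
            {
              echo "protocol=$PROTOCOL"
              echo "variant=$VARIANT"
              echo "version=$VERSION"
              echo "buildnum=$BUILDNUM"
            } >> "$GITHUB_OUTPUT"
          fi

      - name: Comment on PR (Dev)
        if: steps.push-dev.outputs.protocol != ''
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PROTOCOL: ${{ steps.push-dev.outputs.protocol }}
          VARIANT: ${{ steps.push-dev.outputs.variant }}
          VERSION: ${{ steps.push-dev.outputs.version }}
          BUILDNUM: ${{ steps.push-dev.outputs.buildnum }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Capitalize first letter of protocol (`\u` is a GNU sed extension)
          PROTOCOL=$(echo "$PROTOCOL" | sed 's/\b\(.\)/\u\1/')
          COMMENT="${PROTOCOL}: $VARIANT version $VERSION and build number $BUILDNUM has been pushed to the Dev API."
          gh pr comment "$PR_NUMBER" --body "$COMMENT"

      - name: Remove NIB auth
        if: always()
        run: rm -f ~/.nib.json

  push-staging:
    environment: Staging
    needs: [detect-changes, push-dev, check-protocols]
    if: fromJson(needs.detect-changes.outputs.version_changes)[0]
    runs-on: dev
    permissions:
      # write: this job pushes a git tag
      contents: write
      # kept from the original; drop if `nib` does not use GITHUB_TOKEN — TODO confirm
      packages: write
      pull-requests: write
    strategy:
      matrix:
        include: ${{ fromJson(needs.detect-changes.outputs.version_changes) }}
    steps:
      - name: Debug matrix
        env:
          MATRIX_JSON: ${{ toJSON(matrix) }}
        run: |
          echo "DEBUG: Matrix context:"
          echo "$MATRIX_JSON" | jq '.'

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0

      - name: Setup NIB auth
        env:
          NIB_AUTH: ${{ secrets.NIB_AUTH }}
        run: |
          printf '%s\n' "$NIB_AUTH" > ~/.nib.json
          chmod 600 ~/.nib.json

      - name: Push to staging environment
        id: push-staging
        env:
          PROTOCOL_NAME: ${{ matrix.protocol }}
          BABEL_YAML: ${{ matrix.babel_yaml }}
        run: |
          echo "Pushing $PROTOCOL_NAME to staging environment"
          OUTPUT=$(nib image push --path "$BABEL_YAML")
          echo "$OUTPUT"
          # Extract image ID from output (see push-dev for why `|| true`)
          IMAGE_ID=$(echo "$OUTPUT" | grep "^Image '" | cut -d"'" -f2 || true)
          if [ -n "$IMAGE_ID" ]; then
            # Split image ID into components: protocol/variant/version/buildnum
            IFS='/' read -r PROTOCOL VARIANT VERSION BUILDNUM <<< "$IMAGE_ID"
            {
              echo "protocol=$PROTOCOL"
              echo "variant=$VARIANT"
              echo "version=$VERSION"
              echo "buildnum=$BUILDNUM"
            } >> "$GITHUB_OUTPUT"
          fi

      - name: Create version tag
        # Same guard as the comment step: without outputs the tag would be "/v".
        if: steps.push-staging.outputs.protocol != ''
        env:
          TAG: ${{ steps.push-staging.outputs.protocol }}/v${{ steps.push-staging.outputs.version }}
        run: |
          echo "Creating tag $TAG"
          # Lightweight tag; pushed with the credentials actions/checkout left in .git/config.
          git tag "$TAG"
          git push origin "$TAG"

      - name: Comment on PR (Staging)
        if: steps.push-staging.outputs.protocol != ''
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PROTOCOL: ${{ steps.push-staging.outputs.protocol }}
          VARIANT: ${{ steps.push-staging.outputs.variant }}
          VERSION: ${{ steps.push-staging.outputs.version }}
          BUILDNUM: ${{ steps.push-staging.outputs.buildnum }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Capitalize first letter of protocol (`\u` is a GNU sed extension)
          PROTOCOL=$(echo "$PROTOCOL" | sed 's/\b\(.\)/\u\1/')
          COMMENT="${PROTOCOL}: $VARIANT version $VERSION and build number $BUILDNUM has been pushed to the Staging API."
          gh pr comment "$PR_NUMBER" --body "$COMMENT"

      - name: Remove NIB auth
        if: always()
        run: rm -f ~/.nib.json

  push-prod:
    environment: Prod
    needs: [detect-changes, push-staging, check-protocols]
    if: fromJson(needs.detect-changes.outputs.version_changes)[0]
    runs-on: dev
    permissions:
      contents: read
      # kept from the original; drop if `nib` does not use GITHUB_TOKEN — TODO confirm
      packages: write
      pull-requests: write
    strategy:
      matrix:
        include: ${{ fromJson(needs.detect-changes.outputs.version_changes) }}
    steps:
      - name: Debug matrix
        env:
          MATRIX_JSON: ${{ toJSON(matrix) }}
        run: |
          echo "DEBUG: Matrix context:"
          echo "$MATRIX_JSON" | jq '.'

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0

      - name: Setup NIB auth
        env:
          NIB_AUTH: ${{ secrets.NIB_AUTH }}
        run: |
          printf '%s\n' "$NIB_AUTH" > ~/.nib.json
          chmod 600 ~/.nib.json

      - name: Push to production environment
        id: push-prod
        env:
          PROTOCOL_NAME: ${{ matrix.protocol }}
          BABEL_YAML: ${{ matrix.babel_yaml }}
        run: |
          echo "Pushing $PROTOCOL_NAME to production environment"
          OUTPUT=$(nib image push --path "$BABEL_YAML")
          echo "$OUTPUT"
          # Extract image ID from output (see push-dev for why `|| true`)
          IMAGE_ID=$(echo "$OUTPUT" | grep "^Image '" | cut -d"'" -f2 || true)
          if [ -n "$IMAGE_ID" ]; then
            # Split image ID into components: protocol/variant/version/buildnum
            IFS='/' read -r PROTOCOL VARIANT VERSION BUILDNUM <<< "$IMAGE_ID"
            {
              echo "protocol=$PROTOCOL"
              echo "variant=$VARIANT"
              echo "version=$VERSION"
              echo "buildnum=$BUILDNUM"
            } >> "$GITHUB_OUTPUT"
          fi

      - name: Comment on PR (Prod)
        if: steps.push-prod.outputs.protocol != ''
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PROTOCOL: ${{ steps.push-prod.outputs.protocol }}
          VARIANT: ${{ steps.push-prod.outputs.variant }}
          VERSION: ${{ steps.push-prod.outputs.version }}
          BUILDNUM: ${{ steps.push-prod.outputs.buildnum }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Capitalize first letter of protocol (`\u` is a GNU sed extension)
          PROTOCOL=$(echo "$PROTOCOL" | sed 's/\b\(.\)/\u\1/')
          COMMENT="${PROTOCOL}: $VARIANT version $VERSION and build number $BUILDNUM has been pushed to the Production API."
          gh pr comment "$PR_NUMBER" --body "$COMMENT"

      - name: Remove NIB auth
        if: always()
        run: rm -f ~/.nib.json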
create-release: | |
needs: [detect-changes, push-prod] | |
runs-on: dev | |
if: success() | |
permissions: | |
contents: write | |
steps: | |
- name: Create Release | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
# Parse version_changes JSON array | |
VERSION_CHANGES='${{ needs.detect-changes.outputs.version_changes }}' | |
echo "Creating releases for changes: $VERSION_CHANGES" | |
# Process each protocol version | |
echo "$VERSION_CHANGES" | jq -c '.[]' | while read -r change; do | |
PROTOCOL=$(echo $change | jq -r '.protocol') | |
VERSION=$(echo $change | jq -r '.version') | |
TAG="$PROTOCOL/v$VERSION" | |
echo "Creating release for $TAG" | |
gh release create "$TAG" \ | |
--title "$PROTOCOL version $VERSION" \ | |
--notes "Release of $PROTOCOL version $VERSION" \ | |
--target ${{ github.event.pull_request.merge_commit_sha }} |