Walter CI #2276
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This file is maintained by Walter CI, and may be rewritten. | |
# https://github.com/piotr-yuxuan/walter-ci | |
# | |
# You are free to remove this project from Walter CI realm by opening | |
# a PR. You may also create another workflow besides this one. | |
name: Walter CI | |
'on': | |
repository_dispatch: null | |
workflow_dispatch: | |
inputs: | |
walter-version: | |
description: Walter bin version | |
required: false | |
type: string | |
push: | |
branches: '**' | |
schedule: | |
- cron: 28 6,18 * * * | |
concurrency: | |
group: walter-ci | |
cancel-in-progress: true | |
env: | |
GIT_ASKPASS: ${HOME}/.walter-ci/bin/askpass.sh | |
GIT_AUTHOR_EMAIL: ${{ secrets.WALTER_GIT_EMAIL }} | |
GIT_AUTHOR_NAME: ${{ secrets.WALTER_AUTHOR_NAME }} | |
GIT_COMMITTER_EMAIL: ${{ secrets.WALTER_GIT_EMAIL }} | |
GIT_COMMITTER_NAME: ${{ secrets.WALTER_AUTHOR_NAME }} | |
GIT_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
WALTER_VERSION: ${{ github.event.inputs.walter-version }} | |
jobs: | |
security-sarif-clojure: | |
runs-on: ubuntu-latest | |
name: 'Security: clojure,clj-holmes' | |
steps: | |
- uses: actions/checkout@main | |
- uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb | |
with: | |
output-type: sarif | |
output-file: clj-holmes.sarif | |
fail-on-result: 'false' | |
- run: cat clj-holmes.sarif | |
- name: Upload analysis results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: clj-holmes.sarif | |
wait-for-processing: true | |
security-policy: | |
runs-on: ubuntu-latest | |
name: 'Security: policy' | |
needs: | |
- security-nvd | |
- security-sarif-clojure | |
- security-sarif-terraform | |
- security-sarif-trivy | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: |- | |
walter security-policy \ | |
--current-version $(awk '{$1=$1};1' < ./resources/*.version) \ | |
--current-commit $(git rev-parse HEAD) | |
- run: git add . | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Security policy for version $(awk '{$1=$1};1' < ./resources/*.version)" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
security-nvd: | |
runs-on: ubuntu-latest | |
name: 'Security: clojure,nvd' | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/cache@8f1e2e02865c42348f9baddbbaafb1841dce610a | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-nvd-${{ hashFiles('**/project.clj') }} | |
restore-keys: ${{ runner.os }}-maven- | |
- run: git rm "./doc/Known vulnerabilities.txt" | |
continue-on-error: true | |
- run: clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd | |
- run: clojure -Tnvd nvd.task/check :classpath '"'"$(lein with-profile -user,-dev classpath)"'"' | |
continue-on-error: true | |
- run: bb "$HOME/.walter-ci/cut-nvd.clj" ./target/nvd/dependency-check-report.csv | |
continue-on-error: true | |
- run: cp ./target/nvd/dependency-check-report.csv ./doc/known-vulnerabilities.csv | |
- run: git add ./doc/known-vulnerabilities.csv | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Update known vulnerabilities" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
clj-kondo: | |
runs-on: ubuntu-latest | |
name: clj-kondo, a linter for Clojure | |
steps: | |
- uses: actions/checkout@main | |
- uses: DeLaGuardo/setup-clj-kondo@afc83dbbf4e7e32e04649e29dbf30668d30e9e3e | |
with: | |
version: 2022.04.08 | |
- run: clj-kondo --lint src --config '{:output {:pattern "::warning file={{filename}},line={{row}},col={{col}}::{{message}}"}}' | |
continue-on-error: true | |
conform-repository: | |
runs-on: ubuntu-latest | |
name: Conform GitHub repository | |
env: | |
WALTER_ACTOR: ${{ secrets.WALTER_ACTOR }} | |
WALTER_GITHUB_PASSWORD: ${{ secrets.WALTER_GITHUB_PASSWORD }} | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: walter conform-repository | |
- run: git add .github/CODEOWNERS.yml | |
continue-on-error: true | |
- run: git add .github/FUNDING.yml | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Conform repository" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
update-gitignore: | |
runs-on: ubuntu-latest | |
name: Update .gitignore | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: walter update-git-ignore | |
- run: git add .gitignore | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Update .gitignore" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
detect-secrets: | |
runs-on: ubuntu-latest | |
name: 'Security: secrets' | |
steps: | |
- uses: actions/checkout@main | |
- uses: reviewdog/action-detect-secrets@c29dcff1bd0ac2e4ea528311abac6fdd2d8bb13a | |
with: | |
github_token: ${{ secrets.github_token }} | |
fail_on_error: false | |
security-sarif-terraform: | |
runs-on: ubuntu-latest | |
name: 'Security: tfsec' | |
steps: | |
- uses: actions/checkout@main | |
- uses: aquasecurity/tfsec-sarif-action@9b703869c5108700605056134506e274ef6e9bd3 | |
with: | |
sarif_file: tfsec.sarif | |
- run: cat tfsec.sarif | |
- name: Upload analysis results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: tfsec.sarif | |
wait-for-processing: true | |
list-licenses: | |
runs-on: ubuntu-latest | |
name: List dependency licenses | |
steps: | |
- run: git rm "./doc/Licenses.csv" | |
continue-on-error: true | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: lein with-profile uberjar licenses :csv > ./doc/licences.csv | |
- run: sort -o ./doc/licences.csv{,} | |
continue-on-error: true | |
- run: awk -i inplace 'BEGINFILE{print "Library name,Version,License name"}{print}' ./doc/licences.csv | |
- run: git add ./doc/licences.csv | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "List dependency licences" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
ns-sort: | |
runs-on: ubuntu-latest | |
name: Sort namespace forms | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: lein help | |
- run: lein ns-sort | |
- run: git add . | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Sort namespace forms" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
idiomatic-code: | |
runs-on: ubuntu-latest | |
name: Idiomatic code | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: clojure -M:lint/idiom -- --replace | |
- run: git add . | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "More idiomatic code" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
security-sarif-trivy: | |
runs-on: ubuntu-latest | |
name: 'Security: general,clojure' | |
env: | |
TRIVY_CACHE_DIR: ${HOME}/.trivy-cache-dir | |
needs: [] | |
permissions: | |
security-events: write | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: lein uberjar | |
- run: lein with-profile uberjar pom | |
- uses: aquasecurity/trivy-action@master | |
continue-on-error: true | |
with: | |
scan-type: fs | |
scan-ref: . | |
cache-dir: ${TRIVY_CACHE_DIR} | |
security-checks: vuln,config | |
output: trivy-results.sarif | |
ignore-unfixed: false | |
format: sarif | |
- run: cat trivy-results.sarif | |
- name: Upload analysis results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: trivy-results.sarif | |
wait-for-processing: true | |
update-dependencies: | |
runs-on: ubuntu-latest | |
name: Update dependency versions | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- run: lein ancient upgrade :no-tests :all :recursive :check-clojure :allow-qualified | |
- run: lein with-profile +walter/kaocha,+kaocha run -m kaocha.runner --skip-meta :slow --skip-meta :perf | |
- run: git add . | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Update dependency versions" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase | |
code-coverage: | |
runs-on: ubuntu-latest | |
name: Code coverage | |
steps: | |
- uses: piotr-yuxuan/walter-ci@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/cache@8f1e2e02865c42348f9baddbbaafb1841dce610a | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-perf-${{ hashFiles('**/project.clj') }} | |
restore-keys: ${{ runner.os }}-maven- | |
- run: git rm ./doc/code-coverage/ | |
continue-on-error: true | |
- run: lein with-profile +walter/kaocha,+kaocha run -m kaocha.runner --plugin cloverage --cov-output ./doc/code-coverage --skip-meta :slow --skip-meta :perf --cov-text --cov-html | |
- run: git add ./doc/code-coverage/**.{txt,css,html} | |
continue-on-error: true | |
- run: git diff --staged --exit-code | |
continue-on-error: true | |
id: diff | |
- run: git commit --message "Update code coverage" | |
if: steps.diff.outcome == 'failure' | |
- name: git push | |
run: walter retry | |
if: steps.diff.outcome == 'failure' | |
env: | |
WALTER_TRY: git push | |
WALTER_BEFORE_RETRY: git pull --rebase |