From 5a85d06571050565ca5cc61d1357a083f96d544b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=BE=E3=81=A3=E3=81=A1=E3=82=83=E3=81=A8=E3=83=BC?= =?UTF-8?q?=E3=81=AB=E3=82=85?= <17376330+u1-liquid@users.noreply.github.com> Date: Thu, 9 Nov 2023 02:43:24 +0900 Subject: [PATCH] =?UTF-8?q?misc(GitHub=20Actions):=20io=E3=81=AB=E4=B8=8D?= =?UTF-8?q?=E8=A6=81=E3=81=AAGitHub=20Actions=E3=81=AEWorkflow=E3=83=95?= =?UTF-8?q?=E3=82=A1=E3=82=A4=E3=83=AB=E3=82=92=E5=89=8A=E9=99=A4=20(Missk?= =?UTF-8?q?eyIO#225)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Dockle 公式のactionを使うように Co-authored-by: riku6460 <17585784+riku6460@users.noreply.github.com> --- .github/workflows/docker-develop.yml | 43 ----------- .github/workflows/docker.yml | 49 ------------- .github/workflows/dockle.yml | 36 +++++----- .github/workflows/ok-to-test.yml | 36 ---------- .github/workflows/pr-preview-deploy.yml | 92 ------------------------ .github/workflows/pr-preview-destroy.yml | 54 -------------- 6 files changed, 19 insertions(+), 291 deletions(-) delete mode 100644 .github/workflows/docker-develop.yml delete mode 100644 .github/workflows/docker.yml delete mode 100644 .github/workflows/ok-to-test.yml delete mode 100644 .github/workflows/pr-preview-deploy.yml delete mode 100644 .github/workflows/pr-preview-destroy.yml diff --git a/.github/workflows/docker-develop.yml b/.github/workflows/docker-develop.yml deleted file mode 100644 index 09a2c33e0c..0000000000 --- a/.github/workflows/docker-develop.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Publish Docker image (develop) - -on: - push: - branches: - - develop - workflow_dispatch: - -jobs: - push_to_registry: - name: Push Docker image to Docker Hub - runs-on: ubuntu-latest - if: github.repository == 'misskey-dev/misskey' - steps: - - name: Check out the repo - uses: actions/checkout@v3.3.0 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v2.3.0 - with: - platforms: linux/amd64,linux/arm64 - - name: Docker meta - id: meta - uses: docker/metadata-action@v4 - with: - images: misskey/misskey - - name: Log in to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Build and Push to Docker Hub - uses: docker/build-push-action@v4 - with: - builder: ${{ steps.buildx.outputs.name }} - context: . - push: true - platforms: ${{ steps.buildx.outputs.platforms }} - provenance: false - tags: misskey/misskey:develop - labels: develop - cache-from: type=gha - cache-to: type=gha,mode=max diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml deleted file mode 100644 index a465d92eaf..0000000000 --- a/.github/workflows/docker.yml +++ /dev/null @@ -1,49 +0,0 @@ -name: Publish Docker image - -on: - release: - types: [published] - workflow_dispatch: - -jobs: - push_to_registry: - name: Push Docker image to Docker Hub - runs-on: ubuntu-latest - - steps: - - name: Check out the repo - uses: actions/checkout@v3.3.0 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v2.3.0 - with: - platforms: linux/amd64,linux/arm64 - - name: Docker meta - id: meta - uses: docker/metadata-action@v4 - with: - images: misskey/misskey - tags: | - type=edge - type=ref,event=pr - type=ref,event=branch - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - - name: Log in to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Build and Push to Docker Hub - uses: docker/build-push-action@v4 - with: - builder: ${{ steps.buildx.outputs.name }} - context: . - push: true - platforms: ${{ steps.buildx.outputs.platforms }} - provenance: false - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max diff --git a/.github/workflows/dockle.yml b/.github/workflows/dockle.yml index 9b79ee54f0..292e68be13 100644 --- a/.github/workflows/dockle.yml +++ b/.github/workflows/dockle.yml @@ -1,4 +1,3 @@ ---- name: Dockle on: @@ -11,20 +10,23 @@ on: jobs: dockle: runs-on: ubuntu-latest - env: - DOCKER_CONTENT_TRUST: 1 steps: - - uses: actions/checkout@v3.2.0 - - run: | - curl -L -o dockle.deb "https://github.com/goodwithtech/dockle/releases/download/v0.4.10/dockle_0.4.10_Linux-64bit.deb" - sudo dpkg -i dockle.deb - - run: | - cp .config/docker_example.env .config/docker.env - cp ./docker-compose.yml.example ./docker-compose.yml - - run: | - docker compose up -d web - docker tag "$(docker compose images web | awk 'OFS=":" {print $4}' | tail -n +2)" misskey-web:latest - - run: | - cmd="dockle --exit-code 1 misskey-web:latest ${image_name}" - echo "> ${cmd}" - eval "${cmd}" + - name: Checkout code + uses: actions/checkout@v3 + - name: Build an image from Dockerfile + uses: docker/build-push-action@v4 + with: + context: . + push: false + provenance: false + cache-from: type=registry,ref=ghcr.io/misskeyio/misskey:io-buildcache + tags: | + misskey:scan + - name: Run dockle + uses: goodwithtech/dockle-action@main + with: + image: 'misskey:scan' + format: 'list' + exit-code: '1' + exit-level: 'warn' + ignore: 'CIS-DI-0005,CIS-DI-0010' diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml deleted file mode 100644 index 87af3a6ba6..0000000000 --- a/.github/workflows/ok-to-test.yml +++ /dev/null @@ -1,36 +0,0 @@ -# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event -name: Ok To Test - -on: - issue_comment: - types: [created] - -jobs: - ok-to-test: - runs-on: ubuntu-latest - # Only run for PRs, not issue comments - if: ${{ github.event.issue.pull_request }} - steps: - # Generate a GitHub App installation access token from an App ID and private key - # To create a new GitHub App: - # https://developer.github.com/apps/building-github-apps/creating-a-github-app/ - # See app.yml for an example app manifest - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1 - with: - app_id: ${{ secrets.DEPLOYBOT_APP_ID }} - private_key: ${{ secrets.DEPLOYBOT_PRIVATE_KEY }} - - - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@v1 - env: - TOKEN: ${{ steps.generate_token.outputs.token }} - with: - token: ${{ env.TOKEN }} # GitHub App installation access token - # token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # PAT or OAuth token will also work - reaction-token: ${{ secrets.GITHUB_TOKEN }} - issue-type: pull-request - commands: deploy - named-args: true - permission: write diff --git a/.github/workflows/pr-preview-deploy.yml b/.github/workflows/pr-preview-deploy.yml deleted file mode 100644 index 9b786d34aa..0000000000 --- a/.github/workflows/pr-preview-deploy.yml +++ /dev/null @@ -1,92 +0,0 @@ -# Run secret-dependent integration tests only after /deploy approval -on: - repository_dispatch: - types: [deploy-command] - -name: Deploy preview environment - -jobs: - # Repo owner has commented /deploy on a (fork-based) pull request - deploy-preview-environment: - runs-on: ubuntu-latest - if: - github.event.client_payload.slash_command.sha != '' && - contains(github.event.client_payload.pull_request.head.sha, github.event.client_payload.slash_command.sha) - steps: - - uses: actions/github-script@v6.3.3 - id: check-id - env: - number: ${{ github.event.client_payload.pull_request.number }} - job: ${{ github.job }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - result-encoding: string - script: | - const { data: pull } = await github.rest.pulls.get({ - ...context.repo, - pull_number: process.env.number - }); - const ref = pull.head.sha; - - const { data: checks } = await github.rest.checks.listForRef({ - ...context.repo, - ref - }); - - const check = checks.check_runs.filter(c => c.name === process.env.job); - - return check[0].id; - - - uses: actions/github-script@v6.3.3 - env: - check_id: ${{ steps.check-id.outputs.result }} - details_url: ${{ github.server_url }}/${{ github.repository }}/runs/${{ github.run_id }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - await github.rest.checks.update({ - ...context.repo, - check_run_id: process.env.check_id, - status: 'in_progress', - details_url: process.env.details_url - }); - - # Check out merge commit - - name: Fork based /deploy checkout - uses: actions/checkout@v3.3.0 - with: - ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge' - - # - - name: Context - uses: okteto/context@latest - with: - token: ${{ secrets.OKTETO_TOKEN }} - - - name: Deploy preview environment - uses: ikuradon/deploy-preview@latest - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - name: pr-${{ github.event.client_payload.pull_request.number }}-syuilo - timeout: 15m - - # Update check run called "integration-fork" - - uses: actions/github-script@v6.3.3 - id: update-check-run - if: ${{ always() }} - env: - # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run - conclusion: ${{ job.status }} - check_id: ${{ steps.check-id.outputs.result }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const { data: result } = await github.rest.checks.update({ - ...context.repo, - check_run_id: process.env.check_id, - status: 'completed', - conclusion: process.env.conclusion - }); - - return result; diff --git a/.github/workflows/pr-preview-destroy.yml b/.github/workflows/pr-preview-destroy.yml deleted file mode 100644 index 8adfad9dab..0000000000 --- a/.github/workflows/pr-preview-destroy.yml +++ /dev/null @@ -1,54 +0,0 @@ -# file: .github/workflows/preview-closed.yaml -on: - pull_request: - types: - - closed - -name: Destroy preview environment - -jobs: - destroy-preview-environment: - runs-on: ubuntu-latest - steps: - - uses: actions/github-script@v6.3.3 - id: check-conclusion - env: - number: ${{ github.event.number }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - result-encoding: string - script: | - const { data: pull } = await github.rest.pulls.get({ - ...context.repo, - pull_number: process.env.number - }); - const ref = pull.head.sha; - - const { data: checks } = await github.rest.checks.listForRef({ - ...context.repo, - ref - }); - - const check = checks.check_runs.filter(c => c.name === 'deploy-preview-environment'); - - if (check.length === 0) { - return; - } - - const { data: result } = await github.rest.checks.get({ - ...context.repo, - check_run_id: check[0].id, - }); - - return result.conclusion; - - name: Context - if: steps.check-conclusion.outputs.result == 'success' - uses: okteto/context@latest - with: - token: ${{ secrets.OKTETO_TOKEN }} - - - name: Destroy preview environment - if: steps.check-conclusion.outputs.result == 'success' - uses: okteto/destroy-preview@latest - with: - name: pr-${{ github.event.number }}-syuilo