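---
# This file governs the main CI workflow.
# It is the only workflow triggered on push and pull requests, and it drives
# the rest of CI as follows:
# 1. Lint the code, aborting the workflow if there are linting errors.
# 2. Determine which files have changed and set job outputs accordingly.
# 3. Conditionally run the other workflows based on the changed files:
#    * stackhpc.yml
#    * extra.yml
#    * trivyscan.yml
name: Test on push and pull request

# Least privilege for the GITHUB_TOKEN: the workflow-level grant is read-only.
# The write scopes (actions, packages, statuses, id-token) are granted per job,
# and only on the jobs that call the reusable workflows. The 'files_changed'
# job, which runs third-party actions and a shell step on pull_request data,
# therefore never holds a token that can publish packages, set statuses or
# mint OIDC tokens. A called reusable workflow can use at most the permissions
# of the calling job, so granting the previous set on those jobs preserves
# their behaviour.
permissions:
  contents: read

on:
  push:
    branches:
      - main
  pull_request:

concurrency:
  # NOTE(review): github.head_ref is only set for pull_request events; on push
  # it is empty, so all pushes to main share one group and a new push cancels
  # the previous in-progress run. Confirm that is intended; if not, use
  # `${{ github.head_ref || github.run_id }}` so push runs are never cancelled.
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

jobs:
  lint:
    name: Lint
    # Same grants the workflow previously applied to every job; reduce further
    # once the scopes lint.yml actually needs are confirmed.
    permissions:
      actions: write
      contents: read
      packages: write
      # To report GitHub Actions status checks
      statuses: write
      id-token: write
    uses: ./.github/workflows/lint.yml

  files_changed:
    name: Determine files changed
    needs: lint
    runs-on: ubuntu-latest
    # This job only reads the repository; nothing in it needs a write-capable token.
    permissions:
      contents: read
    # Map a step output to a job output, this allows other jobs to be gated on the filter results
    outputs:
      # The 'stackhpc' output will be 'true' if either of the two stackhpc filters below matched
      stackhpc: ${{ toJson(fromJson(steps.filter_on_every.outputs.stackhpc) || fromJson(steps.filter_on_some.outputs.stackhpc)) }}
      extra_on_push: ${{ steps.filter_on_some.outputs.extra_on_push }}
      extra_on_pull_request: ${{ steps.filter_on_some.outputs.extra_on_pull_request }}
      trivyscan: ${{ steps.filter_on_some.outputs.trivyscan }}
    steps:
      - name: Checkout
        # NOTE(review): unlike dorny/paths-filter below, this is a mutable tag
        # rather than a commit SHA; pin it to a full commit in the same way.
        uses: actions/checkout@v4
      # NOTE: We're detecting the changed files within a job so that we can gate execution of other jobs.
      # We use dorny/paths-filter which doesn't work like the conventional 'paths' and 'paths_exclude',
      # we can't do the following:
      #   paths:
      #     - '**'
      #     - '!dev/**'
      #     - 'dev/setup-env.sh'
      #
      # Which would include all files whilst removing all "dev/" files except "dev/setup-env.sh".
      # We have to use two filters:
      #   * first filter includes all changed files and removes "dev/" files
      #   * second filter explicitly adds 'dev/setup-env.sh'
      # We use the logical OR of the filters outputs to gate jobs.
      - name: Paths matching on every filter rule
        # For safety use the commit of dorny/paths-filter@v3
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
        id: filter_on_every
        with:
          # Filter changed files, 'every' means the file is matched only if it matches all filter rules.
          # NOTE: currently seeing: Warning: Unexpected input(s) 'predicate-quantifier', valid inputs are..
          # this can be ignored, filtering works as expected.
          predicate-quantifier: 'every'
          list-files: 'json'
          filters: |
            stackhpc:
              - '**'
              - '!dev/**'
              - '!**/*.md'
              - '!.gitignore'
              - '!.github/workflows/**'
      - name: Paths matching on any filter rule
        # For safety use the commit of dorny/paths-filter@v3
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
        id: filter_on_some
        with:
          # Filter changed files, 'some' means the file is matched if any one of the filter rules match.
          # NOTE: currently seeing: Warning: Unexpected input(s) 'predicate-quantifier', valid inputs are..
          # this can be ignored, filtering works as expected.
          predicate-quantifier: 'some'
          list-files: 'json'
          filters: |
            stackhpc:
              - 'dev/setup-env.sh'
              - '.github/workflows/stackhpc.yml'
            extra_on_push:
              - 'environments/.stackhpc/tofu/cluster_image.auto.tfvars.json'
              - 'ansible/roles/doca/**'
              - 'ansible/roles/cuda/**'
              - 'ansible/roles/slurm_recompile/**' # runs on cuda group
              - 'ansible/roles/lustre/**'
              - '.github/workflows/extra.yml'
            extra_on_pull_request:
              - 'environments/.stackhpc/tofu/cluster_image.auto.tfvars.json'
              - 'ansible/roles/doca/**'
              - 'ansible/roles/cuda/**'
              - 'ansible/roles/lustre/**'
              - '.github/workflows/extra.yml'
            trivyscan:
              - 'environments/.stackhpc/tofu/cluster_image.auto.tfvars.json'
      - name: Paths matched output
        # NOTE: This is a debug step, it shows what files were matched by the filters.
        # It's useful because dorny/paths-filter doesn't work like the conventional 'paths' and 'paths_exclude'
        #
        # The '*_files' outputs are JSON lists of changed file names, i.e. data
        # chosen by whoever opened the pull request. They are passed in through
        # the environment and parsed by jq instead of being expanded with ${{ }}
        # inside the script, so a file name containing a quote or other shell
        # metacharacters cannot break out of the command (script injection).
        env:
          STACKHPC_EVERY_FILES: ${{ steps.filter_on_every.outputs.stackhpc_files }}
          STACKHPC_SOME_FILES: ${{ steps.filter_on_some.outputs.stackhpc_files }}
          EXTRA_ON_PUSH_FILES: ${{ steps.filter_on_some.outputs.extra_on_push_files }}
          EXTRA_ON_PULL_REQUEST_FILES: ${{ steps.filter_on_some.outputs.extra_on_pull_request_files }}
          TRIVYSCAN_FILES: ${{ steps.filter_on_some.outputs.trivyscan_files }}
        run: |
          jq -n --argjson files "$STACKHPC_EVERY_FILES" '{ "stackhpc_every_files": $files }'
          jq -n --argjson files "$STACKHPC_SOME_FILES" '{ "stackhpc_some_files": $files }'
          jq -n --argjson files "$EXTRA_ON_PUSH_FILES" '{ "extra_on_push_files": $files }'
          jq -n --argjson files "$EXTRA_ON_PULL_REQUEST_FILES" '{ "extra_on_pull_request_files": $files }'
          jq -n --argjson files "$TRIVYSCAN_FILES" '{ "trivyscan_files": $files }'

  stackhpc:
    name: Test deployment and reimage on OpenStack
    needs: files_changed
    if: |
      needs.files_changed.outputs.stackhpc == 'true'
    # Same grants the workflow previously applied to every job; reduce further
    # once the scopes stackhpc.yml actually needs are confirmed.
    permissions:
      actions: write
      contents: read
      packages: write
      # To report GitHub Actions status checks
      statuses: write
      id-token: write
    uses: ./.github/workflows/stackhpc.yml
    secrets: inherit

  extra:
    name: Test extra build
    needs: files_changed
    # Parenthesised for readability; '&&' already binds tighter than '||', so
    # the evaluation is unchanged.
    if: |
      (github.event_name != 'pull_request' && needs.files_changed.outputs.extra_on_push == 'true') ||
      (github.event_name == 'pull_request' && needs.files_changed.outputs.extra_on_pull_request == 'true')
    # Same grants the workflow previously applied to every job; reduce further
    # once the scopes extra.yml actually needs are confirmed.
    permissions:
      actions: write
      contents: read
      packages: write
      # To report GitHub Actions status checks
      statuses: write
      id-token: write
    uses: ./.github/workflows/extra.yml
    secrets: inherit

  trivyscan:
    name: Trivy scan image for vulnerabilities
    needs: files_changed
    if: |
      github.event_name == 'pull_request' &&
      needs.files_changed.outputs.trivyscan == 'true'
    # Same grants the workflow previously applied to every job; reduce further
    # once the scopes trivyscan.yml actually needs are confirmed.
    permissions:
      actions: write
      contents: read
      packages: write
      # To report GitHub Actions status checks
      statuses: write
      id-token: write
    uses: ./.github/workflows/trivyscan.yml
    secrets: inherit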