name: CI
on:
  workflow_dispatch:
    inputs:
      release:
        description: "Use 'major' for incompatible changes, 'minor' for new features, and 'patch' for fixes or 'no_release' to trigger the pipeline without doing a release."
        type: choice
        options:
          - "no_release"
          - "major"
          - "minor"
          - "patch"
        required: true
        default: "no_release"
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - closed
  repository_dispatch:
  schedule:
    # rebuild image every sunday
    - cron: "0 0 * * 0"
# Grants rights to push to the GitHub container registry.
# The main workflow has to set the permissions.
permissions:
  contents: read
  packages: write
  id-token: write
  pull-requests: write
jobs:
  # sets the release kind when it wasn't triggered by a workflow dispatch
  # this prevents us from having to pass down all labels, event_name, etc.
  # to init.yml
  adapt_release:
    runs-on: ubuntu-latest
    outputs:
      kind: ${{ steps.kind.outputs.kind }}
    steps:
      - name: "Debug"
        run: |
          echo "${{ github.event_name }}"
          echo "${{ github.event.pull_request.merged }}"
          echo "${{ github.event.pull_request.labels }}"
      - name: "set KIND = no_release"
        run: echo "KIND=no_release" >> "$GITHUB_ENV"
      - name: "override KIND = ${{ inputs.release }}"
        if: github.event_name == 'workflow_dispatch'
        run: echo "KIND=${{ inputs.release }}" >> "$GITHUB_ENV"
      - name: "override KIND = major"
        if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'major_release')
        run: echo "KIND=major" >> "$GITHUB_ENV"
      - name: "override KIND = minor"
        if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'minor_release')
        run: echo "KIND=minor" >> "$GITHUB_ENV"
      - name: "override KIND = patch"
        if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'patch_release')
        run: echo "KIND=patch" >> "$GITHUB_ENV"
      - id: kind
        run: |
          echo "kind=${{ env.KIND }}" >> "$GITHUB_OUTPUT"
  init:
    needs: [adapt_release]
    uses: ./.github/workflows/init.yaml
    with:
      release: ${{ needs.adapt_release.outputs.kind }}
  unittests:
    name: unit-tests
    uses: ./.github/workflows/tests.yml
  build:
    uses: ./.github/workflows/build.yml
  linting:
    uses: ./.github/workflows/linting.yml
  build-rs-amd64:
    uses: ./.github/workflows/build-rs.yaml
    with:
      arch: amd64
      runner: ubuntu-latest
  build-rs-arm64:
    uses: ./.github/workflows/build-rs.yaml
    with:
      arch: arm64
      runner: self-hosted-generic-arm64
  # maybe create functional tests for arm64 as well?
  functional:
    needs: [build-rs-amd64]
    uses: ./.github/workflows/functional.yaml
  container:
    needs: [build, init, build-rs-arm64, build-rs-amd64]
    uses: ./.github/workflows/push-container.yml
    secrets:
      dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
      dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
      cosign_key_opensight: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
      cosign_password_opensight: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}
      greenbone_bot_token: ${{ secrets.GREENBONE_BOT_TOKEN }}
      greenbone_registry: ${{ vars.GREENBONE_REGISTRY }}
      greenbone_registry_user: ${{ secrets.GREENBONE_REGISTRY_USER }}
      greenbone_registry_token: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
      greenbone_registry_read_user: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
      greenbone_registry_read_token: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}
      greenbone_registry_replication_user: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }}
      greenbone_registry_replication_token: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}
      mattermost_webhook_url: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
    with:
      is_latest_tag: ${{ needs.init.outputs.docker_build_is_latest }}
      is_version_tag: ${{ needs.init.outputs.docker_build_is_version }}
  container-testing:
    name: container
    needs: [init, build]
    uses: ./.github/workflows/push-container-testing.yml
    secrets:
      dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
      dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
    with:
      is_latest_tag: ${{ needs.init.outputs.docker_build_is_latest }}
      is_version_tag: ${{ needs.init.outputs.docker_build_is_version }}
  container-oldstable:
    name: container
    needs: [init, build]
    uses: ./.github/workflows/push-container-oldstable.yml
    secrets:
      dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
      dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
    with:
      is_latest_tag: ${{ needs.init.outputs.docker_build_is_latest }}
      is_version_tag: ${{ needs.init.outputs.docker_build_is_version }}
  release:
    permissions:
      contents: write
    # we release after the container build so that we can release on a closed PR, as we don't push the release container yet;
    # instead it is pushed after the tag is created.
    needs: [functional, build-rs-arm64, init]
    if: ( needs.init.outputs.release_kind == 'major' || needs.init.outputs.release_kind == 'minor' || needs.init.outputs.release_kind == 'patch' )
    uses: ./.github/workflows/release.yml
    with:
      new_version: ${{ needs.init.outputs.release_new_version }}
      latest_version: ${{ needs.init.outputs.release_latest_version }}
      release_kind: ${{ needs.init.outputs.release_kind }}
      release_ref: ${{ needs.init.outputs.release_ref }}
      project: ${{ needs.init.outputs.release_project }}
      repository: ${{ github.repository }}
    secrets:
      token: ${{ secrets.GREENBONE_BOT_TOKEN }}
      name: ${{ secrets.GREENBONE_BOT }}
      email: ${{ secrets.GREENBONE_BOT_MAIL }}
      gpg_key: ${{ secrets.GPG_KEY }}
      gpg_pass: ${{ secrets.GPG_PASSPHRASE }}
  helm:
    if: github.event_name != 'pull_request' && vars.IMAGE_REGISTRY != ''
    needs: [container, init]
    permissions:
      packages: write
    uses: ./.github/workflows/push-helm-chart.yml
    secrets:
      user: ${{ secrets.GREENBONE_BOT }}
      token: ${{ secrets.GITHUB_TOKEN }}
    with:
      registry: ${{ vars.IMAGE_REGISTRY }}