BRE-564] Agalles/scan examples (#363)

* moving templates to a directory where they will be scanned and disabling them from running * running from the template directory to avoid any unintended consequences of fake workflows * adding files referenced by the example workflows * add passing example workflows * adding third example that passes linter * updating workflow files to pass linter * adding newline * reducing number of times actions/checkout is used * temporarily disabling new validation step * fixing broken workflow changes * re adding relevant changes
10 months ago · 7649f13cf9
8 changed files with 314 additions and 32 deletions
--- a/.github/templates/workflow-templates/ci.yaml
+++ b/.github/templates/workflow-templates/ci.yaml
@ -17,11 +17,11 @@ permissions: # Sets permissions of the GITHUB_TOKEN
				@@ -17,11 +17,11 @@ permissions: # Sets permissions of the GITHUB_TOKEN
 jobs:
  version:
    name: Calculate version
-    uses: ./.github/workflows/_version.yml # Path to an existing github action
+    uses: ./.github/templates/workflow-templates/example-references/_version.yml # Path to an existing github action

  test:
    name: Run test
-    uses: ./.github/workflows/_test.yml
+    uses: ./.github/templates/workflow-templates/example-references/_test.yml
    with: # Parameters specific to this action that need to be defined in order for the step to be completed
      project-name: Billing.Test
      project-path: ./test/Billing.Test
@ -31,7 +31,7 @@ jobs:
				@@ -31,7 +31,7 @@ jobs:
    needs:  # This job will not run until test and version jobs are complete
      - test
      - version
-    uses: ./.github/workflows/_build.yml
+    uses: ./.github/templates/workflow-templates/example-references/_build.yml
    with:
      project-name: Billing
      project-path: ./src/Billing
@ -43,7 +43,7 @@ jobs:
				@@ -43,7 +43,7 @@ jobs:
      - test
      - version
      - build
-    uses: ./.github/workflows/_docker.yml
+    uses: ./.github/templates/workflow-templates/example-references/_docker.yml
    with:
      project-name: Billing
      project-path: ./src/Billing
--- a/.github/templates/workflow-templates/example-references/_build.yml
+++ b/.github/templates/workflow-templates/example-references/_build.yml
@ -0,0 +1,64 @@
				@@ -0,0 +1,64 @@
+name: _build
+run-name: Build ${{ inputs.project-name }}
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+      version:
+        type: string
+        required: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+
+      - name: Cache NuGet packages
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Install dependencies
+        run: dotnet restore ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Build
+        run: dotnet build --verbosity minimal ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Publish
+        run: |
+          echo "Publish"
+          dotnet publish ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj \
+            -c Release --no-restore \
+            -o ./tmp/publish-${{ inputs.project-name }} -p:Version=${{ inputs.version }}
+
+      - name: Create artifact
+        run: |
+          cd ./tmp/publish-${{ inputs.project-name }}
+          zip -r ${{ inputs.project-name }}.zip .
+          mv ${{ inputs.project-name }}.zip ../../
+          pwd
+          ls -atlh ../../
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: ${{ inputs.project-name }}.zip
+          path: ./${{ inputs.project-name }}.zip
+          if-no-files-found: error
--- a/.github/templates/workflow-templates/example-references/_docker.yml
+++ b/.github/templates/workflow-templates/example-references/_docker.yml
@ -0,0 +1,83 @@
				@@ -0,0 +1,83 @@
+name: _docker
+run-name: "Build ${{ inputs.project-name }} docker image and push ${{ inputs.push-docker-image }} to ACR"
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+      version:
+        type: string
+        required: false
+      push-docker-image:
+        type: boolean
+        required: false
+        default: false
+      image-name:
+        type: string
+        required: true
+
+jobs:
+  docker:
+    name: Docker
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Log in to Azure
+        if: ${{ inputs.push-docker-image }}
+        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.6.1
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Log in to ACR
+        if: ${{ inputs.push-docker-image }}
+        run: az acr login -n bitwardenprod
+
+      - name: Generate Docker image tag
+        id: tag
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          IMAGE_TAG=$VERSION
+          # IMAGE_TAG=$(echo "${GITHUB_REF#refs/heads/}" | sed "s#/#-#g")  # slash safe branch name
+          # if [[ "$IMAGE_TAG" == "main" ]]; then
+          #   IMAGE_TAG=$VERSION
+          # fi
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Generate tag list
+        id: tag-list
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          IMAGE_NAME: ${{ inputs.image-name }}
+        run: echo "tags=bitwardenprod.azurecr.io/${IMAGE_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Get build artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ inputs.project-name }}.zip
+
+      - name: Set up build artifact
+        run: |
+          mkdir -p ${{ inputs.project-path }}/obj/build-output/publish
+          unzip ${{ inputs.project-name }}.zip \
+            -d ${{ inputs.project-path }}/obj/build-output/publish
+
+      - name: Build Docker image
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        with:
+          context: ${{ inputs.project-path }}
+          file: ${{ inputs.project-path }}/Dockerfile
+          platforms: linux/amd64
+          push: ${{ inputs.push-docker-image }}
+          tags: ${{ steps.tag-list.outputs.tags }}
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
--- a/.github/templates/workflow-templates/example-references/_test.yml
+++ b/.github/templates/workflow-templates/example-references/_test.yml
@ -0,0 +1,75 @@
				@@ -0,0 +1,75 @@
+name: _test
+run-name: Test ${{ inputs.project-name }}
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+
+jobs:
+  check-test-secrets:
+    name: Check for test secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      available: ${{ steps.check-test-secrets.outputs.available }}
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check
+        id: check-test-secrets
+        run: |
+          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
+            echo "available=true" >> $GITHUB_OUTPUT;
+          else
+            echo "available=false" >> $GITHUB_OUTPUT;
+          fi
+
+  testing:
+    name: Test
+    runs-on: ubuntu-22.04
+    needs: check-test-secrets
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+
+      - name: Cache NuGet packages
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Install dependencies
+        run: dotnet restore --locked-mode ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Build
+        run: dotnet build --verbosity minimal ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Test
+        run: dotnet test ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj --no-build --logger "trx;LogFileName=mothership-test-results.trx"
+
+      - name: Report test results
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
+        with:
+          name: Test Results
+          path: "**/*-test-results.trx"
+          reporter: dotnet-trx
+          fail-on-error: true
--- a/.github/templates/workflow-templates/example-references/_version.yml
+++ b/.github/templates/workflow-templates/example-references/_version.yml
@ -0,0 +1,68 @@
				@@ -0,0 +1,68 @@
+name: _version
+run-name: Calculate version
+
+on:
+  workflow_call:
+    inputs:
+      is-release:
+        type: boolean
+        default: false
+    outputs:
+      version:
+        description: "version to be built"
+        value: ${{ jobs.version.outputs.version }}
+
+jobs:
+  version:
+    name: Calculate version
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.version.outputs.value }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Generate version
+        id: version
+        run: |
+          ls -la
+          git fetch --prune --tags
+
+          echo "Calculating next version..."
+
+          base_version=$(cat Directory.build.props |
+            grep -o "<BaseVersion>.*</BaseVersion>" |
+            grep -Eo "[0-9]+\.[0-9]+"
+          )
+          major_version=$(echo $base_version | grep -Eo "[0-9]+" | head -1)
+          minor_version=$(echo $base_version | grep -Eo "[0-9]+" | sed -n 2p)
+
+          latest_tag_version=$(git tag --sort=committerdate --list | tail -1)
+          echo "  latest_tag_version: $latest_tag_version"
+
+          major_latest_tag_version=$(echo $latest_tag_version | grep -Eo "[0-9]+" | head -1)
+          echo "  major_latest_tag_version: $major_latest_tag_version"
+
+          minor_latest_tag_version=$(echo $latest_tag_version | grep -Eo "[0-9]+" | sed -n 2p)
+          echo "  minor_latest_tag_version: $minor_latest_tag_version"
+
+          if [[ "$major_latest_tag_version" != "$major_version" ]] || \
+          [[ "$minor_latest_tag_version" != "$minor_version" ]]; then
+            patch_version="0"
+          else
+            patch_version=$((${latest_tag_version##*.} + 1))
+          fi
+
+          echo "  patch_version: $patch_version"
+
+          version_suffix=$patch_version
+
+          if [[ "${{ inputs.is-release }}" == "false" ]]; then
+            version_suffix=$version_suffix-${GITHUB_SHA:0:7}
+          fi
+
+          echo "  version: $base_version.$version_suffix"
+          echo "value=$base_version.$version_suffix" >> $GITHUB_OUTPUT
+          echo "Done"
--- a/.github/templates/workflow-templates/example.yaml
+++ b/.github/templates/workflow-templates/example.yaml
@ -17,17 +17,16 @@ on: # Describes when to run the workflow
				@@ -17,17 +17,16 @@ on: # Describes when to run the workflow
      - ".github/workflows/**"

  # Pull_request_target: #We strongly discourage using this unless absolutely necessary as it requires access to certain Github secrets.
-    # If using this, include the .github/workflows/check-run.yml job as
+    # If using this, include the .github/workflows/check-run.yml job and target only the main branch
    # More info at https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks

  pull_request: # When a pull request event occurs
    types: [opened, synchronize, unlabeled, labeled, unlabeled, reopened, edited]
    branches: ["main"] # Branches where a pull request will trigger the workflow
-      - ".github/workflows/**"
+

  release: # Runs your workflow when release activity in your repository occurs
-    types:
-      - [published, created]
+    types: [published, created]

  merge_group: # Runs required status checks on merge groups created by merge queue
    types: [checks_requested]
@ -40,14 +39,14 @@ on: # Describes when to run the workflow
				@@ -40,14 +39,14 @@ on: # Describes when to run the workflow
 env: # Environment variables set for this step but not accessible by all workflows, steps or jobs.
  _AZ_REGISTRY: "ACMEprod.azurecr.io"
  INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
-  VERSION: ${{ inputs.version }}

 jobs: # A workflow run is made up of one or more jobs that can run sequentially or in parallel
-
  first-job:
    name: First Job Name
+    uses: ./.github/templates/workflow-templates/example-references/_version.yml # Path to an existing github action
    if: github.event.pull_request.draft == false # prevent part of a job from running on a draft PR
-    runs-on: ubuntu-22.04 # The type of runner that the job will run on
+    secrets: inherit # When called by another workflow, pass all the calling workflow's secrets to the called workflow
+    # "secrets" is only available for a reusable workflow call with "uses"
    strategy: # Create multiple job runs for each of a set of variables
      fail-fast: false # If true, cancel entire run if any job in the matrix fails
      matrix:  # Matrix of variables used to define multiple job runs
@ -68,27 +67,29 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
				@@ -68,27 +67,29 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
      packages: read # Permits an action to access packages on GitHub Packages
      pull-requests: write # Permits an action to add a label to a pull request

-    https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
+  # steps: when a reusable workflow is called with "uses", "steps" is not available
+  second-job:
+    name: Second Job Name
+    runs-on: ubuntu-22.04 # The type of runner that the job will run on, not available if "uses" is used
    defaults:
      run: # Set the default shell and working directory
        shell: bash
        working-directory: "home/WorkingDirectory"
-    secrets: inherit # When called by another workflow, pass all the calling workflow's secrets to the called workflow

+    needs:
+      - first-job  # This job will wait until first-job completes
+  #     #   # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
    steps:
      - name: Descriptive step name
      # NOT RECOMMENDED if: always() # run even if previous steps failed or the workflow is canceled, this can cause a workflow run to hang indefinitely
-      # if: failure() # run when any previous step of a job fails
+        if: failure() # run when any previous step of a job fails
      # if: '!cancelled()' # run even if previous steps failed
-
-        # Always pin a public action version to a full git SHA, followed by the version number in a comment.  Version pins are insecure and can introduce vulnerabilities into workflows.
-        uses: actions/checkout@11bd71901bbsdflakceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 Always pin a public action version to a full git SHA, followed by the version number in a comment.  Version pins are insecure and can introduce vulnerabilities into workflows.
        with: # Parameters specific to this action that need to be defined in order for the step to be completed
          fetch-depth: 0 # Full git history for actions that rely on whether a change has occurred
          ref: ${{ github.event.pull_request.head.sha }}
          creds: ${{ secrets.SECRETS_OR_CREDENTIALS }}
      - name: Another descriptive step name
-        if: ${{ matrix.node }}
        # Run a script instead of an existing github action
        run: |
          whoami
@ -97,11 +98,3 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
				@@ -97,11 +98,3 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
          npm --version
          echo "GitHub ref: $GITHUB_REF"
          echo "GitHub event: $GITHUB_EVENT"
-
-  # This job is relatively simple and just imports a previously written action to be used in this workflow
-  second-job:
-    name: Second Job Name
-    runs-on: ubuntu-22.04
-    uses: bitwarden/gh-actions/.github/workflows/action-name.yml@main # Location and branch of bitwarden-owned action being used
-    needs:
-      - first-job  # This job will wait until first-job completes
--- a/.github/templates/workflow-templates/scan.yaml
+++ b/.github/templates/workflow-templates/scan.yaml
@ -21,6 +21,7 @@ on:
				@@ -21,6 +21,7 @@ on:
      - "hotfix-rc"
  pull_request_target: # When a pull request event occurs. Default is opened or reopened unless otherwise specified, as below:
    types: [opened, synchronize] # Other options include labeled, unlabeled, reopened
+    branches: 'main'

 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@ -85,12 +86,6 @@ jobs:
				@@ -85,12 +86,6 @@ jobs:
          java-version: 17
          distribution: "zulu"
        # This step checks out a copy of your repository
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0 # Full git history for actions that rely on whether a change has occurred
-          ref: ${{  github.event.pull_request.head.sha }}
-
      - name: Set up .NET
        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
        # Install a tool without a Github Action
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@ -49,3 +49,7 @@ jobs:
				@@ -49,3 +49,7 @@ jobs:
      - name: Lint
        if: steps.changed-workflows.outputs.all_changed_files_count != 0
        run: bwwl lint -f .github/workflows
+      
+      - name: Validate examples
+        if: steps.changed-workflows.outputs.all_changed_files_count != 0
+        run: bwwl lint -f .github/templates/workflow-templates # validate that example workflows still meet bitwarden standards