DEVOPS-477 :: Add Continuous Integration workflow to active repositories (#3)

Author: ricardo-dematos

.github/actions/build-docker-image/action.yml

@@ -0,0 +1,34 @@
+name: 'Build docker image'
+description: 'Builds a docker image of this application'
+inputs:
+  name:
+    description: 'Name for the docker image'
+    required: true
+    default: '${{ github.repository }}'
+  tag:
+    description: 'Tag for the docker image'
+    required: true
+    default: 'latest'
+  dockerfile:
+    description: 'Path to the Dockerfile'
+    required: true
+    default: 'Dockerfile'
+  archive:
+    description: 'Archive name of the docker image (must include `tar.gz` extension)'
+    required: true
+    default: 'docker.tar.gz'
+runs:
+  using: composite
+  steps:
+    - id: build
+      run: docker build --tag ${{ inputs.name }}:latest --file "${{ inputs.dockerfile }}" .
+      shell: bash
+    - id: tag
+      run: docker tag ${{ inputs.name }}:latest ${{ inputs.name }}:${{ inputs.tag }}
+      shell: bash
+    - id: save
+      run: docker save ${{ inputs.name }}:${{ inputs.tag }} | gzip > "${{ inputs.archive }}"
+      shell: bash
+    - id: test
+      run: tar --list --ungzip --file "${{ inputs.archive }}" 1> /dev/null
+      shell: bash

.github/actions/get-build-version/action.yml

@@ -0,0 +1,23 @@
+name: 'Get build version'
+description: 'Returns the current build version'
+inputs:
+  file:
+    description: 'Path to the python versioning file'
+    required: true
+    default: '__init__.py'
+outputs:
+  release:
+    description: 'Current release version (e.g. xx.yy)'
+    value: '${{ steps.release.outputs.version }}'
+  version:
+    description: 'Current build version (e.g. xx.yy.zz)'
+    value: '${{ steps.build.outputs.version }}'
+runs:
+  using: composite
+  steps:
+    - id: release
+      run: echo "::set-output name=version::$( echo "$( grep --extended-regexp "__version__" "${{ inputs.file }}" | grep --only-matching --extended-regexp "([[:digit:]]+)[.]([[:digit:]]+)" )" )"
+      shell: bash
+    - id: build
+      run: echo "::set-output name=version::$( echo "$( grep --extended-regexp "__version__" "${{ inputs.file }}" | grep --only-matching --extended-regexp "([[:digit:]]+)[.]([[:digit:]]+)[.]([[:digit:]]+)" )" )"
+      shell: bash

.github/workflows/continuous_integration.yml

@@ -0,0 +1,233 @@
+name: 'Continuous Integration'
+
+concurrency:
+  group: 'ci-${{ github.repository_id }}'
+  cancel-in-progress: true
+
+on:
+
+  schedule:
+    - cron: '30 1,13 * * 1-5' # At minute 30 past hour 1 and 13 on every day-of-week from Monday through Friday
+
+jobs:
+
+  static_application_security_testing:
+
+    name: 'Static Application Security Testing (SAST)'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+
+      - name: 'Set up steps'
+        id: setup
+        run: |
+          echo "::set-output name=repository::$( echo "${{ github.repository }}" )"
+          echo "::set-output name=repository_owner::$( echo "${{ github.repository_owner }}" )"
+          echo "::set-output name=repository_name::$( echo "${{ github.event.repository.name }}" )"
+          echo "::set-output name=branch::$( echo "${{ github.event.repository.default_branch }}" )"
+        shell: bash
+
+      - name: 'Check out repository'
+        id: checkout
+        uses: actions/checkout@v3
+        with:
+          ref: '${{ steps.setup.outputs.branch }}'
+
+      - name: 'Set up python'
+        id: python
+        uses: actions/setup-python@v4
+        with:
+          token: '${{ secrets.GITHUB_TOKEN }}'
+          python-version: '3.9'
+          cache: 'pip'
+          cache-dependency-path: 'requirements-dev.txt'
+
+      - name: 'Install requirements'
+        id: requirements
+        run: pip install --exists-action w --requirement "requirements-dev.txt"
+        shell: bash
+
+      - name: 'Check code with black'
+        id: black
+        run: black --target-version py39 --line-length 120 --check .
+        shell: bash
+
+      # - name: 'Check code with cspell'
+      #   id: cspell
+      #   uses: check-spelling/[email protected]
+      #   with:
+      #     event_aliases: '{"workflow_dispatch":"push"}'
+      #     spell_check_this: check-spelling/spell-check-this@main
+      #     only_check_changed_files: false
+      #     check_extra_dictionaries: true
+      #     extra_dictionary_limit: 25
+      #     extra_dictionaries:
+      #       cspell:en_US/en_US.txt
+      #       cspell:en_US/hyphenated-words.txt
+      #       cspell:pt_PT/Portuguese-European.txt
+      #       cspell:software-terms/software-terms.txt
+      #       cspell:software-terms/software-tools.txt
+      #       cspell:software-terms/network-protocols.txt
+      #       cspell:software-terms/network-os.txt
+      #       cspell:public-licenses/public-licenses.txt
+      #       cspell:public-licenses/additional-licenses.txt
+      #       cspell:companies/companies.txt
+      #       cspell:aws/aws.txt
+      #       cspell:docker/docker-words.txt
+      #       cspell:git/git.txt
+      #       cspell:django/django.txt
+      #       cspell:npm/npm.txt
+      #       cspell:bash/bash-words.txt
+      #       cspell:python/python.txt
+      #       cspell:python/python-lib.txt
+      #       cspell:python/extra.txt
+      #       cspell:python/additional_words.txt
+      #       cspell:typescript/typescript.txt
+      #       cspell:html/html.txt
+      #       cspell:html-symbol-entities/entities.txt
+      #       cspell:css/css.txt
+      #       cspell:filetypes/filetypes.txt
+
+  unit_testing:
+
+    name: 'Unit Testing'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+
+      - name: 'Set up steps'
+        id: setup
+        run: |
+          echo "::set-output name=repository::$( echo "${{ github.repository }}" )"
+          echo "::set-output name=repository_owner::$( echo "${{ github.repository_owner }}" )"
+          echo "::set-output name=repository_name::$( echo "${{ github.event.repository.name }}" )"
+          echo "::set-output name=branch::$( echo "${{ github.event.repository.default_branch }}" )"
+        shell: bash
+
+      - name: 'Check out repository'
+        id: checkout
+        uses: actions/checkout@v3
+        with:
+          ref: '${{ steps.setup.outputs.branch }}'
+
+      - name: 'Set up python'
+        id: python
+        uses: actions/setup-python@v4
+        with:
+          token: '${{ secrets.GITHUB_TOKEN }}'
+          python-version: '3.9'
+          cache: 'pip'
+          cache-dependency-path: 'requirements-dev.txt'
+
+      - name: 'Install requirements'
+        id: requirements
+        run: pip install --exists-action w --requirement "requirements-dev.txt"
+        shell: bash
+
+  dynamic_application_security_testing:
+
+    name: 'Dynamic Application Security Testing (DAST)'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+
+      - name: 'Set up steps'
+        id: setup
+        run: |
+          echo "::set-output name=repository::$( echo "${{ github.repository }}" )"
+          echo "::set-output name=repository_owner::$( echo "${{ github.repository_owner }}" )"
+          echo "::set-output name=repository_name::$( echo "${{ github.event.repository.name }}" )"
+          echo "::set-output name=branch::$( echo "${{ github.event.repository.default_branch }}" )"
+        shell: bash
+
+      - name: 'Check out repository'
+        id: checkout
+        uses: actions/checkout@v3
+        with:
+          ref: '${{ steps.setup.outputs.branch }}'
+
+      - name: 'Get build version'
+        id: versioning
+        uses: ./.github/actions/get-build-version
+        with:
+          file: '__init__.py'
+
+      - name: 'Build docker image'
+        id: docker
+        uses: ./.github/actions/build-docker-image
+        with:
+          name: '${{ steps.setup.outputs.repository }}'
+          tag: '${{ steps.versioning.outputs.version }}'
+          dockerfile: 'Dockerfile'
+          archive: '${{ steps.setup.outputs.repository_name }}-docker.tar.gz'
+
+  report:
+
+    name: 'Report'
+    runs-on: ubuntu-latest
+
+    needs: [static_application_security_testing, unit_testing, dynamic_application_security_testing]
+
+    if: ${{ always() }}
+
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+
+      - name: 'Set up steps'
+        id: setup
+        run: |
+          echo "::set-output name=repository::$( echo "${{ github.repository }}" )"
+          echo "::set-output name=repository_owner::$( echo "${{ github.repository_owner }}" )"
+          echo "::set-output name=repository_name::$( echo "${{ github.event.repository.name }}" )"
+          echo "::set-output name=branch::$( echo "${{ github.event.repository.default_branch }}" )"
+          echo "::set-output name=channel::$( echo "#development" )"
+        shell: bash
+
+      - name: 'Check out repository'
+        id: checkout
+        uses: actions/checkout@v3
+        with:
+          ref: '${{ steps.setup.outputs.branch }}'
+
+      - name: 'Get build version'
+        id: versioning
+        uses: ./.github/actions/get-build-version
+        with:
+          file: '__init__.py'
+
+      - name: 'Get workflow status'
+        id: workflow
+        uses: martialonline/workflow-status@v3
+
+      - name: Notify channel '#${{ steps.setup.outputs.channel }}'
+        id: notify
+        if: ${{ always() && (steps.workflow.outputs.status == 'failure') }}
+        uses: adamkdean/[email protected]
+        env:
+          SLACK_WEBHOOK_URL: '${{ secrets.SLACK_WEBHOOK_URL }}'
+        with:
+          channel: '${{ steps.setup.outputs.channel }}'
+          status: '${{ steps.workflow.outputs.status }}'
+          success_text:   '  [*SUCCESS*] <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} (${{ steps.setup.outputs.repository }})>'
+          failure_text:   '  [*FAILURE*] <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} (${{ steps.setup.outputs.repository }})>'
+          cancelled_text: '[*CANCELLED*] <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} (${{ steps.setup.outputs.repository }})>'
+          fields: |
+            [
+               { "title": "Version", "value": "${{ steps.versioning.outputs.version }}", "short": true }
+              ,{ "title":  "Branch", "value": "<${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}|${{ steps.setup.outputs.branch }}>", "short": true }
+            ]