Replace zizmor pip install with GitHub Action and add input parameters #1419
---
# Top-level CI/CD workflow. Every job except update-readme-md delegates to a
# reusable workflow under .github/workflows/; the `if:` expressions below are
# the only place the event/permission gating for those callers is visible.
name: CI/CD
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  # The four events below fire on text that any GitHub user can author
  # (comments, reviews, issue bodies); they drive claude-code-bot.
  issue_comment:
    types:
      - created
  pull_request_review_comment:
    types:
      - created
  issues:
    types:
      - opened
      - assigned
  pull_request_review:
    types:
      - submitted
  workflow_dispatch: # checkov:skip=CKV_GHA_7:workflow_dispatch inputs are required to select the pipeline
    inputs:
      workflow:
        required: true
        type: choice
        options:
          - lint
          - analyze
          - build
          - release
          - update
        description: Choose the workflow to run
        default: lint
# Workflow-wide default; each job declares its own (wider) block below.
permissions:
  contents: read
defaults:
  run:
    shell: bash -euo pipefail {0}
    working-directory: .
jobs:
  # Runs on push, on every pull_request action except ready_for_review, or on
  # a manual "lint" dispatch.
  go-lint-and-scan:
    if: >
      github.event_name == 'push'
      || (github.event_name == 'pull_request' && github.event.action != 'ready_for_review')
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'lint')
    permissions:
      contents: read
      # presumably for SARIF upload by the reusable workflow — confirm there
      security-events: write
    uses: ./.github/workflows/go-package-lint-and-scan.yml
    with:
      package-path: .
      go-version: stable
  # Same trigger set as go-lint-and-scan; lints the workflow files themselves.
  github-actions-lint-and-scan:
    if: >
      github.event_name == 'push'
      || (github.event_name == 'pull_request' && github.event.action != 'ready_for_review')
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'lint')
    permissions:
      contents: read
    uses: ./.github/workflows/github-actions-lint-and-scan.yml
    with:
      search-path: .github/workflows
      go-version: stable
      # `3.x` stays a string on every parser (the x blocks numeric typing)
      python-version: 3.x
  # Same trigger set as go-lint-and-scan.
  docker-lint-and-scan:
    if: >
      github.event_name == 'push'
      || (github.event_name == 'pull_request' && github.event.action != 'ready_for_review')
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'lint')
    permissions:
      # NOTE(review): wider than the sibling lint jobs (contents: read); confirm
      # docker-lint-and-scan.yml actually writes to the repo, else narrow it
      contents: write
    uses: ./.github/workflows/docker-lint-and-scan.yml
  # Manual only ("build" dispatch): builds the multi-arch image and pushes to ghcr.io.
  docker-build-and-push:
    if: >
      github.event_name == 'workflow_dispatch' && inputs.workflow == 'build'
    permissions:
      contents: write
      packages: write
    uses: ./.github/workflows/docker-build-and-push.yml
    with:
      registry: ghcr.io
      registry-user: ${{ github.repository_owner }}
      image-name: ${{ github.repository }}
      platforms: linux/amd64,linux/arm64
      context: ./src
      file: ./src/Dockerfile
      push: true
    secrets:
      # registry login uses the job-scoped GITHUB_TOKEN; GHCR_TOKEN is a
      # repository secret whose scope is not visible here — presumably a PAT,
      # confirm what docker-build-and-push.yml needs it for
      DOCKER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_TOKEN: ${{ secrets.GHCR_TOKEN }}
  # CodeQL on push to main or on a manual "analyze" dispatch.
  github-codeql-analysis:
    if: >
      github.event_name == 'push'
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'analyze')
    permissions:
      actions: read
      contents: read
      security-events: write
    uses: ./.github/workflows/github-codeql-analysis.yml
    with:
      # folded scalar: the input is the string `["go"]` plus one trailing
      # newline (clip chomping); presumably fromJSON'd in the callee — confirm
      language: >
        ["go"]
  # AI review of non-draft PRs when they are opened or marked ready; skipped
  # for dependabot/renovate branches. The negated status check (instead of
  # the implicit success()) lets the job run when a prerequisite was skipped,
  # not only when all of them succeeded.
  claude-code-review:
    if: >
      github.event_name == 'pull_request'
      && github.event.pull_request.draft == false
      && (github.event.action == 'opened' || github.event.action == 'ready_for_review')
      && (! startsWith(github.head_ref, 'dependabot/'))
      && (! startsWith(github.head_ref, 'renovate/'))
      && (! (failure() || cancelled()))
    needs:
      - go-lint-and-scan
      - github-actions-lint-and-scan
      - docker-lint-and-scan
      - update-readme-md
    permissions:
      contents: read
      # NOTE(review): write scopes plus id-token are handed to a job whose input
      # is PR-authored text (title, body, diff) — a prompt-injection surface;
      # confirm claude-code-review.yml constrains what the model may do with them
      pull-requests: write
      issues: write
      id-token: write
      actions: read
    uses: ./.github/workflows/claude-code-review.yml
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Mention-driven bot: fires on any comment, review or issue containing
  # "@claude".
  # NOTE(review): no author gating is visible at this level — unless
  # claude-code-bot.yml checks author_association, any GitHub user can start
  # a job holding pull-requests/issues/id-token write via text they control;
  # confirm the reusable workflow enforces that check.
  claude-code-bot:
    if: >
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude'))
      || (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
      || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))
      || (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write
      actions: read
    uses: ./.github/workflows/claude-code-bot.yml
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Manual only ("release" dispatch); releases an existing tag rather than
  # creating one.
  github-release:
    if: >
      github.event_name == 'workflow_dispatch' && inputs.workflow == 'release'
    permissions:
      contents: write
    uses: ./.github/workflows/github-release.yml
    with:
      create-new-tag: false
    secrets:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Auto-merges dependabot PRs once the three lint jobs succeed (no status
  # function in `if`, so the implicit success() applies). CodeQL is not a
  # prerequisite: it only runs on push.
  dependabot-auto-merge:
    if: >
      github.event_name == 'pull_request'
      && github.event.pull_request.user.login == 'dependabot[bot]'
    needs:
      - go-lint-and-scan
      - github-actions-lint-and-scan
      - docker-lint-and-scan
    permissions:
      contents: write
      pull-requests: write
      actions: read
    uses: ./.github/workflows/dependabot-auto-merge.yml
    with:
      # merges without further conditions — the `needs` list above is the
      # only gate
      unconditional: true
    secrets:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Inline job: regenerates README.md from a Go program in the checked-out
  # ref and commits the result back to that same branch.
  update-readme-md:
    if: >
      github.event_name == 'push'
      || (github.event_name == 'pull_request' && github.event.action != 'ready_for_review')
      || (github.event_name == 'workflow_dispatch' && inputs.workflow == 'update')
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-slim
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
          # PR head branch on pull_request, pushed branch otherwise.
          # NOTE(review): a fork PR's head_ref does not exist in this
          # repository, so checkout would fail there — confirm fork PRs are
          # out of scope
          ref: ${{ github.head_ref || github.ref_name }}
          # required so the final push step can authenticate; it also means
          # the token sits in .git while the steps below run code from the
          # checked-out ref (on pull_request: PR-authored code)
          persist-credentials: true
      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: stable
      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          # unpinned: resolved to whatever is newest at run time
          node-version: latest
      - name: Install dependencies
        run: |
          go mod download
      - name: Build the Go program
        env:
          # passed through env, not interpolated into the script, so the
          # branch name cannot alter the shell command
          VERSION: ${{ github.ref_name || github.head_ref || 'unknown' }}
        run: |
          go build -ldflags "-X main.version=${VERSION}" -o src/build_readme_md src/build_readme_md.go
      - name: Update README.md
        run: |
          ./src/build_readme_md
      - name: Prettify README.md
        # npx fetches an unpinned prettier from the registry at run time
        run: |
          npx prettier --write ./README.md
      - name: Commit and push the changes
        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          add: ./README.md
          message: Update README.md
          push: true
          # pushes made with GITHUB_TOKEN do not trigger further workflow runs
          github_token: ${{ secrets.GITHUB_TOKEN }}