chore(audit): add audit.toml file & downgrade lockfile to v3 #162
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test, Build and Deploy wasm-oidc-plugin | |
on: | |
push: | |
branches: | |
- main | |
env: | |
CARGO_TERM_COLOR: always | |
jobs: | |
cargo-deny: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Cargo Deny | |
uses: EmbarkStudios/cargo-deny-action@v2 | |
clippy: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up cargo cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Clippy | |
run: cargo clippy --release --all-targets --target=wasm32-wasip1 -- -D warnings | |
fmt: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Fmt | |
run: cargo fmt -- --check | |
test: | |
runs-on: ubuntu-latest | |
container: | |
image: antonengelhardt/rust-docker-tools | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up cargo cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Rust version | |
run: rustc --version && cargo --version | |
- name: Test | |
run: cargo test --workspace | |
build: | |
runs-on: ubuntu-latest | |
container: | |
image: ghcr.io/antonengelhardt/rust-docker-tools | |
needs: [cargo-deny, clippy, fmt, test] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up cargo cache | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Build wasm-oidc-plugin | |
run: | | |
cargo build --target wasm32-wasip1 --release | |
- name: Upload plugin as artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: plugin | |
path: target/wasm32-wasi/release/wasm_oidc_plugin.wasm | |
docker-image: | |
needs: [cargo-deny, clippy, fmt, test] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Login | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Pull previous image to cache | |
run: docker pull antonengelhardt/wasm-oidc-plugin:latest | |
- name: Push to Docker Hub | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
push: true | |
tags: antonengelhardt/wasm-oidc-plugin:latest | |
ghcr-image: | |
runs-on: ubuntu-latest | |
needs: [cargo-deny, clippy, fmt, test] | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Login | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push to GHCR | |
run: | | |
docker pull ghcr.io/antonengelhardt/wasm-oidc-plugin:latest # Pull the image to cache | |
docker build -t ghcr.io/antonengelhardt/wasm-oidc-plugin:latest . | |
docker push ghcr.io/antonengelhardt/wasm-oidc-plugin:latest | |
deploy-demo: | |
needs: ghcr-image | |
environment: demo | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions-hub/kubectl@master | |
env: | |
KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }} | |
with: | |
args: rollout restart deployment wasm-oidc-plugin -n wasm-oidc-plugin | |
# changelog-and-release: | |
# runs-on: ubuntu-latest | |
# permissions: | |
# contents: write | |
# steps: | |
# - name: Checkout code | |
# uses: actions/checkout@v4 | |
# with: | |
# ssh-key: ${{ secrets.RELEASE_DEPLOY_KEY }} | |
# - name: Exit if latest commit is release commit (to avoid infinite loop) | |
# run: | | |
# if git log -1 --pretty=%B | grep -q "chore(release): prepare for"; then | |
# echo "Latest commit is a release commit, exiting..." | |
# echo "EXIT=1" >> $GITHUB_ENV | |
# exit 0 | |
# fi | |
# - name: Get most recent merged PR and calculate the next tag | |
# if: env.EXIT != '1' | |
# id: get_pr | |
# run: | | |
# MOST_RECENTLY_MERGED_PR=$(curl -s -H 'Accept: application/vnd.github.v3+json' "https://api.github.com/repos/antonengelhardt/wasm-oidc-plugin/pulls?state=closed" | \ | |
# jq '[.[] | select(.merged_at != null)] | max_by(.merged_at)') | |
# PR_NUMBER=$(echo $MOST_RECENTLY_MERGED_PR | jq -r '.number') | |
# LABELS=$(curl -s -H 'Accept: application/vnd.github.v3+json' "https://api.github.com/repos/antonengelhardt/wasm-oidc-plugin/issues/$PR_NUMBER" | jq -r '.labels[].name') | |
# # Set SEMVER_BUMP based on the presence of labels | |
# if [[ $LABELS == *"major"* ]]; then | |
# SEMVER_BUMP="major" | |
# elif [[ $LABELS == *"minor"* ]]; then | |
# SEMVER_BUMP="minor" | |
# elif [[ $LABELS == *"bug"* ]]; then | |
# SEMVER_BUMP="patch" | |
# elif [[ $LABELS == *"patch"* ]]; then | |
# SEMVER_BUMP="patch" | |
# else | |
# SEMVER_BUMP="none" | |
# echo "EXIT=1" >> $GITHUB_ENV | |
# exit 0 # exit if no labels are found, which means no version bump is required | |
# fi | |
# # Output the SEMVER_BUMP value | |
# echo "SEMVER_BUMP is set to: $SEMVER_BUMP" | |
# # LATEST_TAG=$(git describe --tags --abbrev=0) | |
# LATEST_TAG=$(curl "https://api.github.com/repos/antonengelhardt/wasm-oidc-plugin/tags" | jq -r '.[0].name') | |
# # Function to bump version numbers | |
# bump_version() { | |
# local IFS=. | |
# local -a parts=($1) | |
# case "$2" in | |
# major) | |
# ((parts[0]++)) | |
# parts[1]=0 | |
# parts[2]=0 | |
# ;; | |
# minor) | |
# ((parts[1]++)) | |
# parts[2]=0 | |
# ;; | |
# patch) | |
# ((parts[2]++)) | |
# ;; | |
# *) | |
# echo "Error: Unknown version bump type '$2'" | |
# exit 1 | |
# ;; | |
# esac | |
# echo "${parts[0]}.${parts[1]}.${parts[2]}" | |
# } | |
# current_version=${LATEST_TAG:1} | |
# # Bump the version based on the SEMVER_BUMP | |
# new_version=$(bump_version "$current_version" "$SEMVER_BUMP") | |
# echo "VERSION=$new_version" >> $GITHUB_ENV | |
# # Append 'v' prefix if required to maintain the same version format | |
# NEW_TAG="v$new_version" | |
# echo "New tag after bump is: $NEW_TAG" | |
# echo "NEW_TAG=$NEW_TAG" >> $GITHUB_ENV | |
# - name: Bump Version on Cargo.toml | |
# if: env.EXIT != '1' | |
# run: sed -i "s/^version = \".*\"/version = \"${{ env.VERSION }}\"/" Cargo.toml | |
# - name: Git Cliff | |
# if: env.EXIT != '1' | |
# id: generate_changelog | |
# uses: orhun/git-cliff-action@v3 | |
# with: | |
# config: cliff.toml | |
# args: -l --prepend CHANGELOG.md --strip header | |
# env: | |
# GITHUB_REPO: ${{ github.repository }} | |
# - name: sed [unreleased] with new version in CHANGELOG.md | |
# if: env.EXIT != '1' | |
# run: sed -i "s/\[unreleased\]/${{ env.NEW_TAG }}/" CHANGELOG.md | |
# - name: sed [unreleased] with new version in RELEASE_NOTES.md | |
# if: env.EXIT != '1' | |
# run: | | |
# cat ${{ steps.generate_changelog.outputs.changelog }} > RELEASE_NOTES.md | |
# sed -i "s/\[unreleased\]/${{ env.NEW_TAG }}/" RELEASE_NOTES.md | |
# - name: Print Changelog | |
# if: env.EXIT != '1' | |
# run: cat ${{ steps.generate_changelog.outputs.changelog }} && echo "##" && cat CHANGELOG.md | |
# - name: Commit Version and CHANGELOG.md | |
# if: env.EXIT != '1' | |
# run: | | |
# git checkout origin/main | |
# git config user.name "github-actions[bot]" | |
# git config user.email "github-actions[bot]@users.noreply.github.com" | |
# set +e | |
# git add Cargo.toml CHANGELOG.md | |
# cargo check | |
# git add Cargo.lock | |
# git commit -m "chore(release): prepare for ${{ env.NEW_TAG }}" | |
# git push origin HEAD:main | |
# - name: Create a tag on main | |
# if: env.EXIT != '1' | |
# run: | | |
# git checkout origin/main | |
# git config user.email "github-actions[bot]@users.noreply.github.com" | |
# git config user.name "github-actions[bot]" | |
# git tag ${{ env.NEW_TAG }} | |
# git push origin ${{ env.NEW_TAG }} | |
# - name: Create Release | |
# uses: actions/create-release@v1 | |
# if: env.EXIT != '1' | |
# env: | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# with: | |
# tag_name: ${{ env.NEW_TAG }} | |
# release_name: ${{ env.NEW_TAG }} | |
# body_path: RELEASE_NOTES.md | |
# draft: false | |
# prerelease: false |