Skip to content

Bump zgosalvez/github-actions-ensure-sha-pinned-actions from 3.0.17 to 3.0.20 #1926

Bump zgosalvez/github-actions-ensure-sha-pinned-actions from 3.0.17 to 3.0.20

Bump zgosalvez/github-actions-ensure-sha-pinned-actions from 3.0.17 to 3.0.20 #1926

Workflow file for this run

name: CI
on:
push:
branches:
- develop
pull_request:
branches:
- develop
types:
- opened
- reopened
- synchronize
- labeled
workflow_dispatch:
env:
CHART_DIR: "charts/activiti-cloud-full-example"
jobs:
pre-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check dependabot build
uses: Activiti/Activiti/.github/actions/check-ext-build@7700f0283a9ff5181581a350d2520e55c61c1c60 # 8.6.0
- name: Setup Helm Docs
uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
with:
version: 1.13.1
- name: Run Checkov
uses: bridgecrewio/checkov-action@e1bb78184f5dd3690fb1089d6c4f51295f9dff48 # v12.1839.0
with:
framework: kubernetes
- name: pre-commit
uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
with:
skip_checkout: true
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@c3a2b64f69b7a1542a68f44d9edbd9ec3fc1455e # v3.0.20
build:
runs-on: ubuntu-latest
needs: pre-checks
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Build
uses: Alfresco/alfresco-build-tools/.github/actions/helm-build-chart@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
with:
chart-dir: ${{ env.CHART_DIR }}
- uses: Alfresco/alfresco-build-tools/.github/actions/resolve-preview-name@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
id: resolve-preview
- name: Setup Cluster
uses: Alfresco/alfresco-build-tools/.github/actions/setup-kind@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
- name: Compute Keycloak Client Secret
id: compute-keycloak-secret
shell: bash
run: echo "result=$(uuidgen)" >> $GITHUB_OUTPUT
- name: Execute helm upgrade dry-run
env:
CHART_DIR: ${{ env.CHART_DIR }}
NAMESPACE: ${{ steps.resolve-preview.outputs.preview-name }}
DOMAIN: "example"
KEYCLOAK_SECRET: ${{ steps.compute-keycloak-secret.outputs.result }}
shell: bash
run: |
NAMESPACE_LOWERCASE=$(echo ${NAMESPACE} | tr "[:upper:]" "[:lower:]")
helm upgrade $NAMESPACE_LOWERCASE $CHART_DIR \
--install \
--set global.gateway.domain=$DOMAIN \
--set global.keycloak.clientSecret=$KEYCLOAK_SECRET \
--namespace $NAMESPACE_LOWERCASE \
--wait \
--dry-run
parse-next-release:
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'push'
outputs:
next-release: ${{ steps.parse-next-release.outputs.next-release }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Parse next release
id: parse-next-release
uses: Alfresco/alfresco-build-tools/.github/actions/helm-parse-next-release@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
with:
chart-dir: ${{ env.CHART_DIR }}
publish:
needs: parse-next-release
if: github.event_name == 'push'
uses: Alfresco/alfresco-build-tools/.github/workflows/helm-publish-new-package-version.yml@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
with:
next-version: ${{ needs.parse-next-release.outputs.next-release }}
chart-dir: charts/activiti-cloud-full-example
helm-charts-repo: Activiti/activiti-cloud-helm-charts
helm-charts-repo-branch: gh-pages
secrets: inherit
promote:
if: github.event_name == 'push'
needs:
- publish
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.publish.outputs.version }}
DEVELOPMENT_BRANCH: ${{ github.ref_name }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: echo ACTIVITI_CLOUD_APPLICATION_VERSION=`yq .runtime-bundle.image.tag charts/activiti-cloud-full-example/values.yaml` >> $GITHUB_ENV
- uses: Alfresco/alfresco-build-tools/.github/actions/jx-updatebot-pr@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
env:
GH_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
with:
version: ${{ env.VERSION }}
auto-merge: 'true'
labels: 'be-propagation,${{ env.DEVELOPMENT_BRANCH }}'
base-branch-name: ${{ env.DEVELOPMENT_BRANCH }}
git-username: ${{ secrets.BOT_GITHUB_USERNAME }}
git-token: ${{ secrets.BOT_GITHUB_TOKEN }}
git-author-name: ${{ secrets.BOT_GITHUB_USERNAME }}
notify:
runs-on: ubuntu-latest
needs:
- build
- publish
- promote
if: always() && failure() && github.event_name == 'push'
steps:
- name: Teams Notification
uses: Alfresco/alfresco-build-tools/.github/actions/send-teams-notification@1713976b6d7dc48dfe74f441c9bf1ae9481cbb45 # v8.6.1
with:
webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK }}