Skip to content

Release v2.0.0: Run ASH as non-root user, add explicit CI stage #249

Release v2.0.0: Run ASH as non-root user, add explicit CI stage

Release v2.0.0: Run ASH as non-root user, add explicit CI stage #249

name: ASH - Core Pipeline
on:
push:
branches:
- '*'
tags:
- '*'
pull_request:
branches:
- '*'
permissions:
actions: read
checks: write
contents: write
id-token: write
security-events: write
pull-requests: write
env:
PYTHON_VERSION: "3.12"
jobs:
build:
strategy:
matrix:
runner:
# - macos-14 # Docker support on this runner is not working yet, still no options for ARM in hosted :-(
- ubuntu-latest
name: ASH Build & Scan - ${{ matrix.runner }}
runs-on: ${{ matrix.runner }}
env:
IMG_NAME: ${{ github.repository }}
ARCH: ${{ matrix.runner == 'ubuntu-latest' && 'amd64' || 'arm64' }}
SUMMARY_FILE: 'ASH Scan Result Summary - ${{ matrix.runner }}.md'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup docker
if: runner.os == 'macos'
run: |
brew install docker
docker info
- name: Set up Docker Buildx
if: runner.os == 'macos'
uses: docker/setup-buildx-action@v3
with:
platforms: "linux/${{ env.ARCH }}"
# - name: Set container metadata
# id: metadata
# uses: docker/metadata-action@v5
# with:
# images: ${{ env.IMG_NAME }}
# tags: |
# type=raw,value=latest
# type=raw,value=${{ env.ARCH }}
# type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
# - name: Build image
# uses: docker/build-push-action@v5
# with:
# context: '.'
# push: false
# tags: ${{ steps.metadata.outputs.tags }}
# labels: ${{ steps.metadata.outputs.labels }}
- name: Run ASH against itself
id: ash
run: |-
# Disable exit on error
set +e
# Run ASH against itself
./ash --source-dir $(pwd) --output-dir ash_output --container-uid 1001 --container-gid 123 --debug | \
tee ash_stdout.txt
# cat the output contents to build the summary markdown
# strip out the color codes from the output
ASH_STDOUT=$(cat ash_stdout.txt | sed 's/\x1b\[[0-9;]*[mGKHF]//g')
ASH_AGG_RESULTS=$(cat ash_output/aggregated_results.txt | sed 's/\x1b\[[0-9;]*[mGKHF]//g')
# Write the summary markdown to a file
cat << EOF | tee "${{ env.SUMMARY_FILE }}" | tee -a "${GITHUB_STEP_SUMMARY}"
## ASH Scan Output - ${{ env.ARCH }} - ${{ matrix.runner }}
\`\`\`bash
$ cat ash_stdout.txt
${ASH_STDOUT}
\`\`\`
<details>
<summary>Show aggregated_results.txt</summary>
\`\`\`bash
${ASH_AGG_RESULTS}
\`\`\`
</details>
EOF
# Write the summary markdown to the GITHUB_OUTPUT
{
echo 'ASH_OUTPUT<<EOF'
cat "${{ env.SUMMARY_FILE }}"
echo EOF
} >> "$GITHUB_OUTPUT"
# Exit with the highest return code from ASH
set -e
typeset -i ASH_EXIT_CODE
# ASH_EXIT_CODE=`sed -nE "s/.*Highest return code is ([0-9]+)/\1/p" ash_stdout.txt`
ASH_EXIT_CODE=`perl -ne 'print "$1\n" if /Highest return code is ([[:digit:]]+)/' ash_stdout.txt`
echo "Highest return code found is '$ASH_EXIT_CODE'"
if [ $ASH_EXIT_CODE -eq 0 ]; then
echo "ASH scan succeeded"
exit 0
else
echo "ASH scan failed"
exit $ASH_EXIT_CODE
fi
- name: Post ASH output as PR comment
uses: mshick/add-pr-comment@v2
# This does not work for fork runs without setting up a proxy
# Info: https://github.com/mshick/add-pr-comment#proxy-for-fork-based-prshttps://github.com/mshick/add-pr-comment#proxy-for-fork-based-prs
if: github.repository_owner == 'awslabs'
continue-on-error: true
with:
message: |
${{ steps.ash.outputs.ASH_OUTPUT }}
- name: Collect summary
uses: actions/upload-artifact@v4
if: always()
continue-on-error: true
with:
name: Summary
path: "${{ env.SUMMARY_FILE }}"
- name: Collect ash_stdout
uses: actions/upload-artifact@v4
if: always()
continue-on-error: true
with:
name: ash_stdout
path: ash_stdout.txt
if-no-files-found: error
- name: Collect ash_output artifact
uses: actions/upload-artifact@v4
if: always()
continue-on-error: false
with:
name: ash_output
path: ash_output
if-no-files-found: error
build-docs:
name: Build documentation
needs: []
runs-on: ubuntu-latest
if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: pip install -r requirements.txt
- name: Build documentation
run: mkdocs build --clean
deploy-docs:
name: Deploy documentation
needs: []
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: pip install -r requirements.txt
- name: Deploy documentation
run: mkdocs gh-deploy --clean --force