-
Notifications
You must be signed in to change notification settings - Fork 0
170 lines (152 loc) · 6.72 KB
/
Copy pathci.yml
File metadata and controls
170 lines (152 loc) · 6.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
name: CI Validation
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
security-events: write
env:
IMAGE_NAME: ghcr.io/devrail-dev/dev-toolchain
IMAGE_TAG: local
jobs:
build-and-validate:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Phase 1: Build the image
- name: Build container image
run: docker build -t ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} .
# Phase 2: Self-validate with make check
- name: Run make check (shellcheck + shfmt)
run: |
docker run --rm \
-v "$(pwd):/workspace" \
-w /workspace \
${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
make _check
# Phase 2b: Validate tool version manifest
- name: Validate tool version manifest
run: |
docker run --rm \
${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
bash /opt/devrail/scripts/report-tool-versions.sh \
| jq .
# Phase 2c: Rails 7+ consumer smoke test (issue #25)
# Verifies the image is consumable by modern Rails projects:
# - Gemfile with `platforms: %i[mri windows]` parses (needs Bundler 2.6+).
# - make _lint scopes to RUBY_PATHS — vendor/bundle/ is not scanned.
- name: Rails 7+ smoke test
run: bash tests/smoke-rails.sh
env:
DEVRAIL_IMAGE: ${{ env.IMAGE_NAME }}
DEVRAIL_TAG: ${{ env.IMAGE_TAG }}
# Phase 2d: Plugin loader smoke test (Story 13.2)
# Verifies the v1 plugin manifest validator + loader prelude:
# - validator unit cases (valid + 4 negative fixtures)
# - integration: no plugins / valid plugin / invalid plugin
- name: Plugin loader smoke test
run: bash tests/test-plugin-loader.sh
env:
DEVRAIL_IMAGE: ${{ env.IMAGE_NAME }}
DEVRAIL_TAG: ${{ env.IMAGE_TAG }}
# Phase 2e: Plugin resolver + lockfile smoke test (Story 13.3)
# Drives `make plugins-update` against a local-filesystem git fixture
# (no network) covering: SHA passthrough, tag→SHA, branch rejection,
# lockfile determinism, idempotent fetch, lockfile mismatch, tampering
# detection, missing lockfile, no-plugins regression, unreachable
# source, atomic-lockfile-on-failure.
- name: Plugin resolver smoke test
run: bash tests/test-plugin-resolver.sh
env:
DEVRAIL_IMAGE: ${{ env.IMAGE_NAME }}
DEVRAIL_TAG: ${{ env.IMAGE_TAG }}
# Phase 2f: Plugin build-pipeline smoke test (Story 13.4a)
# Generator unit + host cache mount validation. Story 13.4b will extend
# this with full docker-build pipeline cases.
- name: Plugin build-pipeline smoke test
run: bash tests/test-plugin-build-pipeline.sh
env:
DEVRAIL_IMAGE: ${{ env.IMAGE_NAME }}
DEVRAIL_TAG: ${{ env.IMAGE_TAG }}
# Phase 2g: Plugin execution smoke test (Story 13.5)
# Drives lib/plugin-execute.sh against hand-crafted loader-cache
# fixtures: dispatcher no-op, pass / fail, gate skip / run, paths
# interpolation, per-language override, DEVRAIL_FAIL_FAST short-circuit,
# partial targets, and JSON-shape regression.
- name: Plugin execution smoke test
run: bash tests/test-plugin-execution.sh
env:
DEVRAIL_IMAGE: ${{ env.IMAGE_NAME }}
DEVRAIL_TAG: ${{ env.IMAGE_TAG }}
# Phase 2h: Kotlin reference plugin extraction smoke test (Story 13.7)
# Validates the kotlin reference plugin's manifest against the
# validator, resolves it via file:// URL from the vendored fixture,
# loads it into the plugin cache, and asserts target/gate parity
# with the in-core HAS_KOTLIN behaviour. Does NOT exercise the full
# docker-build of devrail-local:<hash> with real ktlint/detekt/gradle
# downloads — that's a maintainer-run manual check (see fixture
# README).
- name: Kotlin plugin extraction smoke test
run: bash tests/test-kotlin-plugin-extraction.sh
env:
DEVRAIL_IMAGE: ${{ env.IMAGE_NAME }}
DEVRAIL_TAG: ${{ env.IMAGE_TAG }}
# Phase 3: Security scans
# Blocking scan: OS packages only. We control the base image and can act on
# these. ignore-unfixed skips CVEs with no Debian patch available yet.
- name: Run trivy OS package scan (blocking)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
severity: CRITICAL,HIGH
ignore-unfixed: 'true'
vuln-type: os
exit-code: 1
format: table
# Advisory scan: full image (OS + Go binaries + Python packages). Results
# are uploaded to the GitHub Security tab for visibility. Not blocking
# because Go binary CVEs depend on upstream tool releases we don't control.
- name: Run trivy full scan (SARIF, advisory)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
if: always()
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
severity: CRITICAL,HIGH
ignore-unfixed: 'true'
exit-code: 0
format: sarif
output: trivy-results.sarif
- name: Upload SARIF results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy-results.sarif
- name: Run gitleaks scan
run: |
docker run --rm \
-v "$(pwd):/workspace" \
-w /workspace \
${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
gitleaks detect --source /workspace --verbose
# Image signing placeholder — actual signing should be added to build.yml
# when images are published to GHCR. CI builds are local-only and not pushed,
# so signing here has no effect. This job serves as documentation of the
# intended cosign verification workflow.
sign-image:
needs: [build-and-validate]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Note on image signing
run: |
echo "Image signing is performed during the build workflow (build.yml)"
echo "when images are published to GHCR. CI only builds locally."
echo ""
echo "Consumers can verify published images with:"
echo " cosign verify \\"
echo " --certificate-oidc-issuer https://token.actions.githubusercontent.com \\"
echo " --certificate-identity-regexp 'github.com/devrail-dev/dev-toolchain' \\"
echo " ghcr.io/devrail-dev/dev-toolchain:v1"