Firebladee · Firebladee · May 25, 2021 · May 25, 2021 · May 25, 2021 · May 25, 2021
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,96 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  schedule:
+    - cron: '16 14 * * *'
+  push:
+    branches: [ "master" ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches: [ "master" ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+        with:
+          cosign-release: 'v1.11.0'
+
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
@@ -0,0 +1,99 @@
+---
+name: Pull
+
+on: # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+    tags:
+      - v*.*.*
+  pull_request:
+    branches:
+      - master
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: fireblade/libvirt
+
+jobs:
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install yamllint
+        run: pip install yamllint
+      - name: Lint yaml files
+        run: yamllint .
+
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Build and scan image
+        uses: ISID/build-and-scan-image@main
+        with:
+          tag: "libvirt"
+          path: "."
+          dockle-severity: FATAL
+          trivy-severity: CRITICAL
+
+  Rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # If running on a self-hosted runner, check it meets the requirements
+      # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
+        with:
+          ruby-version: 3.0
+
+    # This step is not necessary if you add the gem to your Gemfile
+      - name: Install Code Scanning integration
+        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Rubocop run
+        run: |
+          bash -c "
+            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+            [[ $? -ne 2 ]]
+          "
+
+      - name: Upload Sarif output
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: rubocop.sarif
+
+  rspec:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.1.3
+          bundler-cache: true
+      - run: bundle exec rspec
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run Shellcheck
+        uses: ludeeus/action-shellcheck@master
+
+#  build-test:
+
+#  testinfra:
+
+#  docker-build:
diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -1,2 +1,3 @@
+---
 trustedRegistries:
   - docker.io
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
diff --git a/concourse.yaml b/concourse.yaml
@@ -1,4 +1,5 @@
 ---
+# yamllint disable rule:line-length
 groups:
   - name: master
     jobs:
@@ -45,6 +46,7 @@ resources:
       password: ((nexus_password))
       insecure_registries:
         - http://((nexus_ip)):((nexus_docker_port))
+        - http://((nexus_ip)):((nexus_docker_group_port))
 
   - name: docker-build
     type: docker-image
@@ -55,6 +57,7 @@ resources:
       password: ((nexus_password))
       insecure_registries:
         - http://((nexus_ip)):((nexus_docker_port))
+        - http://((nexus_ip)):((nexus_docker_group_port))
 
   - name: docker-hub
     type: docker-image
@@ -154,7 +157,7 @@ jobs:
                 start_docker
                 cd resource-git
                 # rake
-        
+
   - name: shellcheck
     public: true
     plan:
@@ -183,36 +186,11 @@ jobs:
         passed:
           - hadolint
         trigger: true
-      #- put: docker-temp
-      #  params:
-      #    build: resource-git
-      #    build_args:
-      #      from: ((nexus_ip)):((nexus_docker_group_port))/centos:7
-
-      - task: docker-temp-build
-        privileged: true
-        config:
-          platform: linux
-          image_resource:
-            type: docker-image
-            source:
-              repository: ((nexus_ip)):((nexus_docker_group_port))/amidos/dcind
-              insecure_registries:
-                - http://((nexus_ip)):((nexus_docker_group_port))
-          inputs:
-            - name: resource-git
-          run:
-            path: sh
-            args:
-              - -exc
-              - |
-                source /docker-lib.sh
-                start_docker ((nexus_ip)):((nexus_docker_port))
-
-                cd resource-git
-                docker build --build-arg from="((nexus_ip)):((nexus_docker_group_port))/library/centos:7" -t ((nexus_ip)):((nexus_docker_port))/testing .
-                docker push ((nexus_ip)):((nexus_docker_port))/testing
-                exit
+      - put: docker-temp
+        params:
+          build: resource-git
+          build_args:
+            from: ((nexus_ip)):((nexus_docker_group_port))/library/centos:7
 
   - name: testinfra
     public: true
@@ -249,11 +227,15 @@ jobs:
       - put: docker-build
         params:
           build: resource-git
+          build_args:
+            from: ((nexus_ip)):((nexus_docker_group_port))/library/centos:7
           tag_file: version/version
           tag_as_latest: true
       - put: docker-hub
         params:
           build: resource-git
+          build_args:
+            from: ((nexus_ip)):((nexus_docker_group_port))/library/centos:7
           tag_file: version/version
           tag_as_latest: true
       - put: version
@@ -345,7 +327,9 @@ jobs:
         trigger: true
       - put: docker-temp
         params:
-          build: resource-git-dev/
+          build: resource-git-dev
+          build_args:
+            from: ((nexus_ip)):((nexus_docker_group_port))/library/centos:7
 
   - name: testinfra-dev
     public: true