refactor: extract, document, and test pure work selection and payload builders #1138
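---
name: Pre-Commit

on:
  merge_group:
  pull_request:
    branches:
      - main
      - feat/more-attack-cov
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - main
  schedule:
    # Run once a week (see https://crontab.guru)
    - cron: "0 0 * * 0"
  workflow_dispatch:

# One run per ref: a newer push to the same PR/branch cancels the run in flight.
concurrency:
  cancel-in-progress: true
  group: pre-commit-${{ github.workflow }}-${{ github.ref }}

env:
  GO_VERSION: "1.26.1"
  PYTHON_VERSION: "3.13.5"
  # ansible-lint v26 requires Python 3.14 for its pre-commit virtualenv
  PYTHON_VERSION_ANSIBLE_LINT: "3.14.3"
  # Enables Task's remote-Taskfiles experiment: remote includes are fetched at
  # run time, so the Taskfile should pin them to an immutable revision.
  # NOTE(review): confirm the Taskfile's remote includes are pinned.
  TASK_X_REMOTE_TASKFILES: "1"
  # Quoted like the other versions so no tool re-types it as a number.
  TASK_VERSION: "3.49.1"

# Workflow-wide GITHUB_TOKEN scopes; a job may narrow them with its own
# `permissions` block (the autocommit job below does).
permissions:
  actions: read
  checks: write
  contents: read
  pull-requests: write # Allows merge queue updates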
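jobs:
  pre-commit:
    name: Pre-commit
    runs-on: ubuntu-latest
    outputs:
      # "true" only when pre-commit failed AND left tracked-file modifications
      # behind (see the capture step); consumed by the autocommit job.
      has-fixes: ${{ steps.capture.outputs.has-fixes }}
    steps:
      - name: Checkout git repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Pin the exact commit the event reported instead of the branch name:
          # the autofix patch captured below is applied to this same commit by
          # the autocommit job, and a fork's branch name does not exist in this
          # repository. Non-PR events (push, merge_group, schedule, dispatch)
          # fall back to the event ref.
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          persist-credentials: false
      - name: Set up Python ${{ env.PYTHON_VERSION_ANSIBLE_LINT }} (for ansible-lint pre-commit hook)
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION_ANSIBLE_LINT }}
      # Set up after the ansible-lint interpreter so this one is presumably the
      # `python3` found first on PATH for the remaining steps.
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
          cache-dependency-path: '.hooks/requirements.txt'
      - name: Install dependencies
        run: python3 -m pip install -r .hooks/requirements.txt
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install go module dependencies
        # TODO(review): `@latest` is not pinned, unlike the actions and
        # toolchains above; pin shfmt to a tagged release so the hook
        # toolchain is reproducible.
        run: |
          go install mvdan.cc/sh/v3/cmd/shfmt@latest
      - name: Cache Ansible collections
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.ansible/collections
          key: ${{ runner.os }}-ansible-collections-${{ hashFiles('ansible/requirements.yml') }}
      - name: Install Ansible collections
        env:
          ANSIBLE_GALAXY_SERVER_TIMEOUT: "120"
        # Galaxy is flaky: retry up to five times with a growing back-off
        # (10s, 20s, ... 50s) and only fail once every attempt has failed.
        run: |
          for i in 1 2 3 4 5; do
            ansible-galaxy collection install -r ansible/requirements.yml --force --no-deps --timeout 120 && exit 0
            echo "Attempt $i/5 failed, retrying in $((i * 10))s..."
            sleep $((i * 10))
          done
          echo "All attempts failed"
          exit 1
      - name: Build and install local collection
        working-directory: ansible
        run: |
          ansible-galaxy collection build --force
          ansible-galaxy collection install dreadnode-nimbus_range-*.tar.gz -p ~/.ansible/collections --force --pre
      - name: Setup go-task
        env:
          TASK_VER: ${{ env.TASK_VERSION }}
          # NOTE(review): GH_TOKEN is not referenced by the commands below;
          # confirm install-task.sh reads it, otherwise drop it from this step.
          GH_TOKEN: ${{ github.token }}
        run: |
          # Download install script pinned to the specific version tag (not floating main).
          # A tag is still a mutable reference; verifying a checksum of the
          # downloaded script or binary would close that gap.
          curl --location --fail --silent \
            "https://raw.githubusercontent.com/go-task/task/v${TASK_VER}/install-task.sh" \
            -o /tmp/install-task.sh
          sh /tmp/install-task.sh -d -b /usr/local/bin "v${TASK_VER}"
          rm -f /tmp/install-task.sh
          task --version
      - name: Run pre-commit
        id: precommit
        # `-y` answers every Task prompt with yes, including the trust prompt
        # for remote Taskfiles (TASK_X_REMOTE_TASKFILES above); the remote
        # includes must therefore be pinned in the Taskfile itself.
        run: task -y run-pre-commit
      - name: Capture autofix patch
        id: capture
        # Only when the pre-commit step itself failed (autofixing hooks exit
        # non-zero after rewriting files), not when an earlier setup step did.
        if: ${{ failure() && steps.precommit.outcome == 'failure' }}
        run: |
          if git diff --quiet HEAD; then
            echo "pre-commit failed without modifying tracked files; no autofix possible"
            echo "has-fixes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Tracked-file changes only (untracked files are not part of the patch).
          git diff --binary HEAD > autofix.patch
          echo "has-fixes=true" >> "$GITHUB_OUTPUT"
      - name: Upload autofix patch
        if: ${{ steps.capture.outputs.has-fixes == 'true' }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: autofix-patch
          path: autofix.patch
          retention-days: 1
          if-no-files-found: error

  autocommit:
    name: Apply pre-commit autofixes to bot PR
    needs: pre-commit
    # Only push fixes to same-repo PRs opened by the Renovate bot. The commit
    # is pushed with an app token, so this gate together with the protected
    # environment below bounds who can get code pushed under the bot identity.
    if: >-
      failure() &&
      needs.pre-commit.outputs.has-fixes == 'true' &&
      github.event_name == 'pull_request' &&
      github.event.pull_request.user.login == 'dreadnode-renovate-bot[bot]' &&
      !github.event.pull_request.head.repo.fork
    runs-on: ubuntu-latest
    environment: pre-commit-autofix
    permissions:
      contents: read # the push uses the app token, not GITHUB_TOKEN
    steps:
      - name: Generate app token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        id: app-token
        with:
          app-id: "${{ secrets.BOT_APP_ID }}"
          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
      - name: Checkout PR head
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Check out the exact commit the patch was generated against. If the
          # branch has moved since, the non-forced push below is rejected rather
          # than the patch being applied to code pre-commit never ran on.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: Download autofix patch
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: autofix-patch
      - name: Apply patch and push
        env:
          # Branch name and token reach the script only through the
          # environment, never via ${{ }} interpolation inside `run`, so a
          # crafted branch name cannot inject shell.
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          APP_TOKEN: ${{ steps.app-token.outputs.token }}
          GIT_AUTHOR_NAME: "${{ secrets.BOT_USERNAME }}[bot]"
          GIT_AUTHOR_EMAIL: "${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com"
          GIT_COMMITTER_NAME: "${{ secrets.BOT_USERNAME }}[bot]"
          GIT_COMMITTER_EMAIL: "${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com"
        run: |
          git apply --index autofix.patch
          git commit -m "chore: apply pre-commit autofixes"
          # Credential is passed per-command via an extra header; nothing is
          # written to .git/config (checkout ran with persist-credentials: false).
          AUTH_HEADER="AUTHORIZATION: basic $(printf 'x-access-token:%s' "${APP_TOKEN}" | base64 -w0)"
          # Fully-qualified destination: HEAD is detached at head.sha, so git
          # cannot infer refs/heads/ from the source side of the refspec.
          git -c http.https://github.com/.extraheader="${AUTH_HEADER}" \
            push "https://github.com/${GITHUB_REPOSITORY}.git" "HEAD:refs/heads/${HEAD_REF}"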