twistlock 0.0.0-development

Docker <> Rust interface
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Build

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

permissions:
  contents: read
  checks: write
  pull-requests: write
  issues: write
  packages: write

env:
  CARGO_TERM_COLOR: always
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  APPLICATION_NAME: twistlock
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

concurrency:
  # each new commit to a PR runs this workflow
  # so we need to avoid a long running older one from overwriting the "pr-<number>-latest"
  group: "${{ github.workflow }} @ ${{ github.ref_name }}"
  cancel-in-progress: true

jobs:
  changes:
    name: Detect changes
    runs-on: ubuntu-latest
    outputs:
      code: ${{ steps.filter.outputs.code }}
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      - name: Check if we actually made changes
        uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # tag=v2.11.1
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: .github/file-filters.yml

  calculate-version:
    name: Calculate version
    runs-on: ubuntu-latest
    needs:
      - changes
    outputs:
      version: ${{ steps.version.outputs.nextversion }}
    if: |
      github.event_name == 'pull_request' &&
      fromJSON(needs.changes.outputs.code) == true
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0

      - name: Cache dependencies
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          CACHE_NAME: cargo-cache-dependencies
        with:
          path: |
            ~/.cargo
            ./target
          key: ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-cocogitto
          restore-keys: |
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-

      - name: Set up toolchain
        shell: bash
        run: |
          rm ${HOME}/.cargo/bin/rustfmt
          rm ${HOME}/.cargo/bin/cargo-fmt
          rustup update

          cargo --version

      - name: Get binstall
        shell: bash
        run: |
          cd /tmp
          archive="cargo-binstall-x86_64-unknown-linux-musl.tgz"
          wget "https://github.com/cargo-bins/cargo-binstall/releases/latest/download/${archive}"

          tar -xvf "./${archive}"

          rm "./${archive}"

          mv ./cargo-binstall ~/.cargo/bin/

      - name: Install cocogitto to get the next version number
        shell: bash
        run: |
          cargo binstall --no-confirm cocogitto --target x86_64-unknown-linux-musl --pkg-url "{ repo }/releases/download/{ version }/{ name }-{ version }-{ target }.tar.gz" --bin-dir "{ bin }" --pkg-fmt tgz

      - name: Calculate next version
        id: version
        shell: bash
        run: |
          VERSION="$(cog bump --auto --dry-run || true)"

          if [[ -z $VERSION ]]; then
              VERSION="$(git tag --points-at "$(git rev-list --tags --max-count=1)" | sort --reverse | head --lines 1)"

              echo "No version generated, defaulting to latest git tag: ${VERSION}"
          else
              echo "New version: ${VERSION}"
          fi

          # remove v
          VERSION="${VERSION//v/}"

          # store
          echo "nextversion=${VERSION}" >> ${GITHUB_OUTPUT}

  cargo-build:
    name: Cargo build
    runs-on: ubuntu-latest
    needs:
      - changes
    if: |
      github.event_name == 'pull_request' &&
      fromJSON(needs.changes.outputs.code) == true
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      - name: Cache dependencies
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          CACHE_NAME: cargo-cache-dependencies
        with:
          path: |
            ~/.cargo
            ./target
          key: ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-build
          restore-keys: |
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-

      - name: Set up toolchain
        shell: bash
        run: |
          rm ${HOME}/.cargo/bin/rustfmt
          rm ${HOME}/.cargo/bin/cargo-fmt
          rustup update

          cargo --version

      - name: Build
        shell: bash
        run: |
          cargo build --all-targets --workspace --verbose

  cargo-fmt:
    name: Cargo fmt
    runs-on: ubuntu-latest
    needs:
      - changes
    if: |
      github.event_name == 'pull_request' &&
      fromJSON(needs.changes.outputs.code) == true
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      - name: Cache dependencies
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          CACHE_NAME: cargo-cache-dependencies
        with:
          path: |
            ~/.cargo
            ./target
          key: ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-fmt
          restore-keys: |
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-

      - name: Set up toolchain
        shell: bash
        run: |
          rm ${HOME}/.cargo/bin/rustfmt
          rm ${HOME}/.cargo/bin/cargo-fmt
          rustup update

          cargo --version

      - name: Check formatting
        shell: bash
        run: |
          cargo fmt --all -- --check --verbose

  cargo-test-and-report:
    name: Cargo test (and report)
    runs-on: ubuntu-latest
    needs:
      - changes
    if: fromJSON(needs.changes.outputs.code) == true
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      - name: Cache dependencies
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          CACHE_NAME: cargo-cache-dependencies
        with:
          path: |
            ~/.cargo
            ./target
          key: ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-test
          restore-keys: |
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-

      - name: Set up toolchain
        shell: bash
        run: |
          rm ${HOME}/.cargo/bin/rustfmt
          rm ${HOME}/.cargo/bin/cargo-fmt
          rustup update

          cargo --version

      - name: Install llvm-tools-preview
        shell: bash
        run: |
          rustup component add llvm-tools-preview

      - name: Get binstall
        shell: bash
        run: |
          archive="cargo-binstall-x86_64-unknown-linux-musl.tgz"
          wget "https://github.com/ryankurte/cargo-binstall/releases/latest/download/${archive}"

          tar -xvf "./${archive}"

          rm "./${archive}"

          mv ./cargo-binstall ~/.cargo/bin/

      - name: Install nextest, custom test runner, with native support for junit
        shell: bash
        run: |
          cargo binstall --no-confirm cargo-nextest;

      - name: Install grcov
        shell: bash
        run: |
          cargo binstall --no-confirm grcov --pkg-url "{ repo }/releases/download/v{ version }/{ name }-{ target }.tar.bz2" --pkg-fmt tbz2 --bin-dir "{ bin }";

      - name: Build with instrumentation support
        shell: bash
        env:
          RUSTFLAGS: "-C instrument-coverage"
        run: |
          cargo build --all-targets --workspace --verbose

      - name: Run nextest
        shell: bash
        id: tests
        env:
          RUSTFLAGS: "-C instrument-coverage"
          LLVM_PROFILE_FILE: "profiling/profile-%p-%m.profraw"
        run: |
          cargo nextest run --profile ci --no-fail-fast --all-targets --workspace
        continue-on-error: true

      - name: Upload test results
        uses: EnricoMi/publish-unit-test-result-action@4e7013f9576bd22ffdae979dc6e68cb9ec2aeece # v2.7.0
        with:
          check_name: Test results
          github_token: ${{ secrets.GITHUB_TOKEN }}
          junit_files: reports/results.xml

      - name: Run grcov
        shell: bash
        run: |
          grcov $(find profiling -name "profile-*.profraw" -print) --source-dir . --binary-path ./target/debug/ --output-type lcov --branch --ignore-not-existing --llvm --keep-only "src/**" --keep-only "tests/**" --output-path ./reports/lcov.info

      - name: Upload to CodeCov
        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          directory: reports
          fail_ci_if_error: true

      - name: Fail if tests failed
        shell: bash
        if: steps.tests.outcome != 'success'
        run: |
          # the test reporter we use (or any for that matter)
          # all show a report. But we cannot depend on that report because
          # we don't know which subsection it belongs in GitHub
          # so we explicitly fail this one
          # which will fail All Done
          exit 1;

  cargo-clippy-and-report:
    name: Cargo clippy (and report)
    runs-on: ubuntu-latest
    needs:
      - changes
    if: |
      github.event_name == 'pull_request' &&
      fromJSON(needs.changes.outputs.code) == true
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      - name: Cache dependencies
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        env:
          CACHE_NAME: cargo-cache-dependencies
        with:
          path: |
            ~/.cargo
            ./target
          key: ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-clippy
          restore-keys: |
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-${{ hashFiles('Cargo.lock') }}-
            ${{ runner.os }}-build-${{ env.CACHE_NAME }}-

      - name: Set up toolchain
        shell: bash
        run: |
          rm ${HOME}/.cargo/bin/rustfmt
          rm ${HOME}/.cargo/bin/cargo-fmt
          rustup update

          cargo --version

      - name: Run Clippy for GitHub Actions report
        uses: actions-rs-plus/clippy-check@9035ac35de400d5b7d37b4ce176ebd153e424d29 # v2
        with:
          args: --workspace --all-targets --all-features -- --deny clippy::all --deny clippy::pedantic --deny clippy::cargo

  all-done:
    name: All done
    # this is the job that should be marked as required on GitHub. It's the only one that'll reliably trigger
    # when any upstream fails: success
    # when all upstream skips: pass
    # when all upstream success: success
    # combination of upstream skip and success: success
    runs-on: ubuntu-latest
    needs:
      - calculate-version
      - cargo-build
      - cargo-fmt
      - cargo-clippy-and-report
      - cargo-test-and-report
    if: always()
    steps:
      - name: Fail!
        shell: bash
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: |
          echo "One / more upstream failed or was cancelled. Failing job..."

          exit 1

      - name: Success!
        shell: bash
        run: |
          echo "Great success!"