.github/workflows/gerrit-verify.yaml - onap/cps - Gitiles

 ---
 name: Call Gerrit Verify

 # yamllint disable-line rule:truthy
 on:
   workflow_dispatch:
     inputs:
       GERRIT_BRANCH:
         description: "Branch that change is against"
         required: true
         type: string
       GERRIT_CHANGE_ID:
         description: "The ID for the change"
         required: true
         type: string
       GERRIT_CHANGE_NUMBER:
         description: "The Gerrit number"
         required: true
         type: string
       GERRIT_CHANGE_URL:
         description: "URL to the change"
         required: true
         type: string
       GERRIT_EVENT_TYPE:
         description: "Type of Gerrit event"
         required: true
         type: string
       GERRIT_PATCHSET_NUMBER:
         description: "The patch number for the change"
         required: true
         type: string
       GERRIT_PATCHSET_REVISION:
         description: "The revision sha"
         required: true
         type: string
       GERRIT_PROJECT:
         description: "Project in Gerrit"
         required: true
         type: string
       GERRIT_REFSPEC:
         description: "Gerrit refspec of change"
         required: true
         type: string
     secrets:
       GERRIT_SSH_PRIVKEY:
         description: "SSH Key for the authorized user account"
         required: true

 concurrency:
   # yamllint disable-line rule:line-length
   group: gerrit-verify-${{ github.workflow }}-${{ github.event.inputs.GERRIT_BRANCH}}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
   cancel-in-progress: true

 jobs:
   prepare:
     runs-on: ubuntu-latest
     steps:
       - name: Clear votes
         # yamllint disable-line rule:line-length
         uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
         with:
           host: ${{ vars.GERRIT_SERVER }}
           username: ${{ vars.GERRIT_SSH_USER }}
           key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
           known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
           gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
           gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
           vote-type: clear
           comment-only: true
       - name: Allow replication
         run: sleep 10s

   actionlint:
     needs: prepare
     runs-on: ubuntu-latest
     steps:
       - name: Gerrit Checkout
         # yamllint disable-line rule:line-length
         uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
         with:
           gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
           gerrit-project: ${{ inputs.GERRIT_PROJECT }}
           gerrit-url: ${{ vars.GERRIT_URL }}
           delay: "0s"
       - name: Download actionlint
         id: get_actionlint
         # yamllint disable-line rule:line-length
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
         shell: bash
       - name: Check workflow files
         run: ${{ steps.get_actionlint.outputs.executable }} -color
         shell: bash

   # run pre-commit tox env separately to get use of more parallel processing
   pre-commit:
     needs: prepare
     runs-on: ubuntu-latest
     steps:
       - name: Gerrit Checkout
         # yamllint disable-line rule:line-length
         uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
         with:
           gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
           gerrit-project: ${{ inputs.GERRIT_PROJECT }}
           gerrit-url: ${{ vars.GERRIT_URL }}
           delay: "0s"
       # yamllint disable-line rule:line-length
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: "3.11"
       - name: Run static analysis and format checkers
         run: pipx run pre-commit run --all-files --show-diff-on-failure

   checkov-scan:
     needs: prepare
     runs-on: ubuntu-latest
     steps:
       - name: Gerrit Checkout
         # yamllint disable-line rule:line-length
         uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
         with:
           gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
           gerrit-project: ${{ inputs.GERRIT_PROJECT }}
           gerrit-url: ${{ vars.GERRIT_URL }}
           delay: "0s"
           submodules: "true"
       - name: Checkov GitHub Action
         uses: bridgecrewio/checkov-action@v12
         with:
           output_format: cli,sarif
           output_file_path: console,results.sarif

   vote:
     if: ${{ always() }}
     needs: [prepare, actionlint, pre-commit, checkov-scan]
     runs-on: ubuntu-latest
     steps:
       - name: Get conclusion
         uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
       - name: Set vote
         # yamllint disable-line rule:line-length
         uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
         with:
           host: ${{ vars.GERRIT_SERVER }}
           username: ${{ vars.GERRIT_SSH_USER }}
           key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
           known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
           gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
           gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
           vote-type: ${{ env.WORKFLOW_CONCLUSION }}
           comment-only: true
	---
	name: Call Gerrit Verify

	# yamllint disable-line rule:truthy
	on:
	workflow_dispatch:
	inputs:
	GERRIT_BRANCH:
	description: "Branch that change is against"
	required: true
	type: string
	GERRIT_CHANGE_ID:
	description: "The ID for the change"
	required: true
	type: string
	GERRIT_CHANGE_NUMBER:
	description: "The Gerrit number"
	required: true
	type: string
	GERRIT_CHANGE_URL:
	description: "URL to the change"
	required: true
	type: string
	GERRIT_EVENT_TYPE:
	description: "Type of Gerrit event"
	required: true
	type: string
	GERRIT_PATCHSET_NUMBER:
	description: "The patch number for the change"
	required: true
	type: string
	GERRIT_PATCHSET_REVISION:
	description: "The revision sha"
	required: true
	type: string
	GERRIT_PROJECT:
	description: "Project in Gerrit"
	required: true
	type: string
	GERRIT_REFSPEC:
	description: "Gerrit refspec of change"
	required: true
	type: string
	secrets:
	GERRIT_SSH_PRIVKEY:
	description: "SSH Key for the authorized user account"
	required: true

	concurrency:
	# yamllint disable-line rule:line-length
	group: gerrit-verify-${{ github.workflow }}-${{ github.event.inputs.GERRIT_BRANCH}}-${{ github.event.inputs.GERRIT_CHANGE_ID \|\| github.run_id }}
	cancel-in-progress: true

	jobs:
	prepare:
	runs-on: ubuntu-latest
	steps:
	- name: Clear votes
	# yamllint disable-line rule:line-length
	uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
	with:
	host: ${{ vars.GERRIT_SERVER }}
	username: ${{ vars.GERRIT_SSH_USER }}
	key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
	known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
	gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
	gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
	vote-type: clear
	comment-only: true
	- name: Allow replication
	run: sleep 10s

	actionlint:
	needs: prepare
	runs-on: ubuntu-latest
	steps:
	- name: Gerrit Checkout
	# yamllint disable-line rule:line-length
	uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
	with:
	gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
	gerrit-project: ${{ inputs.GERRIT_PROJECT }}
	gerrit-url: ${{ vars.GERRIT_URL }}
	delay: "0s"
	- name: Download actionlint
	id: get_actionlint
	# yamllint disable-line rule:line-length
	run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
	shell: bash
	- name: Check workflow files
	run: ${{ steps.get_actionlint.outputs.executable }} -color
	shell: bash

	# run pre-commit tox env separately to get use of more parallel processing
	pre-commit:
	needs: prepare
	runs-on: ubuntu-latest
	steps:
	- name: Gerrit Checkout
	# yamllint disable-line rule:line-length
	uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
	with:
	gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
	gerrit-project: ${{ inputs.GERRIT_PROJECT }}
	gerrit-url: ${{ vars.GERRIT_URL }}
	delay: "0s"
	# yamllint disable-line rule:line-length
	- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
	with:
	python-version: "3.11"
	- name: Run static analysis and format checkers
	run: pipx run pre-commit run --all-files --show-diff-on-failure

	checkov-scan:
	needs: prepare
	runs-on: ubuntu-latest
	steps:
	- name: Gerrit Checkout
	# yamllint disable-line rule:line-length
	uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
	with:
	gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
	gerrit-project: ${{ inputs.GERRIT_PROJECT }}
	gerrit-url: ${{ vars.GERRIT_URL }}
	delay: "0s"
	submodules: "true"
	- name: Checkov GitHub Action
	uses: bridgecrewio/checkov-action@v12
	with:
	output_format: cli,sarif
	output_file_path: console,results.sarif

	vote:
	if: ${{ always() }}
	needs: [prepare, actionlint, pre-commit, checkov-scan]
	runs-on: ubuntu-latest
	steps:
	- name: Get conclusion
	uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
	- name: Set vote
	# yamllint disable-line rule:line-length
	uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
	with:
	host: ${{ vars.GERRIT_SERVER }}
	username: ${{ vars.GERRIT_SSH_USER }}
	key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
	known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
	gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
	gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
	vote-type: ${{ env.WORKFLOW_CONCLUSION }}
	comment-only: true