ci.yml

name: CI

# About steps requiring the GITGUARDIAN_API_KEY:
#
# For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This
# causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered
# by a pull request from a fork.

on:
  pull_request:
  push:
    branches:
      - '*'
    tags-ignore:
      - '*'
    paths-ignore:
      - 'doc/**'
      - 'README.md'

jobs:
  lint:
    name: Lint package
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python 3.8
        uses: actions/setup-python@v5
        with:
          python-version: 3.8

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install pipenv==2023.10.3 pre-commit
          pipenv install --dev --skip-lock

      - uses: actions/cache@v3
        with:
          path: ~/.cache/pre-commit
          key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}

      - name: Install pre-commit hooks
        run: pre-commit install --install-hooks

      - name: Skip ggshield hooks when running from a fork
        # See note about steps requiring the GITGUARDIAN_API at the top of this file
        if: ${{ github.event.pull_request.head.repo.fork }}
        run: |
          echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV

      - name: Run pre-commit checks
        run: |
          pre-commit run --show-diff-on-failure --all-files
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

      - name: Check commit messages
        if: github.event_name == 'pull_request'
        run: |
          PR_REF="${GITHUB_REF%/merge}/head"
          git fetch origin "$PR_REF"
          if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then
              echo 'Error: this pull request contains fixup commits. Squash them.'
              exit 1
          fi
          # In case `git log` fails
          exit "${PIPESTATUS[0]}"

  build:
    name: Build and Test
    runs-on: ${{ matrix.os }}
    env:
      # We skip pipenv lockfile by default, because a Pipfile.lock should only
      # be used for the Python version it was generated for.
      PIPENV_SKIP_LOCK: 1
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-2022]
        python-version: ['3.8', '3.9', '3.10', '3.11']
    steps:
      - uses: actions/checkout@v4
        with:
          # Get enough commits to run `ggshield secret scan commit-range` on ourselves
          fetch-depth: 10

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Use Pipfile.lock on locked version of Python
        # Keep version in sync with scripts/update-pipfile-lock/Dockerfile
        if: matrix.python-version == '3.10'
        run: |
          echo "PIPENV_SKIP_LOCK=0" >> $GITHUB_ENV

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install --upgrade pipenv==2023.10.3
          pipenv install --system --dev
          # Hack: workaround urllib3 still being installed on windows-2022 builder
          pip install --force-reinstall 'urllib3<2'
      - name: Install Windows dev dependencies
        if: matrix.os == 'windows-2022'
        run: |
          # Those are win32-only dependencies from pytest
          python -m pip install atomicwrites colorama

      - name: Override base Docker image used for functional tests on Windows
        if: matrix.os == 'windows-2022'
        # This is required because GitHub Windows runner is not configured to
        # run Linux-based Docker images
        shell: bash
        run: |
          echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV

      - name: Ensure a clean package installation
        run: |
          pip install build wheel check-wheel-contents
          python -m build --wheel
          # The created wheel (.whl) file will be found and analyzed within the `dist/` folder
          check-wheel-contents dist/

      - name: Run unit tests
        run: |
          coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit

      - name: Gather coverage report
        run: |
          coverage report --fail-under=80
          coverage xml

      - uses: codecov/codecov-action@v3
        with:
          file: ./coverage.xml
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: false

      - name: Run functional tests
        # See note about steps requiring the GITGUARDIAN_API at the top of this file
        if: ${{ !github.event.pull_request.head.repo.fork }}
        shell: bash
        run: |
          make functest
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
          TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}

  build-standalone:
    name: Standalone exe
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
          - windows-2022
          - macos-14
    steps:
      - uses: actions/checkout@v4
        with:
          # Get enough commits to run `ggshield secret scan commit-range` on ourselves
          fetch-depth: 10

      - name: Set up Python 3.10
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install normal dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install --upgrade pipenv==2023.10.3
          pipenv install --system --dev
        env:
          # Disable lock otherwise Windows-only dependencies like colorama are not installed
          PIPENV_SKIP_LOCK: 1

      - name: Install standalone-specific dependencies
        run: |
          python -m pip install --upgrade pyinstaller

      - name: Build
        shell: bash
        run: |
          scripts/build-standalone-exe

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ggshield-standalone-${{ matrix.os }}
          path: |
            dist/ggshield-standalone-*.gz
            dist/ggshield-standalone-*.zip

      - name: Override base Docker image used for functional tests on Windows
        if: matrix.os == 'windows-2022'
        # This is required because GitHub Windows runner is not configured to
        # run Linux-based Docker images
        shell: bash
        run: |
          echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV

      - name: Functional tests
        shell: bash
        # See note about steps requiring the GITGUARDIAN_API at the top of this file
        if: ${{ !github.event.pull_request.head.repo.fork }}
        run: |
          scripts/build-standalone-exe functests
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
          TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}

  build_packages:
    # This job ensures the build-packages script is tested on each build, not only at release time
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Warning: changes on this step should be reflected in workflows/tag.yml
      - name: Install packaging tools
        shell: bash
        run: |
          curl -L https://github.com/goreleaser/nfpm/releases/download/v2.15.0/nfpm_amd64.deb -o nfpm_amd64.deb
          sudo dpkg -i nfpm_amd64.deb

          pip install shiv==1.0.1 build

      # Append the abbreviated git sha1 to the version number to avoid confusing
      # these packages with those produced at release time
      - name: Fake version number
        shell: bash
        run: |
          version=$(git describe --tags | sed -e 's/^v//' -e 's/-[0-9]*-g/+/')
          echo "Set version number to '$version'"
          sed -i "s/__version__ = .*/__version__ = \"$version\"/" ggshield/__init__.py

      - name: Create packages
        shell: bash
        run: scripts/build-packages/build-packages

      # Make packages downloadable from the workflow page
      - name: Upload packages
        uses: actions/upload-artifact@v3
        with:
          name: packages
          path: |
            dist
            packages

  test_github_secret_scan_action:
    name: Test GitHub action for `secret scan`
    # See note about steps requiring the GITGUARDIAN_API at the top of this file
    if: ${{ !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan commits for hardcoded secrets
        uses: ./actions-unstable/secret
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}

  test_github_iac_scan_action:
    name: Test GitHub action for `iac scan`
    # See note about steps requiring the GITGUARDIAN_API at the top of this file
    if: ${{ !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan commits for IaC vulnerabilities
        uses: ./actions-unstable/iac
        with:
          args: .
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}

  test_github_sca_scan_action:
    name: Test GitHub action for `sca scan`
    # See note about steps requiring the GITGUARDIAN_API at the top of this file
    if: ${{ !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan commits for SCA vulnerabilities
        uses: ./actions-unstable/sca
        with:
          args: .
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}

  dockerhub-unstable:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    needs:
      - lint
      - build
      - test_github_iac_scan_action
      - test_github_sca_scan_action
      - test_github_secret_scan_action
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build and push
        uses: docker/build-push-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: gitguardian/ggshield
          tags: unstable

  github_packages-unstable:
    name: Push Docker image to GitHub Packages
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    needs:
      - lint
      - build
      - test_github_iac_scan_action
      - test_github_sca_scan_action
      - test_github_secret_scan_action
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: Push to GitHub Packages
        uses: docker/build-push-action@v1
        with:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: docker.pkg.github.com
          repository: gitguardian/ggshield/ggshield
          tags: unstable