Refactor CI (#5060)

* workflows: add docker image scan for CI workflow * enter debug mode * update mod-wsgi dependency * add Trivy image scanner for cvat/ui image * add trivyignore file * update trivyignore file * try scan without trivyignore * remove trivy scanner * add workflow that updates yarn.lock file for PRs from Snyk * remove extra empty lines * revert changes for mod-wsgi version * remove deprecated set-output for workflows * update upload-artifact action * update upload-artifact action * test another github action for getting changed files * fix typo * debug * debug * debug * debug * debug * debug * debug * debug * debug * debug * revert changes for bandit linter * remove debug changes * remove debug changes * remove debug changes * remove debug changes * exit debug mode

Refactor CI (#5060)
* workflows: add docker image scan for CI workflow * enter debug mode * update mod-wsgi dependency * add Trivy image scanner for cvat/ui image * add trivyignore file * update trivyignore file * try scan without trivyignore * remove trivy scanner * add workflow that updates yarn.lock file for PRs from Snyk * remove extra empty lines * revert changes for mod-wsgi version * remove deprecated set-output for workflows * update upload-artifact action * update upload-artifact action * test another github action for getting changed files * fix typo * debug * debug * debug * debug * debug * debug * debug * debug * debug * debug * revert changes for bandit linter * remove debug changes * remove debug changes * remove debug changes * remove debug changes * exit debug mode
4cd43a27 · Kirill Sizov · GitHub · e4e8da28 · 4cd43a27 · 4cd43a27
15 changed file
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -41,7 +41,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: bandit_report
          path: bandit_report
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -76,7 +76,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: black_report
          path: black_report
--- a/.github/workflows/cache.yml
+++ b/.github/workflows/cache.yml
@@ -31,8 +31,8 @@ jobs:
          echo Default branch is ${DEFAULT_BRANCH}
          echo Workflow will try to get cache from commit: ${SHA}

-          echo ::set-output name=default_branch::${DEFAULT_BRANCH}
-          echo ::set-output name=sha::${SHA}
+          echo "default_branch=${DEFAULT_BRANCH}" >> $GITHUB_OUTPUT
+          echo "sha=${SHA}" >> $GITHUB_OUTPUT

      - uses: actions/cache@v3
        id: server-cache-action

--- a/.github/workflows/comment.yml
+++ b/.github/workflows/comment.yml
@@ -25,7 +25,7 @@ jobs:
          then
            ALLOW="true"
          fi
-          echo ::set-output name=allow::${ALLOW}
+          echo "allow=${ALLOW}" >> $GITHUB_OUTPUT

      - name: Verify that author of comment is collaborator
        if: steps.check-author.outputs.allow == ''
@@ -38,7 +38,7 @@ jobs:
        id: get-ref
        run: |
          SHA=$(gh api /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} | jq -r '.head.sha')
-          echo ::set-output name=ref::${SHA}
+          echo "ref=${SHA}" >> $GITHUB_OUTPUT

      - name: Send comment. Test are executing
        id: send-status
@@ -51,7 +51,7 @@ jobs:
            /repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments \
            -f body="${BODY}" | jq '.id')

-          echo ::set-output name=cid::${COMMENT_ID}
+          echo "cid=${COMMENT_ID}" >> $GITHUB_OUTPUT

  run-full:
    needs: verify_author

--- a/.github/workflows/eslint.yml
+++ b/.github/workflows/eslint.yml
@@ -39,7 +39,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: eslint_report
          path: eslint_report
--- a/.github/workflows/full.yml
+++ b/.github/workflows/full.yml
@@ -38,8 +38,9 @@ jobs:
          done
          echo Default branch is ${DEFAULT_BRANCH}
          echo Workflow will try to get cache from commit: ${SHA}
-          echo ::set-output name=default_branch::${DEFAULT_BRANCH}
-          echo ::set-output name=sha::${SHA}
+
+          echo "default_branch=${DEFAULT_BRANCH}" >> $GITHUB_OUTPUT
+          echo "sha=${SHA}" >> $GITHUB_OUTPUT

  build:
    needs: search_cache
@@ -210,7 +211,7 @@ jobs:

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: container_logs
          path: "${{ github.workspace }}/rest_api"
@@ -270,7 +271,7 @@ jobs:

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: container_logs
          path: "${{ github.workspace }}/unit_testing"
@@ -373,14 +374,14 @@ jobs:

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: container_logs
          path: ${{ github.workspace }}/tests/cvat_${{ matrix.specs }}.log

      - name: Uploading cypress screenshots as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: cypress_screenshots_${{ matrix.specs }}
          path: ${{ github.workspace }}/tests/cypress/screenshots
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -47,7 +47,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: hadolint_report
          path: hadolint_report
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -23,7 +23,7 @@ jobs:
          PR_FILES="$PR_FILES_AM $PR_FILES_RENAMED"
          for FILE in $PR_FILES; do
              if [[ $FILE == helm-chart/* ]] ; then
-                echo "::set-output name=helm_dir_changed::true"
+                echo "helm_dir_changed=true" >> $GITHUB_OUTPUT
                break
              fi
          done

--- a/.github/workflows/isort.yml
+++ b/.github/workflows/isort.yml
@@ -76,7 +76,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: isort_report
          path: isort_report
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -41,8 +41,8 @@ jobs:
          echo Default branch is ${DEFAULT_BRANCH}
          echo Workflow will try to get cache from commit: ${SHA}

-          echo ::set-output name=default_branch::${DEFAULT_BRANCH}
-          echo ::set-output name=sha::${SHA}
+          echo "default_branch=${DEFAULT_BRANCH}" >> $GITHUB_OUTPUT
+          echo "sha=${SHA}" >> $GITHUB_OUTPUT

  build:
    needs: search_cache
@@ -178,7 +178,7 @@ jobs:

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: container_logs
          path: "${{ github.workspace }}/rest_api_testing"
@@ -237,7 +237,7 @@ jobs:

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: container_logs
          path: "${{ github.workspace }}/unit_testing"
@@ -328,14 +328,14 @@ jobs:

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: container_logs
          path: ${{ github.workspace }}/tests/cvat_${{ matrix.specs }}.log

      - name: Uploading cypress screenshots as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: cypress_screenshots_${{ matrix.specs }}
          path: ${{ github.workspace }}/tests/cypress/screenshots

--- a/.github/workflows/pylint.yml
+++ b/.github/workflows/pylint.yml
@@ -44,7 +44,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: pylint_report
          path: pylint_report
--- a/.github/workflows/remark.yml
+++ b/.github/workflows/remark.yml
@@ -25,7 +25,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: remark_report
          path: remark_report
--- a/.github/workflows/schedule.yml
+++ b/.github/workflows/schedule.yml
@@ -34,8 +34,8 @@ jobs:
          echo Last CI-nightly workflow run time: $last_night_date
          echo Last commit time in develop branch: $last_commit_date

-          echo ::set-output name=last_commit_time::${last_commit_time}
-          echo ::set-output name=last_night_time::${last_night_time}
+          echo "last_commit_time=${last_commit_time}" >> $GITHUB_OUTPUT
+          echo "last_night_time=${last_night_time}" >> $GITHUB_OUTPUT

  search_cache:
    needs: check_updates
@@ -66,8 +66,8 @@ jobs:
          echo Default branch is ${DEFAULT_BRANCH}
          echo Workflow will try to get cache from commit: ${SHA}

-          echo ::set-output name=default_branch::${DEFAULT_BRANCH}
-          echo ::set-output name=sha::${SHA}
+          echo "default_branch=${DEFAULT_BRANCH}" >> $GITHUB_OUTPUT
+          echo "sha=${SHA}" >> $GITHUB_OUTPUT

  build:
    needs: search_cache
@@ -258,7 +258,7 @@ jobs:
          docker-compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.ci.yml down -v

      - name: Uploading code coverage results as an artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: coverage_results
          path: |
@@ -345,7 +345,7 @@ jobs:
             echo Response from server is incorrect, output:
             cat /tmp/server_response
          fi
-          echo ::set-output name=status_code::${status_code}
+          echo "status_code=${status_code}" >> $GITHUB_OUTPUT

      - name: Fail on bad response from server
        if: steps.wait-server.outputs.status_code != '200'
@@ -389,20 +389,20 @@ jobs:

      - name: Uploading cypress screenshots as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: cypress_screenshots
          path: ${{ github.workspace }}/tests/cypress/screenshots

      - name: Uploading "cvat" container logs as an artifact
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: cvat_container_logs
          path: ${{ github.workspace }}/tests/cvat.log

      - name: Uploading code coverage results as an artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: coverage_results
          path: ${{ github.workspace }}/tests/.nyc_output

--- a/.github/workflows/stylelint.yml
+++ b/.github/workflows/stylelint.yml
@@ -41,7 +41,7 @@ jobs:

      - name: Upload artifacts
        if: failure()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3.1.1
        with:
          name: stylelint_report
          path: stylelint_report
--- a/.github/workflows/update-yarn-lock.yml
+++ b/.github/workflows/update-yarn-lock.yml
+# The purpose of this workflow: update yarn.lock file for PRs that come from Snyk
+name: Update yarn.lock file
+on:
+  pull_request:
+    types: ['opened', 'reopened']
+    paths:
+      - '**/package.json'
+      - 'package.json'
+    branches:
+      - 'develop'
+
+jobs:
+  update:
+    if: startsWith(github.event.pull_request.head.ref, 'snyk-')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-node@v3
+        with:
+            node-version: '16.x'
+
+      - name: Update yarn.lock file
+        run: yarn
+
+      - uses: stefanzweifel/git-auto-commit-action@v4.15.2
+        with:
+          commit_message: Update yarn.lock file
+          file_pattern: yarn.lock