Merge pull request #148 from uptick/sec-96/private-actions

SEC-96 chore(ci): replace uptick/actions with inline workflow steps

Author: uptickmetachu

.github/workflows/release-please.yaml

@@ -5,11 +5,11 @@ on:
       - develop
 
 permissions:
-  actions: read # Read the metrics
-  contents: write # to be able to publish a GitHub release
-  issues: write # to be able to comment on released issues
-  pull-requests: write # to be able to comment on released pull requests
-  id-token: write # to enable use of OIDC for npm provenance / AWS
+  actions: read
+  contents: write
+  issues: write
+  pull-requests: write
+  id-token: write
 
 env:
   MISE_PYTHON_COMPILE: false
@@ -35,7 +35,7 @@ jobs:
     needs: release-please
     if: ${{ needs.release-please.outputs.helm-version }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6.0.1
       - name: Publish Helm charts
         uses: stefanprodan/helm-gh-pages@89c6698c192e70ed0e495bee7d3d1ca5b477fe82 # ratchet:stefanprodan/helm-gh-pages@master
         with:
@@ -45,36 +45,66 @@ jobs:
     name: Publishes tag to pypi
     runs-on: ubuntu-latest
     needs: release-please
-    if: ${{ needs.release-please.outputs.cli-release-created}}
+    if: ${{ needs.release-please.outputs.cli-release-created }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6.0.1
 
-      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # ratchet:jdx/mise-action@v2
+      - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3.5.1
         with:
           install: true
           cache: true
           experimental: true
 
-      - run: |
-          mise run build
+      - run: mise run build
         shell: bash
 
       - name: Publish Pypi Package
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # ratchet:pypa/gh-action-pypi-publish@release/v1
 
   publish_docker_image:
     name: Build and Push Docker Image
-    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
+    runs-on: ubuntu-24.04
     needs: release-please
-    if: ${{ needs.release-please.outputs.server-release-created}}
-    secrets:
-      SECRET_ENV: "${{ secrets.CLUSTER_KEY }}"
-    #https://github.com/uptick/actions/blob/main/.github/workflows/ci.yaml
-    with:
-      aws-iam-role-arn: "arn:aws:iam::610829907584:role/default-github-actions-ci-role"
-      docker-enabled: true
-      docker-context: "."
-      docker-tag: "${{ needs.release-please.outputs.server-version }}"
-      docker-tag-latest: true
-      docker-repository: "610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops"
-      command: echo $SECRET_ENV | base64 -d > cluster.key
+    if: ${{ needs.release-please.outputs.server-release-created }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6.0.1
+        with:
+          fetch-depth: 2
+
+      - name: Set environment variables
+        run: |
+          echo "GIT_SHORT_HASH=$(echo ${{ github.sha }} | cut -c -7)" >> $GITHUB_ENV
+
+      - name: Decode cluster key
+        env:
+          SECRET_ENV: ${{ secrets.CLUSTER_KEY }}
+        run: echo $SECRET_ENV | base64 -d > cluster.key
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # ratchet:aws-actions/configure-aws-credentials@v5.1.1
+        with:
+          role-to-assume: arn:aws:iam::610829907584:role/default-github-actions-ci-role
+          role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}
+          aws-region: ap-southeast-2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # ratchet:docker/setup-buildx-action@v3.12.0
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # ratchet:aws-actions/amazon-ecr-login@v2
+
+      - name: Build and push image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
+        with:
+          context: "."
+          file: Dockerfile
+          cache-from: type=gha
+          cache-to: type=gha, mode=max
+          provenance: false
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops:${{ env.GIT_SHORT_HASH }}
+            610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops:latest
+            610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops:${{ needs.release-please.outputs.server-version }}

.github/workflows/test.yml

@@ -6,35 +6,111 @@ on:
   pull_request: ~
 
 permissions:
-  actions: read # Read the metrics
-  contents: write # to be able to publish a GitHub release
-  issues: write # to be able to comment on released issues
-  pull-requests: write # to be able to comment on released pull requests
-  id-token: write # to enable use of OIDC for npm provenance / AWS
+  actions: read
+  contents: write
+  issues: write
+  pull-requests: write
+  id-token: write
+
+env:
+  PYTHONUNBUFFERED: 1
 
 jobs:
   ci:
-    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
-    secrets: inherit
-    with:
-      praise-on-fix: false
-      python-version: 3.12
-      mise: true
-      mise-install: true
-      command: |
-        mise run install
-        mise run ci
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6.0.1
+        with:
+          fetch-depth: 2
+
+      - name: Install Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # ratchet:actions/setup-python@v6.1.0
+        with:
+          python-version: "3.12"
+
+      - name: Setup mise
+        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3.5.1
+        with:
+          install: true
+          cache: true
+          experimental: true
+
+      - name: Run CI
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mise run install
+          mise run ci
+
   build:
     name: Build and Push Docker Image
-    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
-    secrets:
-      SECRET_ENV: "${{ secrets.CLUSTER_KEY }}"
-    #https://github.com/uptick/actions/blob/main/.github/workflows/ci.yaml
-    with:
-      aws-iam-role-arn: "arn:aws:iam::610829907584:role/default-github-actions-ci-role"
-      docker-enabled: true
-      docker-context: "."
-      docker-prefix: test
-      docker-tag-latest: false
-      docker-repository: "610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops"
-      command: echo $SECRET_ENV | base64 -d > cluster.key
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6.0.1
+        with:
+          fetch-depth: 2
+
+      - name: Set environment variables
+        run: |
+          if [[ ${{ github.event_name }} != 'pull_request' ]]; then
+            echo "GIT_SHORT_HASH=$(echo ${{ github.sha }} | cut -c -7)" >> $GITHUB_ENV
+          else
+            echo "GIT_SHORT_HASH=$(echo ${{ github.event.pull_request.head.sha }} | cut -c -7)" >> $GITHUB_ENV
+          fi
+
+      - name: Decode cluster key
+        env:
+          SECRET_ENV: ${{ secrets.CLUSTER_KEY }}
+        run: echo $SECRET_ENV | base64 -d > cluster.key
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # ratchet:aws-actions/configure-aws-credentials@v5.1.1
+        with:
+          role-to-assume: arn:aws:iam::610829907584:role/default-github-actions-ci-role
+          role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}
+          aws-region: ap-southeast-2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # ratchet:docker/setup-buildx-action@v3.12.0
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # ratchet:aws-actions/amazon-ecr-login@v2
+
+      - name: Build and push image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
+        with:
+          context: "."
+          file: Dockerfile
+          cache-from: type=gha
+          cache-to: type=gha, mode=max
+          provenance: false
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops:test-${{ env.GIT_SHORT_HASH }}
+
+      - name: Prepare Docker image comment
+        id: docker_comment
+        if: github.event_name == 'pull_request'
+        run: |
+          {
+            echo "comment<<EOF"
+            echo "## Docker Images"
+            echo ""
+            echo "**Commit:** \`${{ github.event.pull_request.head.sha }}\`"
+            echo ""
+            echo "| Tag |"
+            echo "| --- |"
+            echo "| \`610829907584.dkr.ecr.ap-southeast-2.amazonaws.com/gitops:test-${{ env.GIT_SHORT_HASH }}\` |"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Comment Docker images on PR
+        if: github.event_name == 'pull_request'
+        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # ratchet:marocchino/sticky-pull-request-comment@v2.9.2
+        with:
+          header: docker-image-tags
+          message: ${{ steps.docker_comment.outputs.comment }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}