feat(platform): add Windows support, migrate to new Zenable CLI #328
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "CI" | |
| permissions: | |
| contents: read | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '47 5 * * 0' | |
| env: | |
| python_version: "3.13" | |
| defaults: | |
| run: | |
| shell: 'bash --noprofile --norc -Eeuo pipefail {0}' | |
| jobs: | |
| lint: | |
| name: Lint | |
| if: false # Temporarily disabled while iterating on Windows support | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Lint | |
| run: task -v lint | |
| test: | |
| name: Test | |
| if: false # Temporarily disabled while iterating on Windows support | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| # Necessary for hooks to succeed during tests for commits/schedule | |
| if: github.event_name != 'pull_request' | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: 'false' | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| # Necessary for hooks to succeed during tests for PRs | |
| if: github.event_name == 'pull_request' | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| fetch-depth: 0 | |
| persist-credentials: 'false' | |
| - name: Bootstrap repository | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| python-version: ${{ env.python_version }} | |
| - name: Validate the repo | |
| run: task -v validate | |
| - name: Install license compliance tool | |
| run: | | |
| mkdir "${RUNNER_TEMP}/bin" | |
| # Install grant via curl until official Docker image is available | |
| # See: https://github.com/anchore/grant/issues/222 | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grant/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin" | |
| chmod +x "${RUNNER_TEMP}/bin/grant" | |
| echo "${RUNNER_TEMP}/bin" | tee -a "${GITHUB_PATH}" | |
| - name: Run the tests | |
| run: task -v test | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run SBOM generation | |
| run: task -v sbom | |
| - name: Upload SBOM artifacts | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: sbom-files | |
| path: | | |
| sbom.*.json | |
| if-no-files-found: error | |
| - name: Check license compliance | |
| run: task -v license-check | |
| - name: Upload license check results | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: license-check-results | |
| path: license-check.json | |
| if-no-files-found: error | |
| - name: Run vulnerability scan | |
| run: task -v vulnscan | |
| - name: Upload vulnerability scan results | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: vuln-scan-results | |
| path: vulns.json | |
| if-no-files-found: error | |
| windows-smoke-test: | |
| name: Windows Smoke Test | |
| runs-on: windows-latest | |
| env: | |
| ZENABLE_LOGLEVEL: DEBUG | |
| steps: | |
| # Note: no checkout step. The cookiecutter template directory contains | |
| # characters (pipe, quotes) that are illegal on NTFS, so we cannot check | |
| # out the repo on Windows. Instead, cookiecutter fetches the template | |
| # directly from the remote branch. | |
| - name: Setup uv | |
| uses: astral-sh/setup-uv@v4 | |
| with: | |
| python-version: ${{ env.python_version }} | |
| - name: Install Task | |
| uses: go-task/setup-task@v1 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate project from template | |
| shell: bash | |
| env: | |
| RUN_POST_HOOK: 'true' | |
| SKIP_GIT_PUSH: 'true' | |
| TEMPLATE_REF: ${{ github.event.pull_request.head.sha || github.sha }} | |
| run: | | |
| git config --global user.name "CI Automation" | |
| git config --global user.email "ci@zenable.io" | |
| # The template directory name contains NTFS-illegal characters | |
| # (double quotes, pipe). Use Python to extract the zip, renaming | |
| # the template dir to {{cookiecutter.project_name}} which is | |
| # NTFS-safe and renders identically for defaults (no spaces). | |
| zipUrl="https://github.com/${{ github.repository }}/archive/${TEMPLATE_REF}.zip" | |
| tmpdir=$(mktemp -d) | |
| curl -fsSL "$zipUrl" -o "$tmpdir/template.zip" | |
| repoDir=$(python3 -c " | |
| import zipfile, os, sys | |
| zf, dest = zipfile.ZipFile(sys.argv[1]), sys.argv[2] | |
| for info in zf.infolist(): | |
| parts = info.filename.split('/') | |
| # Only rename the top-level template dir (index 1) which has | |
| # NTFS-illegal chars (pipe, quotes). Nested cookiecutter dirs | |
| # like {{cookiecutter.project_slug}} are NTFS-safe and must be | |
| # preserved so cookiecutter renders them correctly. | |
| safe = [] | |
| for i, p in enumerate(parts): | |
| if i == 1 and '{{cookiecutter.' in p: | |
| safe.append('{{cookiecutter.project_name}}') | |
| else: | |
| safe.append(p) | |
| target = os.path.join(dest, *[s for s in safe if s]) | |
| if info.is_dir(): | |
| os.makedirs(target, exist_ok=True) | |
| else: | |
| os.makedirs(os.path.dirname(target), exist_ok=True) | |
| with zf.open(info) as s, open(target, 'wb') as d: | |
| d.write(s.read()) | |
| print(os.path.join(dest, os.listdir(dest)[0])) | |
| " "$tmpdir/template.zip" "$tmpdir/src") | |
| uvx --with gitpython cookiecutter "$repoDir" --no-input --output-dir "$RUNNER_TEMP" | |
| - name: Verify generated project | |
| shell: pwsh | |
| run: | | |
| $project = Join-Path $env:RUNNER_TEMP "replace-me" | |
| # Verify the project directory was created | |
| if (-not (Test-Path $project)) { | |
| Write-Error "Project directory not found at $project" | |
| exit 1 | |
| } | |
| # Verify key files exist | |
| $requiredFiles = @( | |
| "pyproject.toml", | |
| "Taskfile.yml", | |
| "Dockerfile", | |
| "CLAUDE.md", | |
| ".github/project.yml", | |
| ".github/workflows/ci.yml" | |
| ) | |
| foreach ($file in $requiredFiles) { | |
| $filePath = Join-Path $project $file | |
| if (-not (Test-Path $filePath)) { | |
| Write-Error "Required file missing: $file" | |
| exit 1 | |
| } | |
| } | |
| # Verify no unrendered cookiecutter variables remain | |
| $pattern = '\{\{\s*cookiecutter\.' | |
| $matches = Get-ChildItem -Path $project -Recurse -File -Exclude '.git' | | |
| Where-Object { $_.FullName -notmatch '[\\/]\.git[\\/]' } | | |
| Select-String -Pattern $pattern | |
| if ($matches) { | |
| Write-Error "Unrendered cookiecutter variables found:" | |
| $matches | ForEach-Object { Write-Error $_.ToString() } | |
| exit 1 | |
| } | |
| # Verify git repo was initialized and has a commit | |
| $gitDir = Join-Path $project ".git" | |
| if (-not (Test-Path $gitDir)) { | |
| Write-Error "Git repository not initialized" | |
| exit 1 | |
| } | |
| Push-Location $project | |
| $commitCount = git rev-list --count HEAD 2>$null | |
| Pop-Location | |
| if ($commitCount -lt 1) { | |
| Write-Error "No commits found in generated project" | |
| exit 1 | |
| } | |
| Write-Host "Windows smoke test passed: project generated and verified successfully" | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Initialize generated project | |
| shell: bash | |
| run: | | |
| cd "$RUNNER_TEMP/replace-me" | |
| task -v init | |
| - name: Run tests | |
| shell: bash | |
| run: | | |
| cd "$RUNNER_TEMP/replace-me" | |
| task -v test | |
| - name: Build Docker image | |
| shell: bash | |
| run: | | |
| cd "$RUNNER_TEMP/replace-me" | |
| task -v build | |
| - name: Verify Docker image | |
| shell: bash | |
| run: | | |
| docker run --rm --entrypoint python3 zenable-io/replace-me:latest \ | |
| -c "from replace_me import __version__; print(__version__)" | |
| - name: Verify zenable CLI | |
| shell: bash | |
| run: | | |
| export PATH="$HOME/.zenable/bin:$PATH" | |
| zenable version | |
| finalizer: | |
| # This gives us something to set as required in the repo settings. Some projects use dynamic fan-outs using matrix strategies and the fromJSON function, so | |
| # you can't hard-code what _should_ run vs not. Having a finalizer simplifies that so you can just check that the finalizer succeeded, and if so, your | |
| # requirements have been met | |
| # Example: https://x.com/JonZeolla/status/1877344137713766516 | |
| name: Finalize the pipeline | |
| runs-on: ubuntu-24.04 | |
| # Keep this aligned with the above jobs | |
| needs: [lint, test, windows-smoke-test] # lint and test temporarily disabled | |
| if: always() # Ensure it runs even if "needs" fails or is cancelled | |
| steps: | |
| - name: Check for failed or cancelled jobs | |
| run: | | |
| if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" || | |
| "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | |
| echo "One or more required jobs failed or was cancelled. Marking finalizer as failed." | |
| exit 1 | |
| fi | |
| - name: Checkout the repository | |
| uses: actions/checkout@v6 | |
| - name: Scan workflow logs for warnings and errors | |
| run: scripts/scan_workflow_logs.sh ${{ github.run_id }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Finalize | |
| run: echo "Pipeline complete!" |