From 4ead93364e896ff1acc5a598348fdd0576f09f5e Mon Sep 17 00:00:00 2001 From: Carl Flottmann Date: Thu, 1 May 2025 11:55:16 +1000 Subject: [PATCH 1/4] build: add github action to build and publish Semgrep wheel artifact Signed-off-by: Carl Flottmann --- .github/workflows/build_semgrep_wheel.yaml | 55 ++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/build_semgrep_wheel.yaml diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml new file mode 100644 index 000000000..851c0f5d0 --- /dev/null +++ b/.github/workflows/build_semgrep_wheel.yaml 
@@ -0,0 +1,55 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+name: Build Semgrep Wheel Artifact
+
+on: workflow_dispatch
+
+permissions:
+ contents: read
+
+jobs:
+ build-semgrep-wheel:
+ name: Build Semgrep wheel
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ - name: Install git # for cloning Semgrep repository
+ run: |
+ sudo apt-get install git
+
+ - name: Clone Semgrep v1.113.0 repository
+ run: |
+ git init
+ git remote add origin https://github.com/semgrep/semgrep.git
+ git fetch --depth 1 origin 4729a05d24bf9cee8face447e8a6d418037d61d8
+ git checkout FETCH_HEAD
+ git submodule update --init --recursive --depth 1
+
+ - name: Build wheel through docker
+ run: |
+ docker build --target semgrep-wheel -t semgrep .
+ docker create --name temp semgrep
+ mkdir -p dist/
+ docker cp temp:/semgrep/cli/dist/ dist/
+ docker container rm temp
+
+ - name: Get wheel name
+ run: |
+ WHEELS=($(find ./dist -type f -name "*manylinux*.whl"))
+ if [ "${WHEELS[@]}" -ne 1]; then
+ echo "Expected a single wheel file built by semgrep dockerfile"
+ exit 1
+ fi
+ echo "WHEEL_PATH=${WHEELS[0]}" >> "$GITHUB_ENV"
+
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: semgrep_wheel_manylinux.whl
+ path: ${{ env.WHEEL_PATH }}
+ if-no-files-found: error
+ compression-level: 0 # don't compress the wheel file
+ retention-days: 90 # uploaded wheel valid for 90 days, before workflow must be run again
From b33f73f2695ce72c7a73671d113494beee94cb99 Mon Sep 17 00:00:00 2001 From: Carl Flottmann Date: Mon, 12 May 2025 14:58:30 +1000 Subject: [PATCH 2/4] build: testing github action works using push trigger Signed-off-by: Carl Flottmann
--- .github/workflows/build_semgrep_wheel.yaml | 58 +++++++++++----------- 1 file changed, 29 insertions(+), 29 deletions(-)
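Review bot: The guard in the `Get wheel name` step never tests a count: `"${WHEELS[@]}"` expands to the wheel paths themselves rather than their number, and `1]` with no space before `]` is a `test` syntax error, so the step errors out even when exactly one wheel was built. The intended line is `if [ "${#WHEELS[@]}" -ne 1 ]; then`. Filling the array from an unquoted `$(find ...)` also word-splits on whitespace in paths; `mapfile -t WHEELS < <(find ./dist -type f -name '*manylinux*.whl')` avoids that. The `Install git` step is redundant on `ubuntu-latest`, where git is preinstalled, and `apt-get install` without `-y` would not proceed non-interactively if anything actually had to be installed.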
diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml index 851c0f5d0..215075aaa 100644 --- a/.github/workflows/build_semgrep_wheel.yaml +++ b/.github/workflows/build_semgrep_wheel.yaml @@ -3,7 +3,7 @@ name: Build Semgrep Wheel Artifact -on: workflow_dispatch +on: [push, workflow_dispatch] permissions: contents: read 
@@ -12,44 +12,44 @@ jobs: build-semgrep-wheel: name: Build Semgrep wheel runs-on: ubuntu-latest + permissions: + packages: write # to push the docker image defaults: run: shell: bash steps: - - name: Install git # for cloning Semgrep repository - run: | - sudo apt-get install git - - - name: Clone Semgrep v1.113.0 repository - run: | - git init - git remote add origin https://github.com/semgrep/semgrep.git - git fetch --depth 1 origin 4729a05d24bf9cee8face447e8a6d418037d61d8 - git checkout FETCH_HEAD - git submodule update --init --recursive --depth 1 + # To update the semgrep version, please apply the following changes: + # - change the version tag in the 'name' description + # - change the 'ref' field to use the commit hash of that tag + - name: Check out Semgrep v1.113.0 repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + repository: semgrep/semgrep.git + ref: 4729a05d24bf9cee8face447e8a6d418037d61d8 # v1.113.0 + fetch-depth: 1 # only need most recent commits to this tag + submodules: recursive # semgrep uses many of their own ocaml submodules, which are required to build - name: Build wheel through docker + # we build to the 'semgrep-wheel' target as we don't need the performance testing, and want to extract the wheel run: | docker build --target semgrep-wheel -t semgrep . docker create --name temp semgrep - mkdir -p dist/ - docker cp temp:/semgrep/cli/dist/ dist/ + mkdir -p wheels/ + docker cp temp:/semgrep/cli/dist/. 
wheels/ docker container rm temp - - name: Get wheel name + # - name: Log in to GitHub Container Registry + # run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} + + # The manylinux image will be a static binary built using musl, suitable for Oracle linux + - name: Build and push semgrep wheel image run: | - WHEELS=($(find ./dist -type f -name "*manylinux*.whl")) - if [ "${WHEELS[@]}" -ne 1]; then - echo "Expected a single wheel file built by semgrep dockerfile" - exit 1 - fi - echo "WHEEL_PATH=${WHEELS[0]}" >> "$GITHUB_ENV" - - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: semgrep_wheel_manylinux.whl - path: ${{ env.WHEEL_PATH }} - if-no-files-found: error - compression-level: 0 # don't compress the wheel file - retention-days: 90 # uploaded wheel valid for 90 days, before workflow must be run again + cd wheels + WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl') + echo "FROM scratch + COPY ${WHEEL} /semgrep_wheel.whl" >> Dockerfile.semgrep + docker build -t ghcr.io/macaron/macaron-deps:latest -f Dockerfile.semgrep . + + + # docker push ghcr.io/macaron/macaron-deps:latest From ecc05f53788d34475f539a2a666aa24d2d58df9d Mon Sep 17 00:00:00 2001 From: Carl Flottmann Date: Mon, 12 May 2025 15:33:26 +1000 Subject: [PATCH 3/4] build: confirmed action worked, publish image to macaron repo Signed-off-by: Carl Flottmann --- .github/workflows/build_semgrep_wheel.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml index 215075aaa..a1078cf32 100644 --- a/.github/workflows/build_semgrep_wheel.yaml +++ b/.github/workflows/build_semgrep_wheel.yaml 
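Review bot: The `Build and push semgrep wheel image` step drops the single-wheel check that the replaced `Get wheel name` step had: `WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')` silently yields an empty string or several paths, and `COPY ${WHEEL} /semgrep_wheel.whl` then fails at `docker build` with a Docker error that does not say which case occurred. Reinstate the guard before writing the Dockerfile: `mapfile -t WHEELS < <(find . -type f -name 'semgrep-*manylinux*.whl')`, `[ "${#WHEELS[@]}" -eq 1 ] || { echo "expected exactly one manylinux wheel, found ${#WHEELS[@]}" >&2; exit 1; }`, `WHEEL="${WHEELS[0]}"`. Writing the Dockerfile with a two-line `echo "..." >> Dockerfile.semgrep` appends rather than creates and embeds the block scalar's indentation before `COPY`; `printf 'FROM scratch\nCOPY %s /semgrep_wheel.whl\n' "${WHEEL}" > Dockerfile.semgrep` is explicit about both. `repository: semgrep/semgrep.git` carries a `.git` suffix that actions/checkout does not document for its `owner/repo` input; it evidently works, but `semgrep/semgrep` is the documented form.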
@@ -20,8 +20,8 @@ jobs: steps: # To update the semgrep version, please apply the following changes: - # - change the version tag in the 'name' description - # - change the 'ref' field to use the commit hash of that tag + # change the version tag in the 'name' description + # change the 'ref' field to use the commit hash of that tag - name: Check out Semgrep v1.113.0 repository uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: @@ -39,8 +39,8 @@ jobs: docker cp temp:/semgrep/cli/dist/. wheels/ docker container rm temp - # - name: Log in to GitHub Container Registry - # run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} + - name: Log in to GitHub Container Registry + run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} # The manylinux image will be a static binary built using musl, suitable for Oracle linux - name: Build and push semgrep wheel image @@ -50,6 +50,4 @@ jobs: echo "FROM scratch COPY ${WHEEL} /semgrep_wheel.whl" >> Dockerfile.semgrep docker build -t ghcr.io/macaron/macaron-deps:latest -f Dockerfile.semgrep . - - - # docker push ghcr.io/macaron/macaron-deps:latest + docker push ghcr.io/macaron/macaron-deps:latest From a6b499a03ac04f2c70a8a2bde680615af880c58f Mon Sep 17 00:00:00 2001 From: Carl Flottmann Date: Mon, 12 May 2025 16:37:25 +1000 Subject: [PATCH 4/4] build: remove test trigger that used push action Signed-off-by: Carl Flottmann --- .github/workflows/build_semgrep_wheel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml index a1078cf32..c2a15c532 100644 --- a/.github/workflows/build_semgrep_wheel.yaml +++ b/.github/workflows/build_semgrep_wheel.yaml @@ -3,7 +3,7 @@ name: Build Semgrep Wheel Artifact -on: [push, workflow_dispatch] +on: workflow_dispatch permissions: contents: read
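Review bot: In the second hunk, the `Log in to GitHub Container Registry` step passes the token as a command-line argument: `docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}`. Docker itself warns that `--password` on the CLI is insecure, because the value lands in the runner's process argument list, and the `${{ }}` expression is interpolated straight into the shell script. Pass it on stdin through an env var instead: add `env:` with `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step, and use `run: echo "${GHCR_TOKEN}" | docker login ghcr.io --username "${{ github.actor }}" --password-stdin`.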
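Review bot: In the third hunk, `docker push ghcr.io/macaron/macaron-deps:latest` publishes only a mutable `latest` tag, so a consumer of the wheel image has no immutable reference to pin to and nothing ties the pushed image back to the Semgrep commit checked out above. Tag the image with the Semgrep version as well and surface the pushed digest, e.g. `docker tag ghcr.io/macaron/macaron-deps:latest ghcr.io/macaron/macaron-deps:semgrep-1.113.0`, `docker push ghcr.io/macaron/macaron-deps:semgrep-1.113.0`, then `docker inspect --format '{{index .RepoDigests 0}}' ghcr.io/macaron/macaron-deps:latest >> "$GITHUB_STEP_SUMMARY"`. The maintenance comment in the first hunk lists the `name` and `ref` fields to update when bumping Semgrep; a version tag on the image would be a third place, so it should be listed there too.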