From 98277689f5336c80b02355cde6c5adad7bec239f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9sar=20Arroba?= <19954079+cesararroba@users.noreply.github.com> Date: Tue, 5 May 2026 17:08:34 +0200 Subject: [PATCH] ci: reduce GitHub Actions consumption across CI workflows (#11007) --- .github/workflows/api-code-quality.yml | 10 ++ .../workflows/api-container-build-push.yml | 2 +- .github/workflows/api-container-checks.yml | 30 +++--- .github/workflows/api-security.yml | 10 ++ .github/workflows/api-tests.yml | 8 ++ .github/workflows/conventional-commit.yml | 2 - .github/workflows/create-backport-label.yml | 4 - .github/workflows/find-secrets.yml | 9 +- .../workflows/mcp-container-build-push.yml | 2 +- .github/workflows/mcp-container-checks.yml | 30 +++--- .github/workflows/mcp-pypi-release.yml | 21 ++++ .../nightly-arm64-container-builds.yml | 98 +++++++++++++++++++ .github/workflows/pr-check-changelog.yml | 7 +- .../workflows/pr-check-compliance-mapping.yml | 7 +- .github/workflows/pr-conflict-checker.yml | 7 +- .../sdk-check-duplicate-test-names.yml | 3 + .github/workflows/sdk-code-quality.yml | 16 +++ .../workflows/sdk-container-build-push.yml | 74 ++------------ .github/workflows/sdk-container-checks.yml | 36 +++---- .github/workflows/sdk-security.yml | 16 +++ .github/workflows/sdk-tests.yml | 14 +++ .github/workflows/ui-container-build-push.yml | 2 +- .github/workflows/ui-container-checks.yml | 30 +++--- .github/workflows/ui-e2e-tests-v2.yml | 4 + .github/workflows/ui-tests.yml | 6 ++ .github/zizmor.yml | 1 + 26 files changed, 300 insertions(+), 149 deletions(-) create mode 100644 .github/workflows/nightly-arm64-container-builds.yml diff --git a/.github/workflows/api-code-quality.yml b/.github/workflows/api-code-quality.yml index 1724e51d70..d7bb27aa0a 100644 --- a/.github/workflows/api-code-quality.yml +++ b/.github/workflows/api-code-quality.yml 
@@ -5,10 +5,20 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-code-quality.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-code-quality.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml index e6403ed689..ee73f97f1c 100644 --- a/.github/workflows/api-container-build-push.yml +++ b/.github/workflows/api-container-build-push.yml @@ -158,7 +158,7 @@ jobs: tags: | ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml index 5b59939db9..a7705fdeef 100644 --- a/.github/workflows/api-container-checks.yml +++ b/.github/workflows/api-container-checks.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
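Review bot: If any of these workflows is a required status check in branch protection, the new `paths` filters will leave that check pending forever on PRs that touch none of the listed paths, because a path-filtered workflow reports nothing rather than success; the same filters are added to api-container-checks, api-security, api-tests, mcp-container-checks, sdk-check-duplicate-test-names, sdk-code-quality, sdk-container-checks, sdk-security, sdk-tests, ui-container-checks and ui-tests. GitHub's documented workaround is a companion workflow with the inverse `paths-ignore` list whose no-op job carries the same check name, or dropping the check from the required list. The branch-protection settings are not visible from the diff, so this needs confirming before merge. A short comment above each filter would record the decision, e.g. `# Path-filtered: if this job is a required check, a companion no-op workflow must report it for unrelated PRs`.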
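Review bot: The `github.event_name == 'pull_request'` branch of the new `cache-to` expression is dead unless this workflow has a `pull_request` trigger, which nothing in the hunk shows (the step pushes tags to Docker Hub, so a PR trigger would be unusual); the same expression is added to mcp-container-build-push, sdk-container-build-push and ui-container-build-push. If none of them run on pull requests, keeping `cache-to: type=gha,mode=max,scope=${{ matrix.arch }}` is clearer than a conditional that always resolves to `max`. If one of them does, a comment naming that trigger would explain why a push workflow cares about PR cache size. The enclosing step starts outside the hunk.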
@@ -57,16 +63,7 @@ jobs: api-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -119,23 +116,22 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build container for ${{ matrix.arch }} + - name: Build container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ${{ env.API_WORKING_DIR }} push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} - - name: Scan container with Trivy for ${{ matrix.arch }} + - name: Scan container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/api-security.yml b/.github/workflows/api-security.yml index 7b8dc72cb1..d3bb9e6108 100644 --- a/.github/workflows/api-security.yml +++ b/.github/workflows/api-security.yml 
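Review bot: Dropping the arm64 leg means the Trivy step now scans only an amd64 image before merge, so findings that live in arch-specific layers of the arm64 base image or in arm64-only wheels surface later; the nightly workflow added in this PR builds arm64 but, per its own header, does not scan it, and the weekly checks it refers to are outside this diff. The same removal is made in mcp-container-checks, sdk-container-checks and ui-container-checks. The trade-off should at least be recorded on the build step, e.g. `# amd64 only on PRs (runner cost); arm64 is built nightly by nightly-arm64-container-builds.yml and only scanned by the weekly checks`. Note also that `cache-from: type=gha` without `scope` reads buildx's default scope, so as far as I can tell this job no longer shares cache with the `amd64`-scoped layers the build-push workflows write; harmless, but expect the first builds after merge to be cold.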
@@ -5,10 +5,20 @@ on: branches: - "master" - "v5.*" + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-security.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - "master" - "v5.*" + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-security.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml index 3d4e7e1799..4aec3af59e 100644 --- a/.github/workflows/api-tests.yml +++ b/.github/workflows/api-tests.yml @@ -5,10 +5,18 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/conventional-commit.yml b/.github/workflows/conventional-commit.yml index 5fc31003a4..b0d6946387 100644 --- a/.github/workflows/conventional-commit.yml +++ b/.github/workflows/conventional-commit.yml @@ -4,8 +4,6 @@ on: pull_request: branches: - 'master' - - 'v3' - - 'v4.*' - 'v5.*' types: - 'opened' diff --git a/.github/workflows/create-backport-label.yml b/.github/workflows/create-backport-label.yml index d7aa5709ae..a9ee7f7f95 100644 --- a/.github/workflows/create-backport-label.yml +++ b/.github/workflows/create-backport-label.yml 
@@ -43,14 +43,11 @@ jobs: echo "Processing release tag: $RELEASE_TAG" - # Remove 'v' prefix if present (e.g., v3.2.0 -> 3.2.0) VERSION_ONLY="${RELEASE_TAG#v}" - # Check if it's a minor version (X.Y.0) if [[ "$VERSION_ONLY" =~ ^([0-9]+)\.([0-9]+)\.0$ ]]; then echo "Release $RELEASE_TAG (version $VERSION_ONLY) is a minor version. Proceeding to create backport label." - # Extract X.Y from X.Y.0 (e.g., 5.6 from 5.6.0) MAJOR="${BASH_REMATCH[1]}" MINOR="${BASH_REMATCH[2]}" TWO_DIGIT_VERSION="${MAJOR}.${MINOR}" @@ -62,7 +59,6 @@ jobs: echo "Label name: $LABEL_NAME" echo "Label description: $LABEL_DESC" - # Check if label already exists if gh label list --repo ${{ github.repository }} --limit 1000 | grep -q "^${LABEL_NAME}[[:space:]]"; then echo "Label '$LABEL_NAME' already exists." else diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml index 88f84d6729..e166dbb673 100644 --- a/.github/workflows/find-secrets.yml +++ b/.github/workflows/find-secrets.yml @@ -37,10 +37,13 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + # PRs only need the diff range; push to master/release walks the new range from event.before. + # 50 is enough headroom for the longest realistic PR/push chain without paying for a full clone. + fetch-depth: 50 persist-credentials: false - - name: Scan for secrets with TruffleHog + - name: Scan diff for secrets with TruffleHog + # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags. uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4 with: - extra_args: '--results=verified,unknown' + extra_args: --results=verified,unknown diff --git a/.github/workflows/mcp-container-build-push.yml b/.github/workflows/mcp-container-build-push.yml index 90157db9ab..1e1338e61c 100644 --- a/.github/workflows/mcp-container-build-push.yml 
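Review bot: `fetch-depth: 50` bounds the secret scan by commit count, and the comment's "longest realistic PR/push chain" is an assumption the job never verifies: on a PR with more than ~50 commits, or a push whose `event.before` is further back than that, part of the `--since-commit` range is behind the shallow boundary, and a git-range scan over a shallow clone either errors out or quietly covers only the commits that were fetched, i.e. the large changes most likely to carry a stray credential get the least coverage. A cheap guard before the scan step checks that `base..HEAD` does not cross the shallow boundary and deepens until it does not, failing loudly otherwise; a sibling check on `github.event.before` (skipping the all-zero SHA of a branch creation) would cover pushes. Sketch below, to be placed between the checkout and the TruffleHog step.
```yaml
      - name: Ensure the PR scan range is not cut off by the shallow clone
        if: github.event_name == 'pull_request'
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # A shallow-boundary commit inside base..HEAD means history is missing and a
          # diff scan would silently skip it; deepen until the range is complete.
          SHALLOW="$(git rev-parse --git-path shallow)"
          for _ in 1 2 3 4; do
            if git cat-file -e "${BASE_SHA}^{commit}" 2>/dev/null; then
              CUT_OFF=""
              [[ -f "${SHALLOW}" ]] && CUT_OFF=$(git rev-list "${BASE_SHA}..HEAD" | grep -xFf "${SHALLOW}" || true)
              [[ -z "${CUT_OFF}" ]] && exit 0
            fi
            git fetch --deepen=100 origin
          done
          echo "::error::base..HEAD still crosses the shallow boundary after deepening; the secret scan would be incomplete."
          exit 1
      # … unchanged: TruffleHog scan step …
```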
+++ b/.github/workflows/mcp-container-build-push.yml @@ -152,7 +152,7 @@ jobs: org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }} ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml index b205232b0c..5b750f0998 100644 --- a/.github/workflows/mcp-container-checks.yml +++ b/.github/workflows/mcp-container-checks.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'mcp_server/**' + - '.github/workflows/mcp-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'mcp_server/**' + - '.github/workflows/mcp-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -56,16 +62,7 @@ jobs: mcp-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read 
@@ -112,23 +109,22 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build MCP container for ${{ matrix.arch }} + - name: Build MCP container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ${{ env.MCP_WORKING_DIR }} push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} - - name: Scan MCP container with Trivy for ${{ matrix.arch }} + - name: Scan MCP container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/mcp-pypi-release.yml b/.github/workflows/mcp-pypi-release.yml index cccda1f664..92015873b5 100644 --- a/.github/workflows/mcp-pypi-release.yml +++ b/.github/workflows/mcp-pypi-release.yml 
@@ -86,11 +86,32 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} + # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release + # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in + # sync with mcp_server/CHANGELOG.md, but this publish workflow still runs on every release. + # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any + # workflow_dispatch re-runs) without failing with HTTP 400 (version exists). + - name: Check if prowler-mcp version already exists on PyPI + id: pypi-check + working-directory: ${{ env.WORKING_DIRECTORY }} + run: | + MCP_VERSION=$(grep '^version' pyproject.toml | head -1 | sed -E 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/') + echo "mcp_version=${MCP_VERSION}" >> "$GITHUB_OUTPUT" + if curl -fsS "https://pypi.org/pypi/prowler-mcp/${MCP_VERSION}/json" >/dev/null 2>&1; then + echo "skip=true" >> "$GITHUB_OUTPUT" + echo "::notice title=Skipping prowler-mcp publish::Version ${MCP_VERSION} already exists on PyPI; bump mcp_server/pyproject.toml to publish a new release." + else + echo "skip=false" >> "$GITHUB_OUTPUT" + echo "::notice title=Publishing prowler-mcp::Version ${MCP_VERSION} not on PyPI yet; proceeding." + fi + - name: Build prowler-mcp package + if: steps.pypi-check.outputs.skip != 'true' working-directory: ${{ env.WORKING_DIRECTORY }} run: uv build - name: Publish prowler-mcp package to PyPI + if: steps.pypi-check.outputs.skip != 'true' uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/ diff --git a/.github/workflows/nightly-arm64-container-builds.yml b/.github/workflows/nightly-arm64-container-builds.yml new file mode 100644 index 0000000000..c3ad0a92d5 --- /dev/null +++ b/.github/workflows/nightly-arm64-container-builds.yml 
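Review bot: The pre-flight check treats every curl failure as "not published": a PyPI outage, rate limit or DNS hiccup returns a non-200 and the step sets `skip=false`, and if the `grep '^version'` line picks up a different key (anything starting with `version`, e.g. `version_scheme`) or the `sed` fails to match, `MCP_VERSION` is empty and the URL `.../prowler-mcp//json` yields a 404 that is also read as "go ahead". The publish step would then fail with the HTTP 400 this change was meant to avoid, or, for the empty-version case, attempt a publish with no version recorded in the outputs. Distinguishing 404 from other responses and refusing to continue on an unparsable version makes the gate fail closed; the rewritten `run` block is below, the rest of the step unchanged.
```yaml
        run: |
          # Anchored on the exact `version = "..."` line so a key such as
          # `version_scheme` cannot be picked up; empty means the parse failed.
          MCP_VERSION=$(sed -nE 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' pyproject.toml | head -1)
          if [[ -z "${MCP_VERSION}" ]]; then
            echo "::error::Could not read the version from pyproject.toml; refusing to publish."
            exit 1
          fi
          echo "mcp_version=${MCP_VERSION}" >> "$GITHUB_OUTPUT"
          # Only a 404 means "not published yet"; any other non-200 (outage,
          # rate limit, DNS) must not be mistaken for a green light.
          HTTP_CODE=$(curl -sS -o /dev/null -w '%{http_code}' "https://pypi.org/pypi/prowler-mcp/${MCP_VERSION}/json" || true)
          case "${HTTP_CODE}" in
            200)
              echo "skip=true" >> "$GITHUB_OUTPUT"
              echo "::notice title=Skipping prowler-mcp publish::Version ${MCP_VERSION} already exists on PyPI; bump mcp_server/pyproject.toml to publish a new release."
              ;;
            404)
              echo "skip=false" >> "$GITHUB_OUTPUT"
              echo "::notice title=Publishing prowler-mcp::Version ${MCP_VERSION} not on PyPI yet; proceeding."
              ;;
            *)
              echo "::error::Unexpected response '${HTTP_CODE}' from PyPI while checking prowler-mcp ${MCP_VERSION}; aborting."
              exit 1
              ;;
          esac
```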
@@ -0,0 +1,98 @@ +name: 'Nightly: ARM64 Container Builds' + +# Mitigation for amd64-only PR container-checks: build amd64+arm64 nightly against +# master to keep arm-specific Dockerfile regressions caught quickly. Build only — +# no push, no Trivy (weekly checks already cover that). + +on: + schedule: + - cron: '0 4 * * *' + workflow_dispatch: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +permissions: {} + +jobs: + build-arm64: + if: github.repository == 'prowler-cloud/prowler' + runs-on: ubuntu-24.04-arm + timeout-minutes: 60 + permissions: + contents: read + strategy: + fail-fast: false + matrix: + include: + - component: sdk + context: . + dockerfile: ./Dockerfile + image_name: prowler + - component: api + context: ./api + dockerfile: ./api/Dockerfile + image_name: prowler-api + - component: ui + context: ./ui + dockerfile: ./ui/Dockerfile + image_name: prowler-ui + target: prod + build_args: | + NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX + - component: mcp + context: ./mcp_server + dockerfile: ./mcp_server/Dockerfile + image_name: prowler-mcp + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + + - name: Build ${{ matrix.component }} container (linux/arm64) + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + with: + context: ${{ matrix.context }} + file: ${{ matrix.dockerfile }} + target: ${{ matrix.target }} + push: false + load: false + platforms: linux/arm64 + tags: ${{ matrix.image_name }}:nightly-arm64 + build-args: ${{ matrix.build_args }} + cache-from: type=gha,scope=arm64 + cache-to: 
type=gha,mode=min,scope=arm64 + + notify-failure: + needs: build-arm64 + if: failure() && github.event_name == 'schedule' + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + contents: read + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Notify Slack on failure + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 + with: + method: chat.postMessage + token: ${{ secrets.SLACK_BOT_TOKEN }} + payload: | + channel: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }} + text: ":rotating_light: Nightly arm64 container build failed for prowler — <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|view run>" + errors: true diff --git a/.github/workflows/pr-check-changelog.yml b/.github/workflows/pr-check-changelog.yml index fa01ba4cbe..076ffea55c 100644 --- a/.github/workflows/pr-check-changelog.yml +++ b/.github/workflows/pr-check-changelog.yml @@ -41,10 +41,15 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + fetch-depth: 1 # zizmor: ignore[artipacked] persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch + - name: Fetch PR base ref for tj-actions/changed-files + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: git fetch --depth=1 origin "${BASE_REF}" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 diff --git a/.github/workflows/pr-check-compliance-mapping.yml b/.github/workflows/pr-check-compliance-mapping.yml index be934d5983..d906a522f1 100644 --- a/.github/workflows/pr-check-compliance-mapping.yml +++ b/.github/workflows/pr-check-compliance-mapping.yml 
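Review bot: All four matrix entries write the build cache with `cache-to: type=gha,mode=min,scope=arm64`, the same scope the *-container-build-push workflows use for their arm64 leg, so the sdk, api, ui and mcp nightly builds evict each other's layers within the repository cache quota and also churn the release builds' cache. Per-component scoping, `cache-from: type=gha,scope=${{ matrix.component }}-arm64` and `cache-to: type=gha,mode=min,scope=${{ matrix.component }}-arm64`, keeps them apart; if sharing with build-push is intentional, a comment saying so would stop someone "fixing" it. Two smaller points: `target: ${{ matrix.target }}` and `build-args: ${{ matrix.build_args }}` expand to empty strings for the entries that do not set them, which docker/build-push-action tolerates in my experience but deserves a note on the matrix, and the header's "weekly checks already cover that" would be verifiable if it named the workflow.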
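Review bot: After this change both sides of the comparison are at depth 1 (`fetch-depth: 1` for the head, `--depth=1` for the base), so the clone holds a merge-base only when the PR head is a direct child of the base tip; if I recall tj-actions/changed-files correctly it fetches the base itself and deepens on demand (`fetch_depth` and its retry inputs) until it finds one, in which case this extra fetch step is redundant, but if that on-demand fetching is disabled in the action's inputs a three-dot diff cannot be computed. The same step is added in pr-check-compliance-mapping and pr-conflict-checker, and the behaviour relied on should be stated on it either way, e.g. `# Seeds the base ref only; tj-actions/changed-files deepens history until a merge-base exists`. Separately, the `# zizmor: ignore[artipacked]` now sits on `fetch-depth` while the finding it suppresses concerns `persist-credentials: true` on the next line; moving it onto that line keeps the justification next to the setting it excuses.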
@@ -45,10 +45,15 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + fetch-depth: 1 # zizmor: ignore[artipacked] persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch + - name: Fetch PR base ref for tj-actions/changed-files + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: git fetch --depth=1 origin "${BASE_REF}" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml index 667f807be8..d8036f1432 100644 --- a/.github/workflows/pr-conflict-checker.yml +++ b/.github/workflows/pr-conflict-checker.yml @@ -36,9 +36,14 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 + fetch-depth: 1 persist-credentials: false + - name: Fetch PR base ref for tj-actions/changed-files + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: git fetch --depth=1 origin "${BASE_REF}" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 diff --git a/.github/workflows/sdk-check-duplicate-test-names.yml b/.github/workflows/sdk-check-duplicate-test-names.yml index 17c595ca11..e5e5506df3 100644 --- a/.github/workflows/sdk-check-duplicate-test-names.yml +++ b/.github/workflows/sdk-check-duplicate-test-names.yml @@ -5,6 +5,9 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'tests/providers/**/*_test.py' + - '.github/workflows/sdk-check-duplicate-test-names.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/sdk-code-quality.yml b/.github/workflows/sdk-code-quality.yml index b777ee1657..87c6598942 100644 --- a/.github/workflows/sdk-code-quality.yml 
+++ b/.github/workflows/sdk-code-quality.yml @@ -5,10 +5,26 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-code-quality.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-code-quality.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/sdk-container-build-push.yml b/.github/workflows/sdk-container-build-push.yml index 8a2bba691c..c55c3cceca 100644 --- a/.github/workflows/sdk-container-build-push.yml +++ b/.github/workflows/sdk-container-build-push.yml @@ -3,9 +3,7 @@ name: 'SDK: Container Build and Push' on: push: branches: - - 'v3' # For v3-latest - - 'v4.6' # For v4-latest - - 'master' # For latest + - 'master' paths-ignore: - '.github/**' - '!.github/workflows/sdk-container-build-push.yml' @@ -56,7 +54,6 @@ jobs: timeout-minutes: 5 outputs: prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }} - prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }} latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }} stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }} permissions: 
@@ -92,32 +89,13 @@ jobs: PROWLER_VERSION="$(poetry version -s 2>/dev/null)" echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}" - # Extract major version PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}" - echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}" - - # Set version-specific tags - case ${PROWLER_VERSION_MAJOR} in - 3) - echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}" - echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}" - echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable" - ;; - 4) - echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}" - echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}" - echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable" - ;; - 5) - echo "latest_tag=latest" >> "${GITHUB_OUTPUT}" - echo "stable_tag=stable" >> "${GITHUB_OUTPUT}" - echo "✓ Prowler v5 detected - tags: latest, stable" - ;; - *) - echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}" - exit 1 - ;; - esac + if [[ "${PROWLER_VERSION_MAJOR}" != "5" ]]; then + echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}" + exit 1 + fi + echo "latest_tag=latest" >> "${GITHUB_OUTPUT}" + echo "stable_tag=stable" >> "${GITHUB_OUTPUT}" notify-release-started: if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch') @@ -228,7 +206,7 @@ jobs: tags: | ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: 
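Review bot: When `poetry version -s` fails its stderr is discarded and `PROWLER_VERSION` is empty, so the new guard reports `Unsupported Prowler major version: ` with nothing after the colon, which is hard to diagnose from a release run log. Including the raw version makes that case visible: `echo "::error::Unsupported Prowler version '${PROWLER_VERSION}' (major '${PROWLER_VERSION_MAJOR}'); only 5.x is released from this workflow"`. The step's `run` block continues outside the hunk.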
@@ -386,39 +364,3 @@ jobs: payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json" step-outcome: ${{ steps.outcome.outputs.outcome }} update-ts: ${{ needs.notify-release-started.outputs.message-ts }} - - dispatch-v3-deployment: - needs: [setup, container-build-push] - if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success' - runs-on: ubuntu-latest - timeout-minutes: 5 - permissions: - contents: read - - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 - with: - egress-policy: audit - - - name: Calculate short SHA - id: short-sha - run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT - - - name: Dispatch v3 deployment (latest) - if: github.event_name == 'push' - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 - with: - token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }} - repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }} - event-type: dispatch - client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}' - - - name: Dispatch v3 deployment (release) - if: github.event_name == 'release' - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 - with: - token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }} - repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }} - event-type: dispatch - client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}' diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml index 3474df676e..218c4e7ebc 100644 --- a/.github/workflows/sdk-container-checks.yml +++ b/.github/workflows/sdk-container-checks.yml 
@@ -5,10 +5,22 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'Dockerfile*' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'Dockerfile*' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -56,16 +68,7 @@ jobs: sdk-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -132,23 +135,22 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build SDK container for ${{ matrix.arch }} + - name: Build SDK container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} - - name: Scan SDK container with Trivy for ${{ matrix.arch }} + - name: Scan SDK container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' 
diff --git a/.github/workflows/sdk-security.yml b/.github/workflows/sdk-security.yml index ceb6b1db1c..81504a4ec1 100644 --- a/.github/workflows/sdk-security.yml +++ b/.github/workflows/sdk-security.yml @@ -5,10 +5,26 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-security.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-security.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/sdk-tests.yml b/.github/workflows/sdk-tests.yml index 0646e5f8b5..d3cdc1be29 100644 --- a/.github/workflows/sdk-tests.yml +++ b/.github/workflows/sdk-tests.yml @@ -5,10 +5,24 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/ui-container-build-push.yml b/.github/workflows/ui-container-build-push.yml index 6fab2d1efb..d8db786d49 100644 --- a/.github/workflows/ui-container-build-push.yml +++ b/.github/workflows/ui-container-build-push.yml 
@@ -151,7 +151,7 @@ jobs: tags: | ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml index eb7b508b58..d6ebaf46a3 100644 --- a/.github/workflows/ui-container-checks.yml +++ b/.github/workflows/ui-container-checks.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -57,16 +63,7 @@ jobs: ui-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -114,7 +111,7 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build UI container for ${{ matrix.arch }} + - name: Build UI container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: 
@@ -122,18 +119,17 @@ jobs: target: prod push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} build-args: | NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX - - name: Scan UI container with Trivy for ${{ matrix.arch }} + - name: Scan UI container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/ui-e2e-tests-v2.yml b/.github/workflows/ui-e2e-tests-v2.yml index 2a91e460be..883f07e2d8 100644 --- a/.github/workflows/ui-e2e-tests-v2.yml +++ b/.github/workflows/ui-e2e-tests-v2.yml @@ -15,6 +15,10 @@ on: - 'ui/**' - 'api/**' # API changes can affect UI E2E +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index c11e90b8f4..6d71a9eedf 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-tests.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-tests.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 931ef1b94c..ed0d3682d8 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml 
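Review bot: `cancel-in-progress: true` cancels the in-flight run whenever a newer one starts in the same group, and for a `push` trigger the group falls back to `github.ref`, so two quick pushes to the same branch would leave the earlier commit's E2E run cancelled and unverified; the hunk does not show this workflow's triggers, so this only bites if it has a push trigger alongside `pull_request`. The usual shape is `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. Also, on `pull_request` events `github.ref` is already `refs/pull/N/merge`, so `github.event.pull_request.number || github.ref` adds nothing over the `${{ github.workflow }}-${{ github.ref }}` group every other workflow in this PR uses; matching them would be more consistent.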
@@ -8,6 +8,7 @@ rules: - docs-bump-version.yml - issue-triage.lock.yml - mcp-container-build-push.yml + - nightly-arm64-container-builds.yml - pr-merged.yml - prepare-release.yml - sdk-bump-version.yml