Add gh actions to replace travis

.github/workflows/test-and-deploy.yml

@@ -0,0 +1,201 @@
+name: Test and Deploy DSS
+
+on:
+  push:
+    branches:
+      - main
+      - add-gh-actions
+    tags:
+      - '*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  PYTHON_VERSION: '3.12.13'
+  CONTAINER_REGISTRY: icr.io
+  IBM_CLOUD_REGION: us-east
+  DOCKER_IMAGE_NAME: icr.io/git-defenders/detect-secrets-stream
+
+jobs:
+  test:
+    name: Test and Quality Checks
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Set VERSION environment variable
+        run: |
+          if [ -n "${{ github.ref_type == 'tag' && github.ref_name || '' }}" ]; then
+            echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+          else
+            echo "VERSION=github-actions-${{ github.run_number }}-$(date +%Y%m%d-%H%M%S)" >> $GITHUB_ENV
+          fi
+
+      - name: Display build version
+        run: echo "Build Version=${{ env.VERSION }}"
+
+      - name: Cache Trivy
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/trivy
+          key: ${{ runner.os }}-trivy-${{ hashFiles('**/Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-trivy-
+
+      - name: Cache pre-commit
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pre-commit-
+
+      - name: Cache cosign
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/cosign
+          key: ${{ runner.os }}-cosign-${{ hashFiles('**/Makefile') }}
+          restore-keys: |
+            ${{ runner.os }}-cosign-
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Cache pipenv virtualenv
+        uses: actions/cache@v4
+        with:
+          path: ~/.local/share/virtualenvs
+          key: ${{ runner.os }}-pipenv-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-pipenv-${{ env.PYTHON_VERSION }}-
+
+      - name: Cache IBM Cloud CLI
+        uses: actions/cache@v4
+        with:
+          path: |
+            /usr/local/bin/ibmcloud
+            ~/.bluemix
+          key: ${{ runner.os }}-ibmcloud-${{ hashFiles('**/Makefile') }}
+          restore-keys: |
+            ${{ runner.os }}-ibmcloud-
+
+      - name: Cache Skaffold
+        uses: actions/cache@v4
+        with:
+          path: /usr/local/bin/skaffold
+          key: ${{ runner.os }}-skaffold-latest
+          restore-keys: |
+            ${{ runner.os }}-skaffold-
+
+      - name: Cache Kustomize
+        uses: actions/cache@v4
+        with:
+          path: /usr/local/bin/kustomize
+          key: ${{ runner.os }}-kustomize-latest
+          restore-keys: |
+            ${{ runner.os }}-kustomize-
+
+      - name: Cache container-structure-test
+        uses: actions/cache@v4
+        with:
+          path: /usr/local/bin/container-structure-test
+          key: ${{ runner.os }}-container-structure-test-latest
+          restore-keys: |
+            ${{ runner.os }}-container-structure-test-
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Install dependencies
+        run: make setup
+        env:
+          TRAVIS: true  # Some Makefile targets check for this
+
+      - name: Run tests and quality checks
+        run: make travis-test
+        env:
+          TRAVIS: true
+          GD_VAULT_CONF: /home/runner/vault.prod.conf
+
+  deploy:
+    name: Deploy to Container Registry
+    runs-on: ubuntu-latest
+    needs: test
+    if: |
+      github.event_name == 'push' &&
+      (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Set VERSION environment variable
+        run: |
+          if [ -n "${{ github.ref_type == 'tag' && github.ref_name || '' }}" ]; then
+            echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+          else
+            echo "VERSION=github-actions-${{ github.run_number }}-$(date +%Y%m%d-%H%M%S)" >> $GITHUB_ENV
+          fi
+
+      - name: Display build version
+        run: echo "Build Version=${{ env.VERSION }}"
+
+      - name: Cache Trivy
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/trivy
+          key: ${{ runner.os }}-trivy-${{ hashFiles('**/Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-trivy-
+
+      - name: Cache cosign
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/cosign
+          key: ${{ runner.os }}-cosign-${{ hashFiles('**/Makefile') }}
+          restore-keys: |
+            ${{ runner.os }}-cosign-
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/Pipfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Install deployment dependencies
+        run: make setup
+        env:
+          TRAVIS: true
+
+      - name: Deploy to registry
+        run: make travis-deploy
+        env:
+          IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+          VERSION: ${{ env.VERSION }}

Dockerfiles/Dockerfile.dss

@@ -1,14 +1,14 @@
 # Stage 1, create base
 # Reference from https://github.com/pypa/pipenv/issues/3160#issuecomment-510951442
 
-FROM python:3.12-slim AS base
+FROM python:3.12.13-slim AS base
 
 ENV PYROOT /pyroot
 ENV PYTHONUSERBASE $PYROOT
 ENV PATH $PATH:$PYROOT/bin
 
-RUN pip install pip==25.3
-RUN pip install setuptools==78.1.1
+RUN pip install pip==26.0
+RUN pip install setuptools==82.0.1
 
 RUN apt-get update && \
     apt-get upgrade -y && \
@@ -31,6 +31,7 @@ RUN PIP_USER=1 PIP_IGNORE_INSTALLED=1 pipenv install --system --deploy --ignore-
 # Explicitly install packages that are sometimes skipped by pipenv
 # Use same PIP_USER=1 environment variable to install to /pyroot
 RUN PIP_USER=1 PIP_IGNORE_INSTALLED=1 pip install certifi==2024.12.14 typing-extensions==4.12.2 packaging==24.2 zope.interface==7.2 zope.event==5.0
+
 # Stage 3
 FROM base
 

Makefile

@@ -93,7 +93,7 @@ setup: setup-trivy setup-cosign setup-deploy-tools
 	curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
 	ibmcloud -v
 	ibmcloud plugin install container-service -f
-	ibmcloud plugin install container-registry
+	ibmcloud plugin install container-registry -f
 
 .PHONY: start-local-test-db
 start-local-test-db: stop-local-test-db
@@ -157,7 +157,7 @@ endif
 	# ignore 41002: coverage <6.0b1 resolved (5.5 installed)! it's part of pytest-cov
 	# which does not have a version containing the fix.
 	pipenv check --ignore 41002 --ignore 51499
-	pre-commit run --all-files --show-diff-on-failure
+	pipenv run pre-commit run --all-files --show-diff-on-failure
 
 .PHONY: start-db_metrics
 start-db_metrics:

Pipfile

@@ -25,7 +25,7 @@ click = "==8.1.8"
 flask = "==3.1.1"
 backoff = "==2.2.1"
 boxsdk = {extras = ["jwt"],version = "==3.12.0"}
-cryptography = "==44.0.1"
+cryptography = "==46.0.5"
 hvac = "==2.3.0"
 asyncio = "==3.4.3"
 requests = "==2.32.5"
@@ -36,8 +36,10 @@ gunicorn = "==23.0.0"
 gevent = "==24.11.1"
 zope.interface = "==7.2"
 zope.event = "==5.0"
-pyjwt = "==2.10.1"
-ibm-db = "==3.2.7"
+pyjwt = "==2.12.0"
+ibm-db = "==3.2.8"
+ibm-cloud-sdk-core = "==3.24.4"
+ibm-secrets-manager-sdk = "==2.1.19"
 detect-secrets = {ref = "0.13.1+ibm.64.dss", git = "https://github.com/ibm/detect-secrets.git"}
 pytest = "==8.3.4"
 Werkzeug = "==3.1.5"