diff --git a/.github/workflows/cerberus-integration.yml b/.github/workflows/cerberus-integration.yml
index 2321e88f..59a7ab15 100644
--- a/.github/workflows/cerberus-integration.yml
+++ b/.github/workflows/cerberus-integration.yml
@@ -6,7 +6,9 @@ on:
 workflow_run:
 workflows: ["Docker Build, Publish & Test"]
 types: [completed]
- branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ push:
+ branches: [main, development, 'feature/**', 'hotfix/**']
 pull_request:
 branches: [main, development, 'feature/**', 'hotfix/**']
 # Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
 - name: Determine image tag
 id: determine-tag
 env:
- EVENT: ${{ github.event.workflow_run.event }}
- REF: ${{ github.event.workflow_run.head_branch }}
- SHA: ${{ github.event.workflow_run.head_sha }}
+ EVENT: ${{ github.event.workflow_run.event || github.event_name }}
+ REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
+ SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
 MANUAL_TAG: ${{ inputs.image_tag }}
 run: |
 # Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
 # Use native pull_requests array (no API calls needed)
 PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')

+ # Fallback for direct PR trigger
+ if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
+ PR_NUM="${{ github.event.number }}"
+ fi
+
 if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
 echo "❌ ERROR: Could not determine PR number"
 echo "Event: $EVENT"
diff --git a/.github/workflows/crowdsec-integration.yml b/.github/workflows/crowdsec-integration.yml
index 2e8425ad..e4d2e8c8 100644
--- a/.github/workflows/crowdsec-integration.yml
+++ b/.github/workflows/crowdsec-integration.yml
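Review bot: Adding `push:` and `pull_request:` while keeping `workflow_run:` means one commit on these branches now starts this workflow twice, and the push/pull_request run starts (presumably) at the same time as the "Docker Build, Publish & Test" run whose image it later tries to pull, so that first run will usually fail or fall back while the `workflow_run` run repeats the same checks afterwards. A `concurrency:` group keyed on the commit SHA would stop the two runs from overlapping, but the race with the build is only avoided by keeping `workflow_run` as the sole trigger for image-dependent jobs or by making the push/pull_request path wait for the build. The removed trailing comment `# Explicit branch filter prevents unexpected triggers` was the only explanation of the `branches:` filter; keeping it on the new line preserves that intent. The same trigger change is made in crowdsec-integration.yml, rate-limit-integration.yml, waf-integration.yml, security-pr.yml and supply-chain-pr.yml.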
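Review bot: The `SHA:` fallback `|| github.sha` resolves to the merge commit on a `pull_request` trigger, not the PR head commit, while security-pr.yml and supply-chain-pr.yml in this same commit use `github.event.pull_request.head.sha || github.sha`; if the later "Validate image SHA" step compares the image's `org.opencontainers.image.revision` label against this value, direct PR runs of the integration workflows will fail that check. Likewise `REF: ... || github.ref_name` yields `<n>/merge` for pull_request events where `github.head_ref` would give the branch. Suggest `SHA: ${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}` and `REF: ${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}`; keeping these under `env:` rather than inline in `run:` is the right shape and should stay. The same hunk appears in crowdsec-integration.yml, rate-limit-integration.yml and waf-integration.yml.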
@@ -6,7 +6,9 @@ on:
 workflow_run:
 workflows: ["Docker Build, Publish & Test"]
 types: [completed]
- branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ push:
+ branches: [main, development, 'feature/**', 'hotfix/**']
 pull_request:
 branches: [main, development, 'feature/**', 'hotfix/**']
 # Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
 - name: Determine image tag
 id: determine-tag
 env:
- EVENT: ${{ github.event.workflow_run.event }}
- REF: ${{ github.event.workflow_run.head_branch }}
- SHA: ${{ github.event.workflow_run.head_sha }}
+ EVENT: ${{ github.event.workflow_run.event || github.event_name }}
+ REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
+ SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
 MANUAL_TAG: ${{ inputs.image_tag }}
 run: |
 # Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
 # Use native pull_requests array (no API calls needed)
 PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')

+ # Fallback for direct PR trigger
+ if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
+ PR_NUM="${{ github.event.number }}"
+ fi
+
 if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
 echo "❌ ERROR: Could not determine PR number"
 echo "Event: $EVENT"
diff --git a/.github/workflows/rate-limit-integration.yml b/.github/workflows/rate-limit-integration.yml
index 079181a2..1a25e6ff 100644
--- a/.github/workflows/rate-limit-integration.yml
+++ b/.github/workflows/rate-limit-integration.yml
@@ -6,7 +6,9 @@ on:
 workflow_run:
 workflows: ["Docker Build, Publish & Test"]
 types: [completed]
- branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ push:
+ branches: [main, development, 'feature/**', 'hotfix/**']
 pull_request:
 branches: [main, development, 'feature/**', 'hotfix/**']
 # Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
 - name: Determine image tag
 id: determine-tag
 env:
- EVENT: ${{ github.event.workflow_run.event }}
- REF: ${{ github.event.workflow_run.head_branch }}
- SHA: ${{ github.event.workflow_run.head_sha }}
+ EVENT: ${{ github.event.workflow_run.event || github.event_name }}
+ REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
+ SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
 MANUAL_TAG: ${{ inputs.image_tag }}
 run: |
 # Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
 # Use native pull_requests array (no API calls needed)
 PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')

+ # Fallback for direct PR trigger
+ if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
+ PR_NUM="${{ github.event.number }}"
+ fi
+
 if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
 echo "❌ ERROR: Could not determine PR number"
 echo "Event: $EVENT"
@@ -103,7 +110,7 @@ jobs:
 max_attempts: 3
 retry_wait_seconds: 10
 command: |
- IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
+ IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
 echo "Pulling image: $IMAGE_NAME"
 docker pull "$IMAGE_NAME"
 docker tag "$IMAGE_NAME" charon:local
@@ -115,12 +122,12 @@ jobs:
 if: steps.pull_image.outcome == 'failure'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SHA: ${{ steps.image.outputs.sha }}
+ SHA: ${{ steps.determine-tag.outputs.sha }}
 run: |
 echo "⚠️ Registry pull failed, falling back to artifact..."

 # Determine artifact name based on source type
- if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
+ if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
 PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
 ARTIFACT_NAME="pr-image-${PR_NUM}"
 else
@@ -144,7 +151,7 @@ jobs:
 # Validate image freshness by checking SHA label
 - name: Validate image SHA
 env:
- SHA: ${{ steps.image.outputs.sha }}
+ SHA: ${{ steps.determine-tag.outputs.sha }}
 run: |
 LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
 echo "Expected SHA: $SHA"
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index 9d9cee01..6707fa96 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -8,6 +8,11 @@ on:
 workflows: ["Docker Build, Publish & Test"]
 types:
 - completed
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ push:
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ pull_request:
+ branches: [main, development, 'feature/**', 'hotfix/**']

 workflow_dispatch:
 inputs:
@@ -59,8 +64,8 @@ jobs:
 exit 0
 fi

- # Extract PR number from workflow_run context
- HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
+ # Extract PR number from context
+ HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
 echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"

 # Query GitHub API for PR associated with this commit
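Review bot: The artifact fallback step still takes `PR_NUM` only from `github.event.workflow_run.pull_requests`, so on the newly added direct `pull_request` trigger `jq` yields `null` and the step looks for `pr-image-null`; the `github.event.number` fallback this commit adds to the determine-tag step is not applied here. Replicating it after the `jq` line, `if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then PR_NUM="${{ github.event.number }}"; fi`, keeps the two steps in agreement. The same omission is in waf-integration.yml's hunk at the same location. The step's `run:` block continues past the end of this hunk.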
@@ -79,9 +84,10 @@ jobs:
 fi

 # Check if this is a push event (not a PR)
- if [[ "${{ github.event.workflow_run.event }}" == "push" ]]; then
+ if [[ "${{ github.event.workflow_run.event }}" == "push" || "${{ github.event_name }}" == "push" ]]; then
+ HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"
 echo "is_push=true" >> "$GITHUB_OUTPUT"
- echo "✅ Detected push build from branch: ${{ github.event.workflow_run.head_branch }}"
+ echo "✅ Detected push build from branch: ${HEAD_BRANCH}"
 else
 echo "is_push=false" >> "$GITHUB_OUTPUT"
 fi
@@ -116,6 +122,21 @@ jobs:
 echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
 exit 0
 fi
+ elif [[ -z "${RUN_ID}" ]]; then
+ # If triggered by push/pull_request, RUN_ID is empty. Find recent run for this commit.
+ HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
+ echo "🔍 Searching for workflow run for SHA: ${HEAD_SHA}"
+ # Retry a few times as the run might be just starting or finishing
+ for i in {1..3}; do
+ RUN_ID=$(gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?head_sha=${HEAD_SHA}&status=success&per_page=1" \
+ --jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
+ if [[ -n "${RUN_ID}" ]]; then break; fi
+ echo "⏳ Waiting for workflow run to appear/complete... ($i/3)"
+ sleep 5
+ done
 fi

 echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index 5ec28828..5faaa628 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
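Review bot: `HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"` expands the branch name into the script text before bash runs it, and `workflow_run.head_branch` (like `github.head_ref`, which supply-chain-pr.yml's `@@ -56,15` hunk adds to the same expression) can be set by whoever pushed the head branch, including a fork author on `pull_request`; GitHub's hardening guidance treats these as values to pass through `env:` rather than inline. The integration workflows in this same commit already do that (`REF:` under the step's `env:`), so the consistent shape here is `env:` with `HEAD_BRANCH: ${{ github.event.workflow_run.head_branch || github.ref_name }}` on the step and a plain `${HEAD_BRANCH}` in `run:`. The same inline expansion is in supply-chain-pr.yml's `@@ -56,15` and `@@ -94,9` hunks. The `if` this hunk edits sits inside a `run:` block that starts outside the hunk.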
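Review bot: The new `elif` branch waits at most 3 × 5 s, but on a `push`/`pull_request` trigger this workflow presumably starts at the same time as the Docker build it is polling for, so `status=success` will rarely be reached within 15 s and `RUN_ID` stays empty; either the wait should cover a realistic build time or the push/pull_request path should emit `artifact_exists=false` and exit early instead of polling. The loop also hides API failures with `2>/dev/null || echo ""`, so a token or rate-limit problem is indistinguishable from "not built yet" — surfacing `gh`'s stderr on the last attempt would help triage. The `if`/`elif` chain starts outside this hunk, and supply-chain-pr.yml's `@@ -135,10` hunk carries the same loop.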
@@ -7,6 +7,11 @@ on:
 workflows: ["Docker Build, Publish & Test"]
 types:
 - completed
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ push:
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ pull_request:
+ branches: [main, development, 'feature/**', 'hotfix/**']

 workflow_dispatch:
 inputs:
@@ -56,15 +61,15 @@ jobs:
 exit 0
 fi

- if [[ "${{ github.event_name }}" != "workflow_run" ]]; then
- echo "❌ No PR number provided and not triggered by workflow_run"
+ if [[ "${{ github.event_name }}" != "workflow_run" && "${{ github.event_name }}" != "push" && "${{ github.event_name }}" != "pull_request" ]]; then
+ echo "❌ No PR number provided and not triggered by workflow_run/push/pr"
 echo "pr_number=" >> "$GITHUB_OUTPUT"
 exit 0
 fi

- # Extract PR number from workflow_run context
- HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
- HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
+ # Extract PR number from context
+ HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
+ HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}"
 echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"
 echo "🔍 Head branch: ${HEAD_BRANCH}"

@@ -94,9 +99,10 @@ jobs:
 fi

 # Check if this is a push event (not a PR)
- if [[ "${{ github.event.workflow_run.event }}" == "push" ]]; then
+ if [[ "${{ github.event.workflow_run.event }}" == "push" || "${{ github.event_name }}" == "push" ]]; then
 echo "is_push=true" >> "$GITHUB_OUTPUT"
- echo "✅ Detected push build from branch: ${{ github.event.workflow_run.head_branch }}"
+ HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"
+ echo "✅ Detected push build from branch: ${HEAD_BRANCH}"
 else
 echo "is_push=false" >> "$GITHUB_OUTPUT"
 fi
@@ -135,10 +141,37 @@ jobs:
 -H "X-GitHub-Api-Version: 2022-11-28" \
 "/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
 --jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
+ else
+ # If RUN_ID is empty (push/pr trigger), try to find a recent successful run for this SHA
+ HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
+ echo "🔍 Searching for workflow run for SHA: ${HEAD_SHA}"
+ # Retry a few times as the run might be just starting or finishing
+ for i in {1..3}; do
+ RUN_ID=$(gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?head_sha=${HEAD_SHA}&status=success&per_page=1" \
+ --jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
+ if [[ -n "${RUN_ID}" ]]; then
+ echo "✅ Found Run ID: ${RUN_ID}"
+ break
+ fi
+ echo "⏳ Waiting for workflow run to appear/complete... ($i/3)"
+ sleep 5
+ done
+
+ if [[ -n "${RUN_ID}" ]]; then
+ ARTIFACT_ID=$(gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
+ --jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
+ fi
 fi

 if [[ -z "${ARTIFACT_ID}" ]]; then
- # Fallback: search recent artifacts
+ # Fallback for manual or missing info: search recent artifacts by name
+ echo "🔍 Falling back to search by artifact name..."
 ARTIFACT_ID=$(gh api \
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
diff --git a/.github/workflows/waf-integration.yml b/.github/workflows/waf-integration.yml
index ef5428be..1badab28 100644
--- a/.github/workflows/waf-integration.yml
+++ b/.github/workflows/waf-integration.yml
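Review bot: When the per-SHA lookup in the new `else` branch comes up empty — the likely outcome for a push/pull_request-triggered run that races the build — control falls into the name-only fallback below, which has no binding to `HEAD_SHA`: `select(.name == \"${ARTIFACT_NAME}\")` can return an artifact built from an older commit, and the supply-chain result would then be attributed to the wrong image. The artifact list response carries a `workflow_run.head_sha` field per artifact, so the fallback selector can be tightened to `select(.name == \"${ARTIFACT_NAME}\" and .workflow_run.head_sha == \"${HEAD_SHA}\") | .id`, or the step should take the "not found" path rather than a name match. The `ARTIFACT_ID=$(gh api \` call in the `else` branch also duplicates the one in the `if` branch above; computing `RUN_ID` first and making a single lookup would remove that repetition. The fallback's `gh api` call and the enclosing step continue past the end of this hunk.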
@@ -6,7 +6,9 @@ on:
 workflow_run:
 workflows: ["Docker Build, Publish & Test"]
 types: [completed]
- branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
+ branches: [main, development, 'feature/**', 'hotfix/**']
+ push:
+ branches: [main, development, 'feature/**', 'hotfix/**']
 pull_request:
 branches: [main, development, 'feature/**', 'hotfix/**']
 # Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
 - name: Determine image tag
 id: determine-tag
 env:
- EVENT: ${{ github.event.workflow_run.event }}
- REF: ${{ github.event.workflow_run.head_branch }}
- SHA: ${{ github.event.workflow_run.head_sha }}
+ EVENT: ${{ github.event.workflow_run.event || github.event_name }}
+ REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
+ SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
 MANUAL_TAG: ${{ inputs.image_tag }}
 run: |
 # Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
 # Use native pull_requests array (no API calls needed)
 PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')

+ # Fallback for direct PR trigger
+ if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
+ PR_NUM="${{ github.event.number }}"
+ fi
+
 if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
 echo "❌ ERROR: Could not determine PR number"
 echo "Event: $EVENT"
@@ -103,7 +110,7 @@ jobs:
 max_attempts: 3
 retry_wait_seconds: 10
 command: |
- IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
+ IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
 echo "Pulling image: $IMAGE_NAME"
 docker pull "$IMAGE_NAME"
 docker tag "$IMAGE_NAME" charon:local
@@ -115,12 +122,12 @@ jobs:
 if: steps.pull_image.outcome == 'failure'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SHA: ${{ steps.image.outputs.sha }}
+ SHA: ${{ steps.determine-tag.outputs.sha }}
 run: |
 echo "⚠️ Registry pull failed, falling back to artifact..."

 # Determine artifact name based on source type
- if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
+ if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
 PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
 ARTIFACT_NAME="pr-image-${PR_NUM}"
 else
@@ -144,7 +151,7 @@ jobs:
 # Validate image freshness by checking SHA label
 - name: Validate image SHA
 env:
- SHA: ${{ steps.image.outputs.sha }}
+ SHA: ${{ steps.determine-tag.outputs.sha }}
 run: |
 LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
 echo "Expected SHA: $SHA"