Merge pull request #162 from bcgov/pipeline-test #77
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Main Merge | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- ".**" | |
- "**.md" | |
- "**.yml" | |
- "**.yaml" | |
env: | |
REGISTRY: ghcr.io | |
NAME: esra | |
jobs: | |
codeql: | |
name: Semantic Code Analysis | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
- name: Initialize | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: javascript | |
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | |
# If this step fails, then you should remove it and run the build manually (see below) | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v2 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
# https://github.com/snyk/snyk | |
snyk: | |
name: Dependency Report | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
- name: Run Snyk to check for vulnerabilities | |
uses: snyk/actions/node@master | |
continue-on-error: true # To make sure that SARIF upload gets called | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
args: --all-projects --severity-threshold=high --sarif-file-output=snyk.sarif | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: snyk.sarif | |
sonarcloud: | |
name: Static Analysis | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
# Disable shallow clone for SonarCloud analysis | |
with: | |
fetch-depth: 0 | |
- name: Backend Tests | |
run: | | |
cd frontend | |
npm ci | |
npm run test:cov | |
- name: Frontend Tests | |
run: | | |
cd frontend | |
npm ci | |
npm run test:cov | |
# - name: SonarCloud Scan | |
# uses: SonarSource/sonarcloud-github-action@master | |
# env: | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
# with: | |
# args: > | |
# -Dsonar.exclusions=**/test/**,.github/**/* | |
# -Dsonar.organization=bcgov-sonarcloud | |
# -Dsonar.javascript.lcov.reportPaths=backend/coverage/lcov.info,frontend/coverage/lcov.info | |
# -Dsonar.cobertura.reportPaths=backend/coverage/cobertura-coverage.xml,frontend/coverage/cobertura-coverage.xml | |
# -Dsonar.project.monorepo.enabled=true | |
# -Dsonar.projectKey=greenfield-template | |
# -Dsonar.sources=backend,frontend | |
# -Dsonar.tests=backend/test,frontend/test | |
# https://github.com/marketplace/actions/aqua-security-trivy | |
trivy-backend: | |
name: Backend Image Report | |
runs-on: ubuntu-18.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
# Backend container scan | |
- name: Trivy Image Scan | |
uses: aquasecurity/trivy-action@0.3.0 | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:test-backend | |
ignore-unfixed: true | |
severity: CRITICAL | |
format: "sarif" | |
output: "trivy-results-backend.sarif" | |
- name: Upload Trivy results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results-backend.sarif" | |
# https://github.com/marketplace/actions/aqua-security-trivy | |
trivy-frontend: | |
name: Frontend Image Report | |
runs-on: ubuntu-18.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
# Frontend container scan | |
- name: Trivy Image Scan | |
uses: aquasecurity/trivy-action@0.3.0 | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:test-frontend | |
ignore-unfixed: true | |
severity: CRITICAL | |
format: "sarif" | |
output: "trivy-results-frontend.sarif" | |
- name: Upload Trivy results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results-frontend.sarif" | |
# https://github.com/marketplace/actions/aqua-security-trivy | |
trivy-repo: | |
name: Repository Report | |
runs-on: ubuntu-18.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@0.3.0 | |
with: | |
scan-type: "fs" | |
ignore-unfixed: true | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
# https://github.com/marketplace/actions/aqua-security-trivy | |
trivy-rhel-ubi: | |
name: Base Image Report | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
- name: Trivy Vulnerability Scan | |
uses: aquasecurity/trivy-action@0.3.0 | |
with: | |
image-ref: registry.access.redhat.com/ubi8/ubi | |
ignore-unfixed: true | |
severity: CRITICAL | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Upload Trivy results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
cleanup-ghcr: | |
name: Cleanup Container Registry | |
runs-on: ubuntu-latest | |
steps: | |
# https://github.com/marketplace/actions/ghcr-io-container-cleanup | |
- name: Delete old packages | |
uses: davahome/ghcr-cleanup@v1 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
package: ${{ github.event.repository.name }} | |
owner: orgs/bcgov | |
skip_tags: prod-frontend,prod-backend | |
deploy-test: | |
name: TEST Deployment | |
runs-on: ubuntu-latest | |
environment: | |
name: test | |
env: | |
ZONE: test | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Deploy | |
run: | | |
# Login to OpenShift and select project | |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }} | |
oc project ${{ secrets.OC_NAMESPACE }} | |
# Clear stale images for import/replacement | |
if [ $(oc get is -l app=${{ env.NAME }}-${{ env.ZONE }} -o name | grep -v database | wc -l) -gt 0 ]; then | |
oc delete is -l app=${{ env.NAME }}-${{ env.ZONE }} | |
fi | |
# Process and apply deployment templates | |
oc process -f .github/openshift/deploy.database.yml -p ZONE=${{ env.ZONE }} | oc apply -f - | |
oc process -f .github/openshift/deploy.backend.yml -p ZONE=${{ env.ZONE }} \ | |
-p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-backend | oc apply -f - | |
oc process -f .github/openshift/deploy.frontend.yml -p ZONE=${{ env.ZONE }} \ | |
-p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-frontend | oc apply -f - | |
# Follow any active rollouts (see deploymentconfigs) | |
oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-database -w | |
oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-backend -w | |
oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-frontend -w | |
# Remove completed build runs, build pods and deployment pods | |
for p in $(oc get po | grep "Completed" | awk '{print $1}') | |
do | |
oc delete po ${p} | |
done | |
zap-backend: | |
name: Backend Pen Tests | |
needs: | |
- deploy-test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: ZAP Scan | |
uses: zaproxy/action-full-scan@v0.3.0 | |
with: | |
target: https://${{ env.NAME }}-test-backend.apps.silver.devops.gov.bc.ca/ | |
cmd_options: "-a" | |
allow_issue_writing: false | |
fail_action: false | |
zap-frontend: | |
name: Frontend Pen Tests | |
needs: | |
- deploy-test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: ZAP Scan | |
uses: zaproxy/action-full-scan@v0.4.0 | |
with: | |
target: https://${{ env.NAME }}-test-frontend.apps.silver.devops.gov.bc.ca/ | |
cmd_options: "-a" | |
allow_issue_writing: false | |
fail_action: false | |
deploy-prod: | |
name: PROD Deployment | |
needs: | |
- zap-backend | |
- zap-frontend | |
runs-on: ubuntu-latest | |
environment: | |
name: prod | |
env: | |
ZONE: prod | |
PREV: test | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Deploy | |
run: | | |
# Login to OpenShift and select project | |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }} | |
oc project ${{ secrets.OC_NAMESPACE }} | |
# Clear stale images for import/replacement | |
if [ $(oc get is -l app=${{ env.NAME }}-${{ env.ZONE }} -o name | grep -v database | wc -l) -gt 0 ]; then | |
oc delete is -l app=${{ env.NAME }}-${{ env.ZONE }} | |
fi | |
# Process and apply deployment templates | |
oc process -f .github/openshift/deploy.database.yml -p ZONE=${{ env.ZONE }} | oc apply -f - | |
oc process -f .github/openshift/deploy.backend.yml -p ZONE=${{ env.ZONE }} \ | |
-p PROMOTE=${{ github.repository }}:${{ env.PREV }}-backend | oc apply -f - | |
oc process -f .github/openshift/deploy.frontend.yml -p ZONE=${{ env.ZONE }} \ | |
-p PROMOTE=${{ github.repository }}:${{ env.PREV }}-frontend | oc apply -f - | |
# Follow any active rollouts (see deploymentconfigs) | |
oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-database -w | |
oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-backend -w | |
oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-frontend -w | |
# Remove completed build runs, build pods and deployment pods | |
for p in $(oc get po | grep "Completed" | awk '{print $1}') | |
do | |
oc delete po ${p} | |
done | |
- name: Promote Backend Image to PROD | |
uses: shrink/actions-docker-registry-tag@v2 | |
with: | |
registry: ghcr.io | |
repository: ${{ github.repository }} | |
target: ${{ env.PREV }}-backend | |
tags: | | |
prod-backend | |
- name: Promote Frontend Image to PROD | |
uses: shrink/actions-docker-registry-tag@v2 | |
with: | |
registry: ghcr.io | |
repository: ${{ github.repository }} | |
target: ${{ env.PREV }}-frontend | |
tags: | | |
prod-frontend |