chore(ci): workflow updates and Trivy fails (#306)

bcgov · Jan 18, 2024 · 999362a · 999362a
1 parent 036de3a
commit 999362a
Show file tree

Hide file tree

Showing 8 changed files with 123 additions and 210 deletions.
diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml
@@ -0,0 +1,32 @@
+name: .Tests
+
+on:
+  workflow_call:
+    inputs:
+      ### Required
+      target:
+        description: PR number, test or prod
+        required: true
+        type: string
+
+jobs:
+  cypress-e2e:
+    name: Cypress E2E
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        browser: [chrome, firefox]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cypress-io/github-action@v5
+        name: Cypress run
+        with:
+          config: pageLoadTimeout=30000,baseUrl=https://pubcode-${{ inputs.target }}.apps.silver.devops.gov.bc.ca/
+          working-directory: ./frontend
+          browser: ${{ matrix.browser }}
+      - uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: cypress-screenshots
+          path: ./frontend/cypress/screenshots
+          if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -0,0 +1,39 @@
+name: Analysis
+
+on:
+  push:
+    branches: [main]
+  merge_group:
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+  schedule:
+    - cron: "0 12 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # https://github.com/marketplace/actions/aqua-security-trivy
+  trivy:
+    name: Trivy Security Scan
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.16.1
+        with:
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          scan-type: "fs"
+          scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/merge-main.yml → .github/workflows/merge.yml b/.github/workflows/merge-main.yml → .github/workflows/merge.yml
@@ -93,32 +93,16 @@ jobs:
           helm dependency update
           helm upgrade --install --wait --atomic pubcode-test --values values.yaml --set-string global.repository=${{ github.repository }}  --set-string api.containers[0].tag="${{ needs.semantic-version.outputs.semanticVersion }}" --set-string frontend.containers[0].tag="${{ needs.semantic-version.outputs.semanticVersion }}" --set-string global.secrets.emailRecipients="${{ secrets.EMAIL_RECIPIENTS }}" --set-string global.secrets.chesTokenURL="${{ secrets.CHES_TOKEN_URL }}" --set-string global.secrets.chesClientID="${{ secrets.CHES_CLIENT_ID }}" --set-string global.secrets.chesClientSecret="${{ secrets.CHES_CLIENT_SECRET }}" --set-string global.secrets.chesAPIURL="${{ secrets.CHES_API_URL }}" --set-string global.secrets.databaseAdminPassword="${{ secrets.DB_PWD }}" --set-string namespace="${{ vars.oc_namespace }}"  --timeout 5m .
 
-  cypress-e2e:
-    name: Cypress end to end test
-    needs:
-      - deploys
-    runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        browser: [ chrome, firefox, edge ]
-    steps:
-      - uses: actions/checkout@v4
-        name: Checkout
-      - uses: cypress-io/github-action@v5
-        name: Cypress run
-        with:
-          config: pageLoadTimeout=10000,baseUrl=https://pubcode-test.apps.silver.devops.gov.bc.ca/
-          working-directory: ./frontend
-          browser: ${{ matrix.browser }}
-      - uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: cypress-screenshots
-          path: ./frontend/cypress/screenshots
-          if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
+  tests:
+    name: Tests
+    needs: [deploys]
+    uses: ./.github/workflows/.tests.yml
+    with:
+      target: test
+
   deploys-prod:
     name: PROD Deployments
-    needs: [semantic-version,cypress-e2e]
+    needs: [semantic-version, tests]
     environment: prod
     runs-on: ubuntu-22.04
     timeout-minutes: 10

diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -2,7 +2,7 @@ name: Pull Request
 
 on:
   pull_request:
-  workflow_dispatch:
+  merge_group:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -42,14 +42,6 @@ jobs:
     strategy:
       matrix:
         package: [api, frontend, database]
-        include:
-          - package: frontend
-            triggers: ('frontend/')
-          - package: api
-            triggers: ('api/')
-          - package: database
-            triggers: ('database/')
-
     steps:
       - uses: actions/checkout@v4
       - uses: bcgov-nr/action-builder-ghcr@v2.0.1
@@ -58,7 +50,7 @@ jobs:
           tag: ${{ github.sha }}
           tag_fallback: test
           token: ${{ secrets.GITHUB_TOKEN }}
-          triggers: ${{ matrix.triggers }}
+          triggers: ('${{ matrix.package }}/')
 
       - uses: shrink/actions-docker-registry-tag@v3
         with:
@@ -77,12 +69,11 @@ jobs:
       - name: Deploy to OpenShift
         shell: bash
         run: |
-          # Allow pipefail, since we could be catching oc create errors
+          # Expand for deployment steps
           set +o pipefail
     
-          # Login to OpenShift (NOTE: project command is a safeguard)
           oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
-          oc project ${{ vars.oc_namespace }}
+          oc project ${{ vars.oc_namespace }} # Safeguard!
 
           # Deploy Helm Chart
           cd charts/pubcode
@@ -121,26 +112,9 @@ jobs:
           --set-string global.env.VITE_SCHEMA_BRANCH=${{ github.event.pull_request.head.ref }}  \
           --set-string namespace="${{ vars.oc_namespace }}" -f values.yaml --timeout 5m  .
 
-  cypress-e2e:
-    name: Cypress end to end test
-    needs:
-      - deploys
-    runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        browser: [ chrome, edge ]
-    steps:
-      - uses: actions/checkout@v4
-        name: Checkout
-      - uses: cypress-io/github-action@v5
-        name: Cypress run
-        with:
-          config: pageLoadTimeout=10000,baseUrl=https://pubcode-${{ github.event.number }}.apps.silver.devops.gov.bc.ca/
-          working-directory: ./frontend
-          browser: ${{ matrix.browser }}
-      - uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: cypress-screenshots
-          path: ./frontend/cypress/screenshots
-          if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
+  tests:
+    name: Tests
+    needs: [deploys]
+    uses: ./.github/workflows/.tests.yml
+    with:
+      target: ${{ github.event.number }}
diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
diff --git a/.github/workflows/remove-deleted-repos.yaml b/.github/workflows/remove-deleted-repos.yaml
diff --git a/.github/workflows/schedule-jobs.yml → .github/workflows/scheduled.yml b/.github/workflows/schedule-jobs.yml → .github/workflows/scheduled.yml
@@ -94,3 +94,37 @@ jobs:
           # Create a Pull Request
           gh pr create --assignee "mishraomp" --base main --label "chore" --title "Updating the Schema as changes to ministry names were detected." --body "Updating the Schema as changes to ministry names were detected."
 
+  soft-delete-removed-pubcodes:
+    name: Soft Delete pubcodes In the Databse which are removed from the repo.
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: utilities/remove-deleted-pubcode
+    environment: prod
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Add Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+      - name: Install Dependencies
+        run: npm ci
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Process script
+        run: |
+          oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
+          oc project ${{ vars.OC_NAMESPACE }}
+
+          # Get API key
+          API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d)
+          API_URL=https://$(oc get route/pubcode-api --template={{.spec.host}})
+          API_KEY="${API_KEY}" API_URL="${API_URL}" node index.js
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml