diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml
new file mode 100644
index 0000000..3c32741
--- /dev/null
+++ b/.github/workflows/.tests.yml
@@ -0,0 +1,32 @@
+name: .Tests
+
+on:
+ workflow_call:
+ inputs:
+ ### Required
+ target:
+ description: PR number, test or prod
+ required: true
+ type: string
+
+jobs:
+ cypress-e2e:
+ name: Cypress E2E
+ runs-on: ubuntu-22.04
+ strategy:
+ matrix:
+ browser: [chrome, firefox]
+ steps:
+ - uses: actions/checkout@v4
+ - uses: cypress-io/github-action@v5
+ name: Cypress run
+ with:
+ config: pageLoadTimeout=30000,baseUrl=https://pubcode-${{ inputs.target }}.apps.silver.devops.gov.bc.ca/
+ working-directory: ./frontend
+ browser: ${{ matrix.browser }}
+ - uses: actions/upload-artifact@v3
+ if: failure()
+ with:
+ name: cypress-screenshots
+ path: ./frontend/cypress/screenshots
+ if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
new file mode 100644
index 0000000..09f828c
--- /dev/null
+++ b/.github/workflows/analysis.yml
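Review bot: `.tests.yml` declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `actions/checkout@v4` and `cypress-io/github-action@v5` is whatever the calling workflow has, and `merge.yml` calls it from a pipeline that also deploys; nothing in this job needs more than `permissions: contents: read` at the top of the file, so set it explicitly. `cypress-io/github-action@v5` is a third-party action pinned to a floating major tag; pin it to a full commit SHA with the version in a trailing comment so a re-tagged release cannot run arbitrary code against the checkout. The job also has no `timeout-minutes`, and `merge.yml` makes the prod rollout wait on it, so a hung browser session holds the release until the default job limit; `timeout-minutes: 15` on `cypress-e2e` bounds that.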
@@ -0,0 +1,39 @@
+name: Analysis
+
+on:
+ push:
+ branches: [main]
+ merge_group:
+ pull_request:
+ types: [opened, reopened, synchronize, ready_for_review]
+ schedule:
+ - cron: "0 12 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ # https://github.com/marketplace/actions/aqua-security-trivy
+ trivy:
+ name: Trivy Security Scan
+ if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.16.1
+ with:
+ format: "sarif"
+ output: "trivy-results.sarif"
+ ignore-unfixed: true
+ scan-type: "fs"
+ scanners: "vuln,secret,config"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge.yml
similarity index 86%
rename from .github/workflows/merge-main.yml
rename to .github/workflows/merge.yml
index b12c31c..6a58083 100644
--- a/.github/workflows/merge-main.yml
+++ b/.github/workflows/merge.yml
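Review bot: The `upload-sarif` step at the end of the hunk needs `security-events: write`, but the workflow sets no `permissions:`, so it depends on the repository's default `GITHUB_TOKEN` scope: with the recommended read-only default the upload fails, and with write-all the Trivy job runs with far more than it needs. Add a top-level block, `permissions: contents: read` plus `security-events: write` (and `actions: read` if this is a private repository — verify against the codeql-action docs), so the scope is explicit either way. `ignore-unfixed: true` means CRITICAL findings with no upstream fix never reach the Security tab; that is a reasonable noise trade-off but deserves a one-line comment next to it. The cron comment is also off on both counts: `UDT` should read `UTC`, and 12:00 UTC is 04:00 PST, not 3 AM.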
@@ -93,32 +93,16 @@ jobs:
 helm dependency update
 helm upgrade --install --wait --atomic pubcode-test --values values.yaml --set-string global.repository=${{ github.repository }} --set-string api.containers[0].tag="${{ needs.semantic-version.outputs.semanticVersion }}" --set-string frontend.containers[0].tag="${{ needs.semantic-version.outputs.semanticVersion }}" --set-string global.secrets.emailRecipients="${{ secrets.EMAIL_RECIPIENTS }}" --set-string global.secrets.chesTokenURL="${{ secrets.CHES_TOKEN_URL }}" --set-string global.secrets.chesClientID="${{ secrets.CHES_CLIENT_ID }}" --set-string global.secrets.chesClientSecret="${{ secrets.CHES_CLIENT_SECRET }}" --set-string global.secrets.chesAPIURL="${{ secrets.CHES_API_URL }}" --set-string global.secrets.databaseAdminPassword="${{ secrets.DB_PWD }}" --set-string namespace="${{ vars.oc_namespace }}" --timeout 5m .
- cypress-e2e:
- name: Cypress end to end test
- needs:
- - deploys
- runs-on: ubuntu-22.04
- strategy:
- matrix:
- browser: [ chrome, firefox, edge ]
- steps:
- - uses: actions/checkout@v4
- name: Checkout
- - uses: cypress-io/github-action@v5
- name: Cypress run
- with:
- config: pageLoadTimeout=10000,baseUrl=https://pubcode-test.apps.silver.devops.gov.bc.ca/
- working-directory: ./frontend
- browser: ${{ matrix.browser }}
- - uses: actions/upload-artifact@v3
- if: failure()
- with:
- name: cypress-screenshots
- path: ./frontend/cypress/screenshots
- if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
+ tests:
+ name: Tests
+ needs: [deploys]
+ uses: ./.github/workflows/.tests.yml
+ with:
+ target: test
+
 deploys-prod:
 name: PROD Deployments
- needs: [semantic-version,cypress-e2e]
+ needs: [semantic-version, tests]
 environment: prod
 runs-on: ubuntu-22.04
 timeout-minutes: 10
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
index 4464caa..1152aa7 100644
--- a/.github/workflows/pr-open.yml
+++ b/.github/workflows/pr-open.yml
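Review bot: The `tests` job that `deploys-prod` now waits on via `needs: [semantic-version, tests]` calls `.tests.yml`, whose matrix is `[chrome, firefox]` with `pageLoadTimeout=30000`, so the `edge` run and the 10 s load budget that the removed block enforced against the test environment are gone; if that narrowing of the prod gate is intended, record it in the reusable workflow's header (for example `# edge dropped from the e2e matrix because …`) rather than leaving it implicit in a refactor. A reusable-workflow call reports one `tests` status, so a failure in either browser still blocks prod, which is the right direction but worth knowing when triaging flaky runs. The `helm upgrade` context line at the top belongs to a `run:` block that starts above this hunk.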
@@ -2,7 +2,7 @@ name: Pull Request on: pull_request: - workflow_dispatch: + merge_group: concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -42,14 +42,6 @@ jobs: strategy: matrix: package: [api, frontend, database] - include: - - package: frontend - triggers: ('frontend/') - - package: api - triggers: ('api/') - - package: database - triggers: ('database/') - steps: - uses: actions/checkout@v4 - uses: bcgov-nr/action-builder-ghcr@v2.0.1 @@ -58,7 +50,7 @@ jobs: tag: ${{ github.sha }} tag_fallback: test token: ${{ secrets.GITHUB_TOKEN }} - triggers: ${{ matrix.triggers }} + triggers: ('${{ matrix.package }}/') - uses: shrink/actions-docker-registry-tag@v3 with: @@ -77,12 +69,11 @@ jobs: - name: Deploy to OpenShift shell: bash run: | - # Allow pipefail, since we could be catching oc create errors + # Expand for deployment steps set +o pipefail - # Login to OpenShift (NOTE: project command is a safeguard) oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }} - oc project ${{ vars.oc_namespace }} + oc project ${{ vars.oc_namespace }} # Safeguard! # Deploy Helm Chart cd charts/pubcode 
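Review bot: Adding `merge_group:` as a trigger makes every job in this file run for merge-queue events, yet the jobs are written for pull requests: the deploy step further down interpolates `${{ github.event.pull_request.head.ref }}` and the `tests` job passes `${{ github.event.number }}`, and a `merge_group` payload carries neither field, so both expand to empty strings. Guard the PR-only jobs with `if: github.event_name == 'pull_request'`, or add a small job that runs on `merge_group` so a required check can still report success. Dropping `workflow_dispatch:` also removes the manual trigger; fine if nobody relied on it, but it deserves a line in the commit message.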
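Review bot: The replacement comment `# Expand for deployment steps` says nothing about the `set +o pipefail` on the next line, while the removed comment explained that it exists to catch `oc create` errors; since Actions runs `shell: bash` with `-eo pipefail`, silently turning pipefail off is exactly the kind of line a reader needs a reason for. Restore the rationale, e.g. `# pipefail off so a failing oc in a pipeline can be handled below`, or delete the `set +o pipefail` if no pipeline in this step depends on it any more (none is visible in the hunk). `# Safeguard!` on `oc project` likewise lost the original's wording that the project command protects against deploying into the wrong namespace. The `run:` block continues below this hunk.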
@@ -121,26 +112,9 @@ jobs:
 --set-string global.env.VITE_SCHEMA_BRANCH=${{ github.event.pull_request.head.ref }} \
 --set-string namespace="${{ vars.oc_namespace }}" -f values.yaml --timeout 5m .
- cypress-e2e:
- name: Cypress end to end test
- needs:
- - deploys
- runs-on: ubuntu-22.04
- strategy:
- matrix:
- browser: [ chrome, edge ]
- steps:
- - uses: actions/checkout@v4
- name: Checkout
- - uses: cypress-io/github-action@v5
- name: Cypress run
- with:
- config: pageLoadTimeout=10000,baseUrl=https://pubcode-${{ github.event.number }}.apps.silver.devops.gov.bc.ca/
- working-directory: ./frontend
- browser: ${{ matrix.browser }}
- - uses: actions/upload-artifact@v3
- if: failure()
- with:
- name: cypress-screenshots
- path: ./frontend/cypress/screenshots
- if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
+ tests:
+ name: Tests
+ needs: [deploys]
+ uses: ./.github/workflows/.tests.yml
+ with:
+ target: ${{ github.event.number }}
diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
deleted file mode 100644
index c30ee47..0000000
--- a/.github/workflows/prod.yml
+++ /dev/null
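Review bot: `target: ${{ github.event.number }}` is interpolated by `.tests.yml` straight into `baseUrl=https://pubcode-<target>.apps.silver.devops.gov.bc.ca/`, and with `merge_group:` now among this workflow's triggers the expression is empty on merge-queue runs, leaving Cypress pointed at `https://pubcode-.apps.silver.devops.gov.bc.ca/`. Give the job `if: github.event_name == 'pull_request'`; the `deploys` job it `needs` has the same exposure through `github.event.pull_request.head.ref` in the context lines above. The deploy `run:` block those context lines belong to starts above this hunk.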
@@ -1,46 +0,0 @@
-name: Prod Deploy
-
-on:
- workflow_dispatch:
- inputs:
- tag:
- description: 'Tag to deploy, it would be the latest tag that went into PROD.'
- required: true
- default: 'prod'
-
-concurrency:
- group: ${{ github.workflow }}
- cancel-in-progress: true
-
-jobs:
- deploys:
- name: PROD Deployments
- environment: prod
- runs-on: ubuntu-22.04
- timeout-minutes: 10
- steps:
- - uses: actions/checkout@v4
- - name: Deploy
- shell: bash
- run: |
- # Allow pipefail, since we could be catching oc create errors
- set +o pipefail
-
- # Login to OpenShift (NOTE: project command is a safeguard)
- oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
- oc project ${{ vars.oc_namespace }}
-
- # Deploy Helm Chart
- cd charts/pubcode
- helm dependency update
- helm upgrade --install --wait --atomic pubcode --values values.yaml --set-string global.repository=${{ github.repository }} --set-string api.containers[0].tag="${{ github.event.inputs.tag }}" --set-string frontend.containers[0].tag="${{ github.event.inputs.tag }}" --set-string global.secrets.emailRecipients="${{ secrets.EMAIL_RECIPIENTS }}" --set-string global.secrets.chesTokenURL="${{ secrets.CHES_TOKEN_URL }}" --set-string global.secrets.chesClientID="${{ secrets.CHES_CLIENT_ID }}" --set-string global.secrets.chesClientSecret="${{ secrets.CHES_CLIENT_SECRET }}" --set-string global.secrets.chesAPIURL="${{ secrets.CHES_API_URL }}" --set-string global.secrets.databaseAdminPassword="${{ secrets.DB_PWD }}" --set-string namespace="${{ vars.oc_namespace }}" --timeout 5m .
-
- - name: Create Release
- uses: softprops/action-gh-release@v1
- continue-on-error: true
- env:
- GITHUB_TOKEN: ${{ github.token }}
- with:
- token: ${{ github.token }}
- tag_name: ${{ github.event.inputs.tag }}
- name: Release-${{ github.event.inputs.tag }}
diff --git a/.github/workflows/remove-deleted-repos.yaml b/.github/workflows/remove-deleted-repos.yaml
deleted file mode 100644
index 0a0605f..0000000
--- a/.github/workflows/remove-deleted-repos.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-name: Remove Deleted pubcodes from the api
-
-on:
- workflow_dispatch:
- #schedule: # * is a special character in YAML, so you have to quote this string, every day at 8am GMT
- # - cron: "5 8 * * *"
-
-jobs:
- soft-delete-removed-pubcodes:
- name: Soft Delete pubcodes In the Databse which are removed from the repo.
- runs-on: ubuntu-22.04
- defaults:
- run:
- working-directory: utilities/remove-deleted-pubcode
- environment: prod
- steps:
- - name: Check out repository
- uses: actions/checkout@v4
-
- - name: Add Node.js
- uses: actions/setup-node@v4
- with:
- node-version: "20.x"
- - name: Install Dependencies
- run: npm ci
-
- - uses: actions/cache@v3
- with:
- path: ~/.npm
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
-
- - name: Process script
- run: |
- oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
- oc project ${{ vars.OC_NAMESPACE }}
-
- # Get API key
- API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d)
- API_URL=https://$(oc get route/pubcode-api --template={{.spec.host}})
- API_KEY="${API_KEY}" API_URL="${API_URL}" node index.js
diff --git a/.github/workflows/schedule-jobs.yml b/.github/workflows/scheduled.yml
similarity index 73%
rename from .github/workflows/schedule-jobs.yml
rename to .github/workflows/scheduled.yml
index e20643b..ec4362b 100644
--- a/.github/workflows/schedule-jobs.yml
+++ b/.github/workflows/scheduled.yml
@@ -94,3 +94,37 @@ jobs:
 # Create a Pull Request
 gh pr create --assignee "mishraomp" --base main --label "chore" --title "Updating the Schema as changes to ministry names were detected." --body "Updating the Schema as changes to ministry names were detected."
+ soft-delete-removed-pubcodes:
+ name: Soft Delete pubcodes In the Databse which are removed from the repo.
+ runs-on: ubuntu-22.04
+ defaults:
+ run:
+ working-directory: utilities/remove-deleted-pubcode
+ environment: prod
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Add Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20.x"
+ - name: Install Dependencies
+ run: npm ci
+
+ - uses: actions/cache@v3
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
+
+ - name: Process script
+ run: |
+ oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
+ oc project ${{ vars.OC_NAMESPACE }}
+
+ # Get API key
+ API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d)
+ API_URL=https://$(oc get route/pubcode-api --template={{.spec.host}})
+ API_KEY="${API_KEY}" API_URL="${API_URL}" node index.js
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
deleted file mode 100644
index db22bfe..0000000
--- a/.github/workflows/tests.yml
+++ /dev/null
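Review bot: The API key pulled from the cluster at `API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d)` is never registered with the runner's log masking, so anything that echoes it — a `set -x`, a debug print inside `node index.js`, or an error that quotes its environment — lands in the job log in clear; add `echo "::add-mask::${API_KEY}"` directly after the assignment. The `actions/cache@v3` step is also placed after `npm ci`, so it can only save `~/.npm` at the end of the job and never restores it before the install; move it above `Install Dependencies`. The `{{.data.API_KEY}}` Go template survives `run: |` only because Actions expands `${{ }}` and not bare braces, which is worth a short comment so nobody "fixes" it. The job was moved here from `remove-deleted-repos.yaml`, so the `oc login --token=…` on the command line is pre-existing rather than new.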
@@ -1,62 +0,0 @@
-name: Unit Tests and Analysis
-
-on:
- pull_request:
- types: [opened, reopened, synchronize, ready_for_review]
- workflow_dispatch:
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- # tests:
- # name: Unit Tests
- # if: github.event_name != 'pull_request' || !github.event.pull_request.draft
- # runs-on: ubuntu-22.04
- # strategy:
- # matrix:
- # dir: [api, frontend]
- # include:
- # - dir: api
- # sonar_projectKey: bcgov_public-code_api
- # token: SONAR_TOKEN_BACKEND
- # - dir: frontend
- # sonar_projectKey: bcgov_public-code_frontend
- # token: SONAR_TOKEN_FRONTEND
- # steps:
- # - uses: bcgov-nr/action-test-and-analyse@v0.0.1
- # with:
- # commands: |
- # npm ci
- # npm run test:cov
- # dir: ${{ matrix.dir }}
- # sonar_args: >
- # -Dsonar.exclusions=**/coverage/**,**/node_modules/**
- # -Dsonar.organization=bcgov-sonarcloud
- # -Dsonar.project.monorepo.enabled=true
- # -Dsonar.projectKey=${{ matrix.sonar_projectKey }}
- # sonar_project_token: ${{ secrets[matrix.token] }}
-
- # https://github.com/marketplace/actions/aqua-security-trivy
- trivy:
- name: Trivy Security Scan
- if: github.event_name != 'pull_request' || !github.event.pull_request.draft
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v4
-
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@0.16.1
- with:
- format: "sarif"
- output: "trivy-results.sarif"
- ignore-unfixed: true
- scan-type: "fs"
- scanners: "vuln,secret,config"
- severity: "CRITICAL,HIGH"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: "trivy-results.sarif"