chore(ci): workflow updates and Trivy fails #306

Merged
merged 9 commits into from
Jan 18, 2024
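--- /dev/null
+++ b/.github/workflows/.tests.yml
@@ -0,0 +1,32 @@
+name: .Tests
+
+on:
+workflow_call:
+inputs:
+### Required
+target:
+description: PR number, test or prod
+required: true
+type: string
+
+jobs:
+cypress-e2e:
+name: Cypress E2E
+runs-on: ubuntu-22.04
+strategy:
+matrix:
+browser: [chrome, edge]
+steps:
+- uses: actions/checkout@v4
+- uses: cypress-io/github-action@v5
+name: Cypress run
+with:
+config: pageLoadTimeout=10000,baseUrl=https://pubcode-${{ inputs.target }}.apps.silver.devops.gov.bc.ca/
+working-directory: ./frontend
+browser: ${{ matrix.browser }}
+- uses: actions/upload-artifact@v3
+if: failure()
+with:
+name: cypress-screenshots
+path: ./frontend/cypress/screenshots
+if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`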
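Review bot: All three actions in this new reusable workflow are referenced by mutable major-version tags (`actions/checkout@v4`, `cypress-io/github-action@v5`, `actions/upload-artifact@v3`), so whoever can move those tags decides what runs against this repo's checkout; pin each to a full commit SHA and keep the version in a trailing comment, e.g. `uses: cypress-io/github-action@<commit-sha> # v5`. The `target` input is described only as "PR number, test or prod" but nothing constrains it, and it is spliced straight into the `baseUrl` host, so a caller passing anything else silently points the suite at a different server; at minimum say so in the input's description, e.g. `description: Deployment target spliced into the Cypress baseUrl host (PR number, test or prod)`. Both matrix browsers also upload to the same artifact name `cypress-screenshots`; that merges on upload-artifact v3 but, as I recall, is rejected on v4, so `name: cypress-screenshots-${{ matrix.browser }}` would be safer.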
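--- /dev/null
+++ b/.github/workflows/analysis.yml
@@ -0,0 +1,39 @@
+name: Analysis
+
+on:
+push:
+branches: [main]
+merge_group:
+pull_request:
+types: [opened, reopened, synchronize, ready_for_review]
+schedule:
+- cron: "0 12 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
+workflow_dispatch:
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+
+jobs:
+# https://github.com/marketplace/actions/aqua-security-trivy
+trivy:
+name: Trivy Security Scan
+if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@v4
+
+- name: Run Trivy vulnerability scanner in repo mode
+uses: aquasecurity/trivy-action@0.16.1
+with:
+format: "sarif"
+output: "trivy-results.sarif"
+ignore-unfixed: true
+scan-type: "fs"
+scanners: "vuln,secret,config"
+severity: "CRITICAL,HIGH"
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+with:
+sarif_file: "trivy-results.sarif"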
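Review bot: The `trivy` job declares no `permissions:` block even though its last step, `upload-sarif`, needs `security-events: write`, and the default token may be read-only depending on repository settings; add a least-privilege block at job level with `contents: read` and `security-events: write` rather than relying on the repo default. As far as the visible inputs show, the Trivy step also never fails the job: no `exit-code` is set, so with the action's default the run goes green on CRITICAL findings and they surface only in the Security tab — if this is meant to gate merges add `exit-code: "1"`, and if it is deliberately advisory say so in a comment above the step. The cron comment reads `12 PM UDT`; I believe `UTC` is meant. `aquasecurity/trivy-action@0.16.1` is a proper version tag, but both it and `codeql-action/upload-sarif@v2` are still mutable refs; pin them to commit SHAs for the same supply-chain reason as elsewhere in the repo.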
Expand Up @@ -93,32 +93,16 @@ jobs:
helm dependency update
helm upgrade --install --wait --atomic pubcode-test --values values.yaml --set-string global.repository=${{ github.repository }} --set-string api.containers[0].tag="${{ needs.semantic-version.outputs.semanticVersion }}" --set-string frontend.containers[0].tag="${{ needs.semantic-version.outputs.semanticVersion }}" --set-string global.secrets.emailRecipients="${{ secrets.EMAIL_RECIPIENTS }}" --set-string global.secrets.chesTokenURL="${{ secrets.CHES_TOKEN_URL }}" --set-string global.secrets.chesClientID="${{ secrets.CHES_CLIENT_ID }}" --set-string global.secrets.chesClientSecret="${{ secrets.CHES_CLIENT_SECRET }}" --set-string global.secrets.chesAPIURL="${{ secrets.CHES_API_URL }}" --set-string global.secrets.databaseAdminPassword="${{ secrets.DB_PWD }}" --set-string namespace="${{ vars.oc_namespace }}" --timeout 5m .

cypress-e2e:
name: Cypress end to end test
needs:
- deploys
runs-on: ubuntu-22.04
strategy:
matrix:
browser: [ chrome, firefox, edge ]
steps:
- uses: actions/checkout@v4
name: Checkout
- uses: cypress-io/github-action@v5
name: Cypress run
with:
config: pageLoadTimeout=10000,baseUrl=https://pubcode-test.apps.silver.devops.gov.bc.ca/
working-directory: ./frontend
browser: ${{ matrix.browser }}
- uses: actions/upload-artifact@v3
if: failure()
with:
name: cypress-screenshots
path: ./frontend/cypress/screenshots
if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
tests:
name: Tests
needs: [deploys]
uses: ./.github/workflows/.tests.yml
with:
target: test

deploys-prod:
name: PROD Deployments
needs: [semantic-version,cypress-e2e]
needs: [semantic-version, tests]
environment: prod
runs-on: ubuntu-22.04
timeout-minutes: 10
46 changes: 10 additions & 36 deletions .github/workflows/pr-open.yml
Expand Up @@ -2,7 +2,7 @@ name: Pull Request

on:
pull_request:
workflow_dispatch:
merge_group:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand Down Expand Up @@ -42,14 +42,6 @@ jobs:
strategy:
matrix:
package: [api, frontend, database]
include:
- package: frontend
triggers: ('frontend/')
- package: api
triggers: ('api/')
- package: database
triggers: ('database/')

steps:
- uses: actions/checkout@v4
- uses: bcgov-nr/action-builder-ghcr@v2.0.1
Expand All @@ -58,7 +50,7 @@ jobs:
tag: ${{ github.sha }}
tag_fallback: test
token: ${{ secrets.GITHUB_TOKEN }}
triggers: ${{ matrix.triggers }}
triggers: ('${{ matrix.package }}/')

- uses: shrink/actions-docker-registry-tag@v3
with:
Expand All @@ -77,12 +69,11 @@ jobs:
- name: Deploy to OpenShift
shell: bash
run: |
# Allow pipefail, since we could be catching oc create errors
# Expand for deployment steps
set +o pipefail

# Login to OpenShift (NOTE: project command is a safeguard)
oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
oc project ${{ vars.oc_namespace }}
oc project ${{ vars.oc_namespace }} # Safeguard!

# Deploy Helm Chart
cd charts/pubcode
Expand Down Expand Up @@ -121,26 +112,9 @@ jobs:
--set-string global.env.VITE_SCHEMA_BRANCH=${{ github.event.pull_request.head.ref }} \
--set-string namespace="${{ vars.oc_namespace }}" -f values.yaml --timeout 5m .

cypress-e2e:
name: Cypress end to end test
needs:
- deploys
runs-on: ubuntu-22.04
strategy:
matrix:
browser: [ chrome, edge ]
steps:
- uses: actions/checkout@v4
name: Checkout
- uses: cypress-io/github-action@v5
name: Cypress run
with:
config: pageLoadTimeout=10000,baseUrl=https://pubcode-${{ github.event.number }}.apps.silver.devops.gov.bc.ca/
working-directory: ./frontend
browser: ${{ matrix.browser }}
- uses: actions/upload-artifact@v3
if: failure()
with:
name: cypress-screenshots
path: ./frontend/cypress/screenshots
if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn`
tests:
name: Tests
needs: [deploys]
uses: ./.github/workflows/.tests.yml
with:
target: ${{ github.event.number }}
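Review bot: Adding `merge_group:` as a trigger in the first hunk leaves the jobs further down broken on that event: `github.event.number` (the `target:` passed to the `tests` job) and `github.event.pull_request.head.ref` (the `VITE_SCHEMA_BRANCH` value in the deploy step) are only populated on `pull_request` payloads, so a merge-queue run would build a baseUrl of `https://pubcode-.apps...` and an empty schema branch, unless those jobs are conditioned on `github.event_name` somewhere outside this diff. Either gate the build/deploy/tests jobs with `if: github.event_name == 'pull_request'` or derive the PR number from the merge-group ref. Separately, `${{ github.event.pull_request.head.ref }}` is expanded directly into the deploy step's `run:` shell; branch names are user-chosen, so pass it in via `env:` (e.g. `SCHEMA_BRANCH: ${{ github.event.pull_request.head.ref }}`) and reference `"$SCHEMA_BRANCH"` quoted inside the script. The replacement comment `# Expand for deployment steps` also drops the only rationale for the `set +o pipefail` that follows it; keep a why-comment such as `# Allow pipefail: later oc/helm pipes deliberately tolerate non-zero exits` on that line.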
46 changes: 0 additions & 46 deletions .github/workflows/prod.yml

This file was deleted.

42 changes: 0 additions & 42 deletions .github/workflows/remove-deleted-repos.yaml

This file was deleted.

Expand Up @@ -94,3 +94,37 @@ jobs:
# Create a Pull Request
gh pr create --assignee "mishraomp" --base main --label "chore" --title "Updating the Schema as changes to ministry names were detected." --body "Updating the Schema as changes to ministry names were detected."

soft-delete-removed-pubcodes:
name: Soft Delete pubcodes In the Databse which are removed from the repo.
runs-on: ubuntu-22.04
defaults:
run:
working-directory: utilities/remove-deleted-pubcode
environment: prod
steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Add Node.js
uses: actions/setup-node@v4
with:
node-version: "20.x"
- name: Install Dependencies
run: npm ci

- uses: actions/cache@v3
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-

- name: Process script
run: |
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
oc project ${{ vars.OC_NAMESPACE }}

# Get API key
API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d)
API_URL=https://$(oc get route/pubcode-api --template={{.spec.host}})
API_KEY="${API_KEY}" API_URL="${API_URL}" node index.js
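Review bot: The API key extracted at `API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d)` is never registered with the runner's log masker, so any error output from `node index.js`, or a later `set -x`, would print it verbatim in the job log; add `echo "::add-mask::${API_KEY}"` immediately after that assignment. The OpenShift token is fine because `${{ secrets.OC_TOKEN }}` is masked automatically, but a value derived at runtime is not. The `actions/cache@v3` step is placed after `npm ci`, so the cache is restored only once the install has already run and cannot shorten it; move it above the install step, or drop it in favour of `setup-node`'s `cache: npm`. The job name also misspells "Database" (`Databse`). This file's header line is not shown in the rendered page, so I can't confirm which workflow the new job lands in.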
62 changes: 0 additions & 62 deletions .github/workflows/tests.yml

This file was deleted.
