Merge pull request #17 from bcgov/feat/ecr

chore: multiple enhancements

Author: mishraomp

.github/workflows/.deployer.yml

@@ -49,7 +49,7 @@ env:
 jobs:
  infra:
   environment: ${{ inputs.environment_name }}
-  name: Terraform ${{inputs.command}}
+  name: Terraform ${{inputs.command}} ${{inputs.working_directory}} ${{inputs.environment_name}}
   runs-on: ubuntu-24.04
   outputs:
     API_GW_URL: ${{ steps.tg-outputs.outputs.API_GW_URL }}

.github/workflows/.load-test.yml

@@ -0,0 +1,29 @@
+name: Load tests
+on:
+  workflow_call:
+    inputs:
+      BACKEND_URL:
+        description: 'The URL of the backend to test'
+        required: true
+        type: string
+      FRONTEND_URL:
+        description: 'The URL of the frontend to test'
+        required: true
+        type: string
+jobs:
+  load-tests:
+    name: Load
+    env:
+      BACKEND_URL: ${{inputs.BACKEND_URL}}
+      FRONTEND_URL: ${{inputs.FRONTEND_URL}}
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        name: [backend, frontend]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: grafana/setup-k6-action@v1
+      - uses: grafana/run-k6-action@v1
+        with:
+          path: ./tests/load/${{ matrix.name }}-test.js
+          flags: --vus 10 --duration 30s

.github/workflows/.tests.yml

@@ -11,6 +11,69 @@ on:
 permissions:
   contents: write # This is required for actions/checkout
 jobs:
+  tests:
+    name: Tests
+    if: ${{ ! github.event.pull_request.draft }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    strategy:
+      matrix:
+        dir: [backend, frontend]
+        include:
+          - dir: backend
+            token: SONAR_TOKEN_BACKEND
+          - dir: frontend
+            token: SONAR_TOKEN_FRONTEND
+    steps:
+      - uses: bcgov-nr/action-test-and-analyse@v1.2.1
+        with:
+          commands: |
+            npm ci
+            npm run test:cov
+          dir: ${{ matrix.dir }}
+          node_version: "22"
+          sonar_args: >
+            -Dsonar.exclusions=**/coverage/**,**/node_modules/**,**/*spec.ts
+            -Dsonar.organization=bcgov-sonarcloud
+            -Dsonar.projectKey=quickstart-openshift_${{ matrix.dir }}
+            -Dsonar.sources=src
+            -Dsonar.tests.inclusions=**/*spec.ts
+            -Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info
+          sonar_token: ${{ secrets[matrix.token] }}
+          triggers: ('${{ matrix.dir }}/')
+  trivy:
+    name: Trivy Security Scan
+    if: ${{ ! github.event.pull_request.draft }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          scan-type: "fs"
+          scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
   e2e:
     name: E2E Tests
     runs-on: ubuntu-24.04
@@ -24,6 +87,13 @@ jobs:
           FRONTEND_IMAGE: ghcr.io/${{ github.repository }}/frontend:${{ inputs.tag }}
         run: docker compose up -d --wait
         continue-on-error: true
+      - name: Cache Playwright Browsers
+        uses: actions/cache@v4
+        id: playwright-cache
+        with:
+          path: |
+            ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/package-lock.json') }}
       - uses: actions/setup-node@v4
         name: Setup Node
         with:
@@ -36,7 +106,12 @@ jobs:
         working-directory: frontend
         run: |
           npm ci
-          npx playwright install --with-deps
+      - run: npx @playwright/test install --with-deps
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
+        working-directory: ./frontend
+      - run: npx @playwright/test install-deps
+        if: steps.playwright-cache.outputs.cache-hit == 'true'
+        working-directory: ./frontend
       - name: Run Tests
         working-directory: frontend
         env:

.github/workflows/merge.yml

@@ -89,3 +89,10 @@ jobs:
           aws s3 sync --delete ./dist s3://$(echo "$S3_BUCKET_ARN" | cut -d: -f6)
           aws cloudfront create-invalidation --distribution-id $CF_DISTRIBUTION_ID --paths "/*"
    
+  load-test:
+    needs: [deploy-api, build-ui, deploy-cloudfront]
+    name: Load Test
+    uses: ./.github/workflows/.load-test.yml
+    with:
+      BACKEND_URL: ${{ needs.deploy-api.outputs.API_GW_URL }}/api
+      FRONTEND_URL: https://${{ needs.deploy-cloudfront.outputs.CF_DOMAIN }}

.github/workflows/pr-open.yml

@@ -67,7 +67,7 @@ jobs:
       app_env: ephermal-${{ github.event.number }}
     secrets: inherit
 
-  tests-e2e:
+  tests:
     name: Tests
     needs: builds
     uses: ./.github/workflows/.tests.yml