mojaloop/build is a CircleCI orb for node.js build jobs in Mojaloop CI/CD pipelines
To use the mojaloop/build orb in your CircleCI configuration, turn on
Enable dynamic config using setup workflows in the Advanced Settings of your
project settings CircleCI. Then include the following in your .circleci/config.yml:
version: 2.1
setup: true
orbs:
build: mojaloop/build@1.1.1
workflows:
setup:
jobs:
- build/workflow:
context: org-global
filters:
tags:
only: /v\d+(\.\d+){2}(-[a-zA-Z-][0-9a-zA-Z-]*\.\d+)?/
# optionally supply the resource_class for the jobs
# pr_title_check_resource_class: medium
# setup_resource_class: medium
# test_dependencies_resource_class: medium
# test_deprecations_resource_class: medium
# test_lint_resource_class: medium
# test_unit_resource_class: medium
# test_coverage_resource_class: medium
# vulnerability_check_resource_class: medium
# license_audit_resource_class: medium
# build_local_resource_class: medium
# test_integration_resource_class: medium
# test_functional_resource_class: medium
# license_scan_resource_class: medium
# grype_image_scan_resource_class: medium
# release_resource_class: medium
# github_release_resource_class: medium
# publish_docker_resource_class: medium
# publish_npm_resource_class: medium
# publish_docker_snapshot_resource_class: medium
# publish_npm_snapshot_resource_class: medium
# publish_npm_prerelease_resource_class: medium
# publish_docker_prerelease_resource_class: mediumThe repo using the orb, must declare a .grype.yaml file in the root of the repo. As necessary vulnerabilities can be ignored per following example:
# Set to true to disable the Grype image scan completely
disabled: false
ignore:
# Ignore cross-spawn vulnerabilities by CVE ID due to false positive
# as grype looks at package-lock.json where it shows versions with
# vulnerabilities, npm ls shows only 7.0.6 verion is used
- vulnerability: "GHSA-3xgq-45jj-v275"
package:
name: "cross-spawn"
# Set output format defaults
output:
- "table"
- "json"
# Modify your CircleCI job to check critical count
search:
scope: "squashed"
quiet: false
check-for-app-update: falseTo completely disable the Grype image scan, set disabled: true in your .grype.yaml file. This will cause the scan job to exit successfully without performing any checks.
The orb supports merging additional workflows and jobs into the standard build pipeline. This feature allows you to extend the CI/CD pipeline with custom jobs while maintaining the benefits of the standard workflow.
To use this feature, create a .circleci/additional-workflows.yaml file in your repository root. The orb will automatically detect this file and merge it with the standard workflow configuration.
Create .circleci/additional-workflows.yaml:
jobs:
custom-build:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: Custom build step
command: |
echo "Running custom build logic"
# Add your custom commands here
workflows:
build_and_test:
jobs:
- custom-build:
name: Custom Build Job
context: org-global
filters:
tags:
only: /v\d+(\.\d+){2}/
requires:
- Lint
- Unit tests- The orb first generates the standard
build_and_testworkflow - If
.circleci/additional-workflows.yamlexists, it merges the additional configuration - Jobs from the additional file are added to the existing workflow
- Workflow definitions are merged, allowing you to extend the standard pipeline
This feature is particularly useful for:
- Building additional Docker images
- Adding custom deployment steps
- Running specialized tests or scans
- Integrating with external services
- The additional workflows file must be valid YAML
- Job names should be unique to avoid conflicts
- You can reference standard jobs in
requiressections (e.g.,Lint,Unit tests,Integration tests, etc.) - The merge process uses deep merge, so nested configurations are properly combined
- If a
Dockerfileis present in the root of the repository, it will be used to build and publish an image. - If a
package.jsonis present in the root of the repository and it does not have private=true, the package will be published to npm for the applicable branches and tags. - The following scripts are expected in the
package.jsonfile:lintdep:checkaudit:checktest:xunittest:integrationtest:functionaltest:coverage-check
The orb will trigger a publish when one of the following conditions is met:
- A release tag (e.g.
v#.#.#) is pushed to the repository. - A snapshot tag (e.g.
v#.#.#-snapshot.#,v#.#.#-hotfix.#, ,v#.#.#-perf.#) is pushed to the repository. - A commit to a pre-release branch (e.g.
major/*,minor/*,patch/*) passed the tests.
CircleCI Orb Registry Page - The official registry page of this orb for all versions, executors, commands, and jobs described.
CircleCI Orb Docs - Docs for using, creating, and publishing CircleCI Orbs.
We welcome issues to and pull requests against this repository!
- Merge pull requests with desired changes to the main branch.
- For the best experience, squash-and-merge and use Conventional Commit Messages.
- Find the current version of the orb.
- You can run
circleci orb info mojaloop/build | grep "Latest"to see the current version.
- You can run
- Create a new Release
on GitHub.
- Click "Choose a tag" and create a new semantically versioned tag. (ex: v1.0.0)
- We will have an opportunity to change this before we publish if needed after the next step.
- Click "+ Auto-generate release notes".
- This will create a summary of all of the merged pull requests since the previous release.
- If you have used Conventional Commit Messages it will be easy to determine what types of changes were made, allowing you to ensure the correct version tag is being published.
- Now ensure the version tag selected is semantically accurate based on the changes included.
- Click "Publish Release".
- This will push a new tag and trigger your publishing pipeline on CircleCI.