From dd4084d991822ba5a2bd6fc61cc4ec32f2577bf7 Mon Sep 17 00:00:00 2001
From: Jacopo Andrea Giola
Date: Fri, 25 Oct 2024 10:38:21 +0200
Subject: [PATCH] ci: update pipelines

---
 .github/workflows/build.yml | 84 +++++------
 .github/workflows/codeql.yml | 79 +++-------
 .github/workflows/dependency-review.yaml | 25 ++++
 .github/workflows/docker-build.yml | 180 +++++++++++++----
 .github/workflows/lint.yml | 35 ++---
 .github/workflows/main.yml | 43 ++++--
 .github/workflows/publish.yml | 33 +++++
 .github/workflows/pull-main.yml | 18 ---
 .github/workflows/tag.yml | 67 ---------
 .github/workflows/tests.yml | 60 ++++----
 10 files changed, 288 insertions(+), 336 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yaml
 create mode 100644 .github/workflows/publish.yml
 delete mode 100644 .github/workflows/pull-main.yml
 delete mode 100644 .github/workflows/tag.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 746832c..6916065 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,52 +1,44 @@ -name: Build - on: workflow_call: - inputs: - node-version: - required: false - default: 20.x - type: string jobs: - build: + checks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - - name: Use Node.js ${{ inputs.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ inputs.node-version }} - cache: npm - - - name: Install - run: npm ic - - - name: Compile file and build - run: npm run build - - - name: Save Build Cache - id: save-build-cache - uses: actions/cache/save@v3 - with: - path: ./dist - key: ${{ runner.os }}-${{ github.sha }}-build - - - name: Test Build - run: | - export WORKING_DIR=`pwd` - export ENV_DIR=$WORKING_DIR/.env - - cp $WORKING_DIR/default.env $WORKING_DIR/.env.local - mkdir -p $ENV_DIR/public - - echo "PUBLIC_DIRECTORY_PATH=$ENV_DIR/public" >> $WORKING_DIR/.env.local - echo "RESOURCES_DIRECTORY_PATH=$ENV_DIR/configurations" >> $WORKING_DIR/.env.local - - npm run start:local & - - ./scripts/wait-for-it.sh localhost:3001 --timeout=20 - - curl -i "http://localhost:3001/-/ready" | grep "HTTP/1.1 200 OK" - exit `echo $?` + - name: Checkout Repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false + - name: Setup Node.js + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + with: + node-version-file: .nvmrc + check-latest: true + cache: npm + - name: Install + run: npm ci + - name: Compile file and build + run: npm run build + - name: Test Build + run: | + export WORKING_DIR=`pwd` + export ENV_DIR=$WORKING_DIR/.env + + cp $WORKING_DIR/default.env $WORKING_DIR/.env.local + mkdir -p $ENV_DIR/public + + echo "PUBLIC_DIRECTORY_PATH=$ENV_DIR/public" >> $WORKING_DIR/.env.local + echo "RESOURCES_DIRECTORY_PATH=$ENV_DIR/configurations" >> $WORKING_DIR/.env.local + + npm run start:local & + + ./scripts/wait-for-it.sh localhost:3001 --timeout=20 + + curl -i "http://localhost:3001/-/ready" | grep "HTTP/1.1 200 OK" + exit 
`echo $?` + - name: Upload Build Artifacts + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: build + path: dist + if-no-files-found: error diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index de426d6..f508d32 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
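Review bot: The reusable workflow still declares no `permissions`, so the `checks` job inherits whatever `GITHUB_TOKEN` scope the caller has while `npm ci` executes third-party install scripts and `npm run start:local` runs the freshly built server; add `permissions: contents: read` at the job level and pass `persist-credentials: false` to `actions/checkout` so the token is not left in `.git/config` for those scripts (the same applies to the lint, tests and publish workflows in this patch). The readiness check `curl -i "http://localhost:3001/-/ready" | grep "HTTP/1.1 200 OK"` followed by ``exit `echo $?` `` is just `exit $?`, and since the step already runs under `bash -e` the exit line can go; `curl -sf -o /dev/null "http://localhost:3001/-/ready"` states the intent without depending on the exact status-line text. Pinning every action to a commit SHA with the version in a trailing comment is the right call and should be kept as the convention for the other workflows.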
@@ -1,76 +1,31 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - +name: Code Scanning on: push: - branches: [ "main" ] + branches: + - main + tags: + - "*" pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: + - main + paths-ignore: + - "**/*.md" schedule: - - cron: '43 19 * * 6' + - cron: 0 5 * * 1 # Run every monday at 5 UTC jobs: - analyze: - name: Analyze + codeql: runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - steps: - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10 with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. 
- # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - + languages: javascript-typescript - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10 diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml new file mode 100644 index 0000000..8b71241 --- /dev/null +++ b/.github/workflows/dependency-review.yaml 
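Review bot: The new job-level `permissions` block keeps only `security-events: write` and drops the `actions: read` and `contents: read` the removed template granted; once a `permissions` key is present every unlisted scope is `none`, and on a private repository checkout and result upload need those two scopes (plus `packages: read` if private CodeQL packs are ever used), so this silently works only while the repo is public. Restore them as `actions: read`, `contents: read`, `security-events: write` under `permissions:`. Separately, `- cron: 0 5 * * 1` is an unquoted plain scalar; `- cron: "0 5 * * 1"` keeps it unambiguous and matches the quoted `"*"` tag filter above. The `paths-ignore` on `pull_request` means a docs-only PR gets no code-scanning check at all, which matters if "Code Scanning" is a required status check for merging.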
@@ -0,0 +1,25 @@ +name: Dependency Review +on: + pull_request: + branches: + - main + paths-ignore: + - "**/*.md" + +jobs: + dependency-review: + name: Dependencies Review + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Checkout Repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false + - name: Dependency Review + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 + with: + fail-on-scopes: runtime,unknown + comment-summary-in-pr: on-failure diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 7b44e50..3d80785 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -1,16 +1,7 @@ -name: Docker build +name: Docker container release on: workflow_call: - inputs: - push: - default: false - required: false - type: boolean - version: - default: latest - type: string - required: false secrets: docker_username: required: true 
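Review bot: `fail-on-scopes: runtime,unknown` exempts `development` dependencies, yet the same patch has CI run `npm ci` and `npm run build` with those dev dependencies installed before the package and image are published, so a vulnerable dev package with an install script still sits on the release path; if that is meant to be gated too, use `fail-on-scopes: runtime,development,unknown`. `comment-summary-in-pr: on-failure` depends on `pull-requests: write`, which GitHub does not grant to `pull_request` runs from forks, so for external contributions the summary comment will presumably be skipped or fail — confirm against the action's fork handling before relying on it. Consider also setting `fail-on-severity` explicitly (the action defaults to `low`) so the policy is visible in the file rather than in the action's defaults.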
@@ -20,78 +11,111 @@ on: required: true nexus_token: required: true - security_checks_token: + sysdig_token: required: true + kms_gcp_poject: + required: false + gcp_wif: + required: false + cosign_key: + required: false jobs: release-docker: runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Restore Build Cache - id: restore-build-cache - uses: actions/cache/restore@v3 - with: - path: ./dist - key: ${{ runner.os }}-${{ github.sha }}-build - - - name: Fail on absent cache - if: steps.restore-build-cache.outputs.cache-hit != 'true' - run: exit 1 - - - name: Configure docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: | - docker.io/microlc/middleware - nexus.mia-platform.eu/microlc/middleware - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=semver,pattern={{version}} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.docker_username }} - password: ${{ secrets.docker_token }} - - - name: Login to Mia registry - uses: docker/login-action@v3 - with: - registry: nexus.mia-platform.eu - username: ${{ secrets.nexus_username }} - password: ${{ secrets.nexus_token }} - - - name: Build and push - if: ${{ inputs.push }} - uses: docker/build-push-action@v5 - with: - context: . 
- pull: true - push: true - tags: ${{ steps.meta.outputs.tags }} - cache-from: type=registry,ref=${{ steps.meta.outputs.tags }} - cache-to: type=inline - - security-checks: - needs: - - release-docker - name: Triggers security checks - runs-on: ubuntu-latest steps: - - name: Invoke API - if: ${{ inputs.push }} - run: | - curl --request POST \ - --form token=${{ secrets.security_checks_token }} \ - --form ref=main \ - --form "variables[VERSION]=${{ inputs.version }}" \ - "https://git.tools.mia-platform.eu/api/v4/projects/86269/trigger/pipeline" + - name: Checkout Repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false + - name: Download Build Artifacts + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: build + path: dist + - name: Docker Login to DockerHub + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + username: ${{ secrets.docker_username }} + password: ${{ secrets.docker_token }} + - name: Login to Mia registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: nexus.mia-platform.eu + username: ${{ secrets.nexus_username }} + password: ${{ secrets.nexus_token }} + - name: Install Cosign + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + - name: Set up QEMU + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + with: + platforms: amd64,arm64 + - name: Configure docker metadata + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + with: + images: | + docker.io/microlc/middleware + nexus.mia-platform.eu/microlc/middleware + tags: | + type=raw,value=latest,enable={{is_default_branch}} + type=semver,pattern={{version}} + labels: | + org.opencontainers.image.documentation=https://micro-lc.io/ + 
org.opencontainers.image.vendor=Mia s.r.l. + annotations: | + org.opencontainers.image.documentation=https://micro-lc.io/ + org.opencontainers.image.vendor=Mia s.r.l. + - name: Build Docker Image + id: docker-build + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + with: + context: . + load: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.output.annotations }} + platforms: ${{ steps.buildx.outputs.platforms }} + cache-from: type=gha + cache-to: type=gha,mode=max + - name: Scan image + uses: sysdiglabs/scan-action@0065d3b93bd4115371b55720251adb1d228fe188 # v5.1.1 + with: + image-tag: nexus.mia-platform.eu/microlc/middleware:${{ steps.meta.output.version.main }} + sysdig-secure-url: "https://eu1.app.sysdig.com" + sysdig-secure-token: ${{ secrets.sysdig_token }} + registry-user: ${{ secrets.nexus_username }} + registry-password: ${{ secrets.nexus_token }} + stop-on-processing-error: true + - name: Generate SBOM + uses: anchore/sbom-action@f5e124a5e5e1d497a692818ae907d3c45829d033 # v0.17.3 + if: github.ref_type == 'tag' + with: + artifact-name: middleware-sbom.spdx.json + output-file: ./middleware-sbom.spdx.json + image: nexus.mia-platform.eu/microlc/middleware:${{ steps.meta.output.version.main }} + upload-release-assets: true + - name: GCP Auth + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 + if: github.ref_type == 'tag' + with: + project_id: ${{ secrets.kms_gcp_poject }} + workload_identity_provider: ${{ secrets.gcp_wif }} + create_credentials_file: true + - name: Sign image with a key + if: github.ref_type == 'tag' + run: | + for tag in ${TAGS}; do + image="${tag}@${DIGEST}" + cosign sign --recursive --yes --key "${COSIGN_PRIVATE_KEY}" "${image}" + cosign attest --recursive --yes --key "${COSIGN_PRIVATE_KEY}" --predicate "micro-lc-sbom.spdx.json" --type="spdxjson" "${image}" + done + env: + TAGS: | + 
docker.io/microlc/middleware:${{ steps.meta.output.version.main }} + nexus.mia-platform.eu/microlc/middleware:${{ steps.meta.output.version.main }} + DIGEST: ${{ steps.docker-build.outputs.digest }} + COSIGN_PRIVATE_KEY: ${{ secrets.cosign_key }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6e6c5e5..7d306dd 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,27 +2,22 @@ name: Linting on: workflow_call: - inputs: - node-version: - default: 20.x - required: false - type: string jobs: - tests: + checks: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Use Node.js ${{ inputs.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ inputs.node-version }} - cache: npm - - - name: Install - run: npm ic - - - name: Check linting - run: npm run lint + - name: Checkout Repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false + - name: Setup Node.js + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + with: + node-version-file: .nvmrc + check-latest: true + cache: npm + - name: Install Dependencies + run: npm ci + - name: Check Linting + run: npm run lint diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f1eb7e7..d88f6c3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
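Review bot: The release job never pushes: `docker/build-push-action` is given `load: true` and no `push: true` (the removed lines had `push: true`), so neither registry receives the image and the Sysdig scan, the SBOM step and `cosign sign "${tag}@${DIGEST}"` all target a remote tag that does not exist. Several expression references are also wrong — `steps.meta.output.version.main` and `steps.meta.output.annotations` should be `steps.meta.outputs.version` and `steps.meta.outputs.annotations`, `steps.buildx.outputs.platforms` names a step id this hunk removed so `platforms` expands to an empty string, and the attest step reads `micro-lc-sbom.spdx.json` while the SBOM step writes `middleware-sbom.spdx.json`. `google-github-actions/auth` with `workload_identity_provider` requires `id-token: write` on the job (the OIDC scope is `none` unless granted explicitly) and `upload-release-assets: true` needs `contents: write`, but the job has no `permissions` block, so add one and mirror it in the caller. A multi-platform image cannot be `load`ed into the local daemon and, with `docker/setup-buildx-action` removed, the default driver cannot build `amd64,arm64` at all — restore a SHA-pinned buildx setup step, push, and scan the pushed tag (or scan a single-platform local build first if the scan is meant to gate publication).
```yaml
jobs:
  release-docker:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # upload-release-assets on the SBOM step; drop to read if that is removed
      id-token: write   # OIDC token for GCP Workload Identity Federation
    steps:
      # … unchanged: checkout, artifact download, registry logins, cosign, qemu, metadata …
      - name: Build and push Docker image
        id: docker-build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Scan image
        # … unchanged except the tag reference …
        with:
          image-tag: nexus.mia-platform.eu/microlc/middleware:${{ steps.meta.outputs.version }}
      # … unchanged: SBOM generation (writes ./middleware-sbom.spdx.json), GCP auth …
      - name: Sign image with a key
        if: github.ref_type == 'tag'
        run: |
          for tag in ${TAGS}; do
            image="${tag}@${DIGEST}"
            cosign sign --recursive --yes --key "${COSIGN_PRIVATE_KEY}" "${image}"
            cosign attest --recursive --yes --key "${COSIGN_PRIVATE_KEY}" --predicate "middleware-sbom.spdx.json" --type="spdxjson" "${image}"
          done
        env:
          TAGS: |
            docker.io/microlc/middleware:${{ steps.meta.outputs.version }}
            nexus.mia-platform.eu/microlc/middleware:${{ steps.meta.outputs.version }}
          DIGEST: ${{ steps.docker-build.outputs.digest }}
          COSIGN_PRIVATE_KEY: ${{ secrets.cosign_key }}
```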
@@ -3,31 +3,48 @@ name: Main on: push: branches: - - main + - main + tags: + - v* + pull_request: + branches: + - main jobs: + lint: + uses: ./.github/workflows/lint.yml + tests: - uses: micro-lc/middleware/.github/workflows/tests.yml@main + uses: ./.github/workflows/tests.yml secrets: token: ${{ secrets.GITHUB_TOKEN }} - lint: - uses: micro-lc/middleware/.github/workflows/lint.yml@main - build: - uses: micro-lc/middleware/.github/workflows/build.yml@main + uses: ./.github/workflows/build.yml docker-build: + if: github.event_name == 'push' needs: - - tests - - lint - - build - uses: micro-lc/middleware/.github/workflows/docker-build.yml@main - with: - push: true + - tests + - lint + - build + uses: ./.github/workflows/docker-build.yml secrets: docker_username: ${{ secrets.BOT_DOCKER_USERNAME }} docker_token: ${{ secrets.BOT_DOCKER_TOKEN }} nexus_username: ${{ secrets.NEXUS_USER }} nexus_token: ${{ secrets.NEXUS_TOKEN }} - security_checks_token: ${{ secrets.SECURITY_CHECKS_TOKEN }} + sysdig_token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + kms_gcp_project: ${{ secrets.MIA_PLATFORM_KMS_GCP_PROJECT }} + gcp_wif: ${{ secrets.MIA_PLATFORM_WIF }} + cosign_key: ${{ secrets.MIA_PLATFORM_KEY_KMS }} + + npm-publish: + if: github.ref_type == 'tag' + needs: + - tests + - lint + - build + uses: ./github/workflows/publish.yml + secrets: + token: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..714d889 --- /dev/null +++ b/.github/workflows/publish.yml 
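Review bot: `uses: ./github/workflows/publish.yml` is missing the leading dot — the file added in this patch lives at `./.github/workflows/publish.yml` — so the workflow fails validation on every run, not just on tags. The `kms_gcp_project` secret passed to `docker-build` does not match the name the called workflow declares (`kms_gcp_poject` in docker-build.yml); GitHub treats a secret the reusable workflow does not define as a validation error, so one side has to be renamed. The called job authenticates to GCP through Workload Identity Federation, which needs `id-token: write`, and a called workflow can never hold more than the caller grants, so set it on the `docker-build` job here (`permissions:` / `contents: read` / `id-token: write`) and add a workflow-level `permissions: contents: read` so the remaining jobs run with a read-only token. Since `pull_request` now also triggers this workflow, the `if: github.event_name == 'push'` guard on `docker-build` is what keeps registry credentials away from PR builds; a comment saying so would stop someone from removing it.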
@@ -0,0 +1,33 @@ +name: Publish + +on: + workflow_call: + secrets: + token: + required: true + +jobs: + checks: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false + - name: Setup Node.js + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + with: + node-version-file: .nvmrc + check-latest: true + cache: npm + - name: Download Build Artifacts + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: build + path: dist + - name: Build + run: npm run build + - name: Publish + run: npm publish + env: + NODE_AUTH_TOKEN: ${{ secrets.token }} diff --git a/.github/workflows/pull-main.yml b/.github/workflows/pull-main.yml deleted file mode 100644 index 406c581..0000000 --- a/.github/workflows/pull-main.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: PR on Main - -on: - pull_request: - branches: - - main - -jobs: - tests: - uses: micro-lc/middleware/.github/workflows/tests.yml@main - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - - lint: - uses: micro-lc/middleware/.github/workflows/lint.yml@main - - build: - uses: micro-lc/middleware/.github/workflows/build.yml@main diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml deleted file mode 100644 index 55a95d7..0000000 --- a/.github/workflows/tag.yml +++ /dev/null 
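Review bot: `npm publish` here has no registry configured for the token: the deleted tag.yml passed `registry-url: 'https://registry.npmjs.org'` to `setup-node`, which is what writes the `.npmrc` that reads `NODE_AUTH_TOKEN`, and the new file drops it, so the publish runs without credentials. The job also downloads the `build` artifact into `dist` and then runs `npm run build` again without ever running `npm ci`, so the second build has no dependencies installed and, if it did succeed, would overwrite the artifact that was actually tested. Add `registry-url: https://registry.npmjs.org` under the `setup-node` `with:` block and either drop the `Build` step or replace it with `- run: npm ci` — publishing the tested artifact is the better supply-chain story. Consider `npm publish --provenance` with `id-token: write` on the job so the package carries a build attestation, and `permissions: contents: read` since nothing here needs more than checkout.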
@@ -1,67 +0,0 @@ -name: Tag - -env: - NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - -on: - push: - tags: - - 'v*' - -jobs: - tests: - uses: micro-lc/middleware/.github/workflows/tests.yml@main - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - - lint: - uses: micro-lc/middleware/.github/workflows/lint.yml@main - - build: - uses: micro-lc/middleware/.github/workflows/build.yml@main - - docker-build: - needs: - - tests - - lint - - build - uses: micro-lc/middleware/.github/workflows/docker-build.yml@main - with: - version: ${GITHUB_REF#refs/tags/v} - push: true - secrets: - docker_username: ${{ secrets.BOT_DOCKER_USERNAME }} - docker_token: ${{ secrets.BOT_DOCKER_TOKEN }} - nexus_username: ${{ secrets.NEXUS_USER }} - nexus_token: ${{ secrets.NEXUS_TOKEN }} - security_checks_token: ${{ secrets.SECURITY_CHECKS_TOKEN }} - - npm-publish: - needs: - - tests - - lint - - build - - name: Release package on npm - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Use Node.js 20.x - uses: actions/setup-node@v3 - with: - node-version: 20.x - cache: npm - registry-url: 'https://registry.npmjs.org' - - - name: Install - run: npm ic - - - name: Build - run: npm run build - - - name: Publish - run: npm publish - env: - NODE_AUTH_TOKEN: ${{ env.NPM_AUTH_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 01602e7..c4f5c7f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -2,42 +2,38 @@ name: Tests on: workflow_call: - inputs: - node-version: - default: 20.x - required: false - type: string secrets: token: required: true jobs: - tests: + checks: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Use Node.js ${{ inputs.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ inputs.node-version }} - cache: npm - - - name: Install - run: | - npm ic - npm run build:cli - - - name: Run Unit Tests - run: npm run coverage - - - name: Run CLI Tests - run: npm run test:cli - - - name: Collect Coveralls coverage - uses: coverallsapp/github-action@master - continue-on-error: true - with: - github-token: ${{ secrets.token }} - path-to-lcov: './coverage/lcov.info' + - name: Checkout Repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + show-progress: false + - name: Setup Node.js + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + with: + node-version-file: .nvmrc + check-latest: true + cache: npm + - name: Install Dependencies + run: | + npm ci + npm run build:cli + + - name: Run Unit Tests + run: npm run coverage + + - name: Run CLI Tests + run: npm run test:cli + + - name: Collect Coveralls coverage + uses: coverallsapp/github-action@4cdef0b2dbe0c9aa26bed48edb868db738625e79 # v2.3.3 + continue-on-error: true + with: + github-token: ${{ secrets.token }} + path-to-lcov: './coverage/lcov.info'