Skip to content
This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

Fix Trivy CI failures #505

Fix Trivy CI failures

Fix Trivy CI failures #505

Workflow file for this run

name: "UI Service Build"
on:
push:
tags:
- "[0-9]+.[0-9]+.[0-9]+"
- "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
branches: [main]
# Path filters aren't evaluated for tags - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
paths:
- ".nvmrc"
- "package.json"
- "package-lock.json"
- "src/*/static/**"
- ".github/workflows/**"
- ".github/scripts/**"
- "docker/webserver/**"
pull_request:
paths:
- ".nvmrc"
- "package.json"
- "package-lock.json"
- "src/*/static/**"
- ".github/workflows/**"
- ".github/scripts/**"
- "docker/webserver/**"
workflow_dispatch: # Manually
env:
REGISTRY: ghcr.io/noaa-gsl/unified-graphics/ui
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: "npm"
cache-dependency-path: "package-lock.json"
- name: Install dependencies
run: npm ci
- name: Lint
run: npm run lint:code
# test:
# runs-on: ubuntu-latest
# permissions:
# pull-requests: write
# steps:
# - uses: actions/checkout@v4
# - uses: actions/setup-node@v4
# with:
# node-version-file: ".nvmrc"
# cache: "npm"
# cache-dependency-path: "services/api/package-lock.json"
# - name: Install dependencies
# working-directory: services/api
# run: npm ci
# - name: Test
# working-directory: services/api
# run: |
# npx playwright install-deps
# npx playwright install
# npm test
# - name: Code Coverage Report
# uses: irongut/[email protected]
# with:
# filename: services/api/src/coverage/cobertura-coverage.xml
# badge: true
# fail_below_min: true
# format: markdown
# hide_branch_rate: false
# hide_complexity: true
# indicators: true
# output: both
# thresholds: "0 80"
# - name: Add Coverage PR Comment
# uses: marocchino/sticky-pull-request-comment@v2
# if: github.event_name == 'pull_request'
# with:
# header: UI Coverage
# recreate: true
# path: code-coverage-results.md
build:
runs-on: ubuntu-latest
needs: [lint]
permissions:
packages: write
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Build & tag image
run: |
docker build -t ${{ env.REGISTRY }}:${{ env.BRANCH }} -f docker/webserver/Dockerfile .
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
run: |
docker push ${{ env.REGISTRY }}:${{ env.BRANCH }}
scan:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Scan image with Trivy
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY }}:${{ env.BRANCH }}"
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
exit-code: "1"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
deploy:
if: ${{ github.actor != 'dependabot[bot]' }} # Don't deploy Dependabot changes
runs-on: ubuntu-latest
environment: vlab
concurrency: vlab
needs: scan
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
- name: retag image and push
run: |
docker pull ${{ env.REGISTRY }}:${{ env.BRANCH }}
docker tag ${{ env.REGISTRY }}:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/ui:${{ env.BRANCH }}
docker push ${{ secrets.AWS_REGISTRY }}/ui:${{ env.BRANCH }}