This repository has been archived by the owner on Sep 30, 2024. It is now read-only.
Fix Trivy CI failures #507
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "UI Service Build" | |
on: | |
push: | |
tags: | |
- "[0-9]+.[0-9]+.[0-9]+" | |
- "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" | |
branches: [main] | |
# Path filters aren't evaluated for tags - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore | |
paths: | |
- ".nvmrc" | |
- "package.json" | |
- "package-lock.json" | |
- "src/*/static/**" | |
- ".github/workflows/**" | |
- ".github/scripts/**" | |
- "docker/webserver/**" | |
pull_request: | |
paths: | |
- ".nvmrc" | |
- "package.json" | |
- "package-lock.json" | |
- "src/*/static/**" | |
- ".github/workflows/**" | |
- ".github/scripts/**" | |
- "docker/webserver/**" | |
workflow_dispatch: # Manually | |
env: | |
REGISTRY: ghcr.io/noaa-gsl/unified-graphics/ui | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version-file: ".nvmrc" | |
cache: "npm" | |
cache-dependency-path: "package-lock.json" | |
- name: Install dependencies | |
run: npm ci | |
- name: Lint | |
run: npm run lint:code | |
# test: | |
# runs-on: ubuntu-latest | |
# permissions: | |
# pull-requests: write | |
# steps: | |
# - uses: actions/checkout@v4 | |
# - uses: actions/setup-node@v4 | |
# with: | |
# node-version-file: ".nvmrc" | |
# cache: "npm" | |
# cache-dependency-path: "services/api/package-lock.json" | |
# - name: Install dependencies | |
# working-directory: services/api | |
# run: npm ci | |
# - name: Test | |
# working-directory: services/api | |
# run: | | |
# npx playwright install-deps | |
# npx playwright install | |
# npm test | |
# - name: Code Coverage Report | |
# uses: irongut/[email protected] | |
# with: | |
# filename: services/api/src/coverage/cobertura-coverage.xml | |
# badge: true | |
# fail_below_min: true | |
# format: markdown | |
# hide_branch_rate: false | |
# hide_complexity: true | |
# indicators: true | |
# output: both | |
# thresholds: "0 80" | |
# - name: Add Coverage PR Comment | |
# uses: marocchino/sticky-pull-request-comment@v2 | |
# if: github.event_name == 'pull_request' | |
# with: | |
# header: UI Coverage | |
# recreate: true | |
# path: code-coverage-results.md | |
build: | |
runs-on: ubuntu-latest | |
needs: [lint] | |
permissions: | |
packages: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Build & tag image | |
run: | | |
docker build -t ${{ env.REGISTRY }}:${{ env.BRANCH }} -f docker/webserver/Dockerfile . | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push image | |
run: | | |
docker push ${{ env.REGISTRY }}:${{ env.BRANCH }} | |
scan: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Scan image with Trivy | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "${{ env.REGISTRY }}:${{ env.BRANCH }}" | |
format: "sarif" | |
output: "trivy-results.sarif" | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
limit-severities-for-sarif: true | |
exit-code: "1" | |
env: | |
TRIVY_USERNAME: ${{ github.actor }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: always() | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
deploy: | |
if: ${{ github.actor != 'dependabot[bot]' }} # Don't deploy Dependabot changes | |
runs-on: ubuntu-latest | |
environment: vlab | |
concurrency: vlab | |
needs: scan | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-east-1 | |
- name: Login to ECR | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: retag image and push | |
run: | | |
docker pull ${{ env.REGISTRY }}:${{ env.BRANCH }} | |
docker tag ${{ env.REGISTRY }}:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/ui:${{ env.BRANCH }} | |
docker push ${{ secrets.AWS_REGISTRY }}/ui:${{ env.BRANCH }} |