---
# Lint, build, vulnerability-scan and deploy the UI service container image.
#
# Runs on:
#   * a pushed release tag (X.Y.Z or X.Y.Z-rcN)
#   * a push to main that touches one of the UI build inputs listed below
#   * a pull request that touches the same inputs
#   * a manual dispatch from the Actions tab
name: "UI Service Build"
on:
  push:
    # These are GitHub glob filters, not regexes: `+` means "one or more of
    # the preceding character", so "[0-9]+" is a run of digits.
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"
      - "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
    branches:
      - main
    # The `paths` filter applies to the branch push only. GitHub does not
    # evaluate path filters for tag pushes, so every release tag builds:
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
    paths:
      - ".nvmrc"
      - "package.json"
      - "package-lock.json"
      - "src/*/static/**"
      - ".github/workflows/**"
      - ".github/scripts/**"
      - "docker/webserver/**"
  pull_request:
    # Same inputs as the branch push so PRs exercise the same pipeline.
    paths:
      - ".nvmrc"
      - "package.json"
      - "package-lock.json"
      - "src/*/static/**"
      - ".github/workflows/**"
      - ".github/scripts/**"
      - "docker/webserver/**"
  workflow_dispatch: # manual run
env:
  # Image name on GHCR; the jobs below append the branch or tag name as the
  # image tag.
  REGISTRY: ghcr.io/noaa-gsl/unified-graphics/ui
jobs:
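lint:
  # Static checks only. This job never writes anything through the
  # GITHUB_TOKEN, so give it read access explicitly instead of inheriting
  # whatever the repository's default token permissions happen to be.
  runs-on: ubuntu-latest
  permissions:
    contents: read
  # NOTE(review): every `uses:` in this workflow is pinned to a mutable tag
  # (@v4, @v3, @0.18.0). A tag can be moved to different code after the
  # fact; pin each action to its full commit SHA (keeping the tag in a
  # trailing comment) if supply-chain exposure matters for this pipeline.
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version-file: ".nvmrc"
        cache: "npm"
        cache-dependency-path: "package-lock.json"
    - name: Install dependencies
      # `npm ci` installs exactly what package-lock.json pins and fails on
      # lockfile drift, which keeps lint results reproducible.
      run: npm ci
    - name: Lint
      run: npm run lint:code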
# test:
# runs-on: ubuntu-latest
# permissions:
# pull-requests: write
# steps:
# - uses: actions/checkout@v4
# - uses: actions/setup-node@v4
# with:
# node-version-file: ".nvmrc"
# cache: "npm"
# cache-dependency-path: "services/api/package-lock.json"
# - name: Install dependencies
# working-directory: services/api
# run: npm ci
# - name: Test
# working-directory: services/api
# run: |
# npx playwright install-deps
# npx playwright install
# npm test
# - name: Code Coverage Report
# uses: irongut/[email protected]
# with:
# filename: services/api/src/coverage/cobertura-coverage.xml
# badge: true
# fail_below_min: true
# format: markdown
# hide_branch_rate: false
# hide_complexity: true
# indicators: true
# output: both
# thresholds: "0 80"
# - name: Add Coverage PR Comment
# uses: marocchino/sticky-pull-request-comment@v2
# if: github.event_name == 'pull_request'
# with:
# header: UI Coverage
# recreate: true
# path: code-coverage-results.md
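build:
  # Build the UI image and push it to GHCR tagged with the branch/tag name.
  runs-on: ubuntu-latest
  needs: [lint]
  permissions:
    # Declaring any scope at job level sets every undeclared scope to none,
    # so checkout's read access must be listed alongside the package push.
    contents: read
    packages: write
  steps:
    - uses: actions/checkout@v4
    - name: Extract branch/tag name
      # Provides env.BRANCH. Values written to $GITHUB_ENV are also exported
      # to later steps as ordinary shell variables, which is what the build
      # and push steps below rely on.
      run: python3 ./.github/scripts/extract_git_ref.py
    - name: Build & tag image
      # Reference REGISTRY and BRANCH as shell variables rather than
      # expanding `${{ ... }}` into the script: expression expansion is
      # textual and happens before the shell starts, so a ref name holding
      # shell metacharacters would be executed as code. BRANCH comes from
      # the git ref, and on pull_request events that ref is chosen by the
      # PR author.
      run: |
        docker build -t "${REGISTRY}:${BRANCH}" -f docker/webserver/Dockerfile .
    - name: Login to GHCR
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Push image
      # NOTE(review): this job also runs on pull_request. Same-repo PRs get
      # a GITHUB_TOKEN with packages:write, so unreviewed PR builds are
      # pushed to GHCR under their branch name; fork PRs get a read-only
      # token and fail here. Confirm that is the intended behaviour.
      run: |
        docker push "${REGISTRY}:${BRANCH}"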
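scan:
  # Pull the freshly pushed image back from GHCR, scan it with Trivy and
  # publish the SARIF report to the repository's Security tab.
  runs-on: ubuntu-latest
  needs: build
  permissions:
    contents: read # actions/checkout
    packages: read # Trivy pulls the image from GHCR with GITHUB_TOKEN
    # upload-sarif needs security-events:write; a repository whose default
    # token is read-only would otherwise fail the upload step.
    security-events: write
    actions: read # only required by upload-sarif for private repositories
  steps:
    - uses: actions/checkout@v4
    - name: Extract branch/tag name
      run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
    - name: Scan image with Trivy
      # NOTE(review): the image is fetched by mutable tag, not digest. If a
      # concurrent run re-pushes the same tag between `build` and `deploy`,
      # the image scanned here is not the one deployed. Passing the pushed
      # digest from `build` as a job output would close that gap.
      uses: aquasecurity/[email protected]
      with:
        # `with:` inputs are not run through a shell, so expression
        # expansion is safe here.
        image-ref: "${{ env.REGISTRY }}:${{ env.BRANCH }}"
        format: "sarif"
        output: "trivy-results.sarif"
        # Findings with no available fix are dropped entirely: they neither
        # fail the job nor appear in the uploaded SARIF.
        ignore-unfixed: true
        severity: "CRITICAL,HIGH"
        # A non-zero exit fails this job; `deploy` depends on it, so any
        # fixable CRITICAL/HIGH finding blocks the deploy.
        exit-code: "1"
      env:
        TRIVY_USERNAME: ${{ github.actor }}
        TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload Trivy scan results to GitHub Security tab
      # always(): upload even when the scan step failed on findings, which
      # is exactly when the report is wanted.
      if: always()
      # NOTE(review): codeql-action@v2 is the previous major line; check
      # whether v3 is required on the GitHub version in use.
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: "trivy-results.sarif"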
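deploy:
  # Copy the scanned image from GHCR to the vlab ECR registry.
  if: ${{ github.actor != 'dependabot[bot]' }} # Don't deploy Dependabot changes
  runs-on: ubuntu-latest
  # NOTE(review): this job also runs for pull_request events, so PR builds
  # reach ECR unless the `vlab` environment's protection rules gate them.
  environment: vlab
  concurrency: vlab
  needs: scan
  permissions:
    contents: read # actions/checkout
    packages: read # pull the image from GHCR with GITHUB_TOKEN
  steps:
    - uses: actions/checkout@v4
    - name: Extract branch/tag name
      # Provides env.BRANCH; values written to $GITHUB_ENV are also exported
      # to later steps as shell variables.
      run: python3 ./.github/scripts/extract_git_ref.py
    - name: Login to GHCR
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Configure AWS credentials
      # NOTE(review): these are long-lived IAM user keys kept as repository
      # secrets. Prefer GitHub OIDC federation (`role-to-assume` with
      # `id-token: write`) so no static AWS credential lives in the repo.
      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1
    - name: Login to ECR
      uses: aws-actions/amazon-ecr-login@v2
    - name: retag image and push
      # Pass the registry secret through the step environment and reference
      # every value as a shell variable. Expanding `${{ ... }}` inside the
      # script splices raw text into the shell before it runs; BRANCH in
      # particular is derived from the git ref name.
      env:
        AWS_REGISTRY: ${{ secrets.AWS_REGISTRY }}
      run: |
        docker pull "${REGISTRY}:${BRANCH}"
        docker tag "${REGISTRY}:${BRANCH}" "${AWS_REGISTRY}/ui:${BRANCH}"
        docker push "${AWS_REGISTRY}/ui:${BRANCH}"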