generated from bcgov/quickstart-openshift
-
Notifications
You must be signed in to change notification settings - Fork 2
129 lines (120 loc) · 3.75 KB
/
analysis.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Analysis
on:
push:
branches: [main]
merge_group:
pull_request:
types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
schedule:
- cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
# https://github.com/github/codeql-action
codeql:
name: CodeQL
if: ${{ ! github.event.pull_request.draft }}
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: javascript
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:javascript"
# https://github.com/marketplace/actions/aqua-security-trivy
trivy:
name: Trivy Security Scan
if: ${{ ! github.event.pull_request.draft }}
runs-on: ubuntu-22.04
timeout-minutes: 1
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/[email protected]
with:
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
scan-type: "fs"
scanners: "vuln,secret,config"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
tests:
name: Tests
if: ${{ ! github.event.pull_request.draft }}
runs-on: ubuntu-22.04
timeout-minutes: 5
services:
postgres:
image: postgres
env:
POSTGRES_DB: postgres
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
strategy:
matrix:
dir: [vehicles, dops, frontend, scheduler, policy]
include:
- dir: dops
sonar_projectKey: onroutebc_dops
token: SONAR_TOKEN_DOPS
triggers: ('dops')
- dir: policy
sonar_projectKey: onroutebc_policy
token: SONAR_TOKEN_POLICY
triggers: ('policy')
- dir: vehicles
sonar_projectKey: onroutebc_vehicles
token: SONAR_TOKEN_VEHICLES
triggers: ('vehicles')
- dir: scheduler
sonar_projectKey: onroutebc_scheduler
token: SONAR_TOKEN_SCHEDULER
triggers: ('scheduler')
- dir: frontend
sonar_projectKey: onroutebc_frontend
token: SONAR_TOKEN_FRONTEND
triggers: ('frontend/')
steps:
- uses: bcgov-nr/[email protected]
with:
commands: |
npm ci
npm run test:cov
dir: ${{ matrix.dir }}
node_version: "18"
sonar_args: >
-Dsonar.exclusions=**/coverage/**,**/node_modules/**,**/*spec.ts
-Dsonar.organization=bcgov-sonarcloud
-Dsonar.projectKey=${{ matrix.sonar_projectKey }}
-Dsonar.sources=src
-Dsonar.tests.inclusions=**/*spec.ts
-Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info
sonar_token: ${{ secrets[matrix.token] }}
triggers: ${{ github.event_name == 'pull_requst' && matrix.triggers || '' }}
results:
name: Results
needs: [codeql, trivy, tests]
if: always() && (! failure())
runs-on: ubuntu-22.04
timeout-minutes: 1
steps:
- run: echo "Success!"