-
Notifications
You must be signed in to change notification settings - Fork 4
150 lines (131 loc) · 7.2 KB
/
angular.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: angular
on:
# run on all pull requests (but note that certain steps are skipped if if: github.ref == 'refs/heads/main' )
pull_request:
paths: [ 'angular/**', '.github/workflows/angular.yml' ]
# run the foll set of steps on push into main branch
push:
# If at least one path matches a pattern in the paths filter, the workflow runs
paths: [ 'angular/**', '.github/workflows/angular.yml' ]
branches: [ main ]
jobs:
build:
if: " ! contains(github.event.head_commit.message, 'skip ci') "
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x]
steps:
- name: Checkout Repo
uses: actions/checkout@v4
# https://stackoverflow.com/questions/58139406/only-run-job-on-specific-branch-with-github-actions
# if: github.ref == 'refs/heads/main'
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1
- name: Pull Environment Config from AWS SSM ParamStore
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
run: |
echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV
echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
# https://github.com/actions/cache
# This action allows caching dependencies and build outputs to improve workflow execution time.
# for yarn https://github.com/actions/cache/blob/main/examples.md#node---yarn
- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
**/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node-
- name: Node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: yarn npm install and run angular build
working-directory: ./angular
run: |
npm install -g yarn
yarn install
yarn run test:coverage
yarn run build:prod
- name: Lint Dockerfile with hadolint
uses: brpaz/[email protected]
with:
dockerfile: ./angular/Dockerfile
# https://github.com/SonarSource/sonarcloud-github-action
# https://sonarcloud.io/project/configuration?analysisMode=GitHubActions&id=tillkuhn_angkor
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
projectBaseDir: ./angular
# -Dsonar.host.url=https://sonarcloud.io # not required, raises overwrite warning
# key needs to exist - no so nice for our monorepo setup (so angkor-ui does not work)
args: >
-Dsonar.organization=tillkuhn
-Dsonar.projectKey=angkor-ui
-Dsonar.projectVersion=${{env.RELEASE_VERSION}}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Set up Docker Buildx to support arm/amd platforms
uses: docker/setup-buildx-action@v3
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
- name: Login to DockerHub
uses: docker/login-action@v3
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
- name: Push to DockerHub
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
context: ./angular
file: ./angular/Dockerfile
platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
push: true
tags: ${{ secrets.DOCKER_USERNAME }}/angkor-ui:latest
build-args: |
LATEST_REPO_TAG=${{ env.LATEST_REPO_TAG }}
RELEASE_NAME=${{ env.RELEASE_NAME }}
- name: Publish Action Event
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
run: |
aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-ui\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \
--message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}"
env:
TOPIC_ARN: ${{ secrets.TOPIC_ARN }}
- name: Send Kafka Publish Event with Docker
id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
run: |
docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \
-ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
-source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
-type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-ui" \
-record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"
# Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
# - https://github.com/aquasecurity/trivy-action
# - https://blog.aquasec.com/github-vulnerability-scanner-trivy
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
if: github.ref == 'refs/heads/main' # this is how to skip only specific steps if not main
with:
image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-ui:latest'
format: 'sarif'
output: 'trivy-results.sarif'
# Using Trivy with GitHub Code Scanning
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
sarif_file: 'trivy-results.sarif'