Skip to content

fix: 2 moderate severity npm package vulnerabilities #530

fix: 2 moderate severity npm package vulnerabilities

fix: 2 moderate severity npm package vulnerabilities #530

Workflow file for this run

name: CI/CD Pipeline
on:
push:
workflow_dispatch:
inputs:
ssh_debugging:
description: Enable SSH debugging
type: boolean
required: true
default: false
jobs:
versions:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Determine versions
id: versions
run: |
echo "erlang=$(grep 'erlang_version' elixir_buildpack.config | cut -d'=' -f2)" >> "$GITHUB_OUTPUT"
echo "elixir=$(grep 'elixir_version' elixir_buildpack.config | cut -d'=' -f2)" >> "$GITHUB_OUTPUT"
echo "alpine=$(grep 'alpine_version' elixir_buildpack.config | cut -d'=' -f2)" >> "$GITHUB_OUTPUT"
echo "postgres=$(yq '.docker_services.postgres.version' < dev.yml)" >> "$GITHUB_OUTPUT"
outputs:
elixir: ${{ steps.versions.outputs.elixir }}
erlang: ${{ steps.versions.outputs.erlang }}
alpine: ${{ steps.versions.outputs.alpine }}
postgres: ${{ steps.versions.outputs.postgres }}
test:
runs-on: ubuntu-latest
needs: versions
env:
MIX_ENV: test
PGHOST: localhost
PGPASS: test
POSTGRES_USER: postgres
POSTGRES_PASSWORD: test
services:
postgres:
image: postgres:${{ needs.versions.outputs.postgres }}-alpine
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: test
POSTGRES_HOST_AUTH_METHOD: trust
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- uses: actions/checkout@v4
- uses: erlef/setup-beam@v1
with:
otp-version: ${{ needs.versions.outputs.erlang }}
elixir-version: ${{ needs.versions.outputs.elixir }}
- uses: actions/setup-node@v4
with:
node-version: 20
- uses: nanasess/setup-chromedriver@v2
- uses: actions/cache/restore@v4
id: cache-restore-mix-deps
with:
path: |
deps
_build
key: mix-${{ needs.versions.outputs.erlang }}-${{ needs.versions.outputs.elixir }}-${{ hashFiles('**/mix.lock') }}
restore-keys: |
mix-${{ needs.versions.outputs.erlang }}-${{ needs.versions.outputs.elixir }}-
- name: Prepare deps
if: steps.cache-restore-mix-deps.outputs.cache-hit != 'true'
run: mix do deps.get, deps.compile
- uses: actions/cache/save@v4
if: steps.cache-restore-mix-deps.outputs.cache-hit != 'true'
with:
path: |
deps
_build
key: ${{ steps.cache-restore-mix-deps.outputs.cache-primary-key }}
- name: Prepare assets
run: mix assets.setup
- name: Compile
run: mix compile
- name: Setup DB
run: mix ecto.setup
- name: Site assets
run: mix assets.build
- name: Test
run: mix test
build:
runs-on: ubuntu-latest
needs: versions
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ECR_ACCESS_ROLE_ARN }}
- name: Log into AWS ECR
uses: docker/login-action@v3
with:
registry: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com
- name: Build and push
uses: docker/build-push-action@v5
with:
build-args: |
MIX_ENV=prod
APP_NAME=remit
ERLANG_VERSION=${{ needs.versions.outputs.erlang }}
ELIXIR_VERSION=${{ needs.versions.outputs.elixir }}
ALPINE_VERSION=${{ needs.versions.outputs.alpine }}
REVISION=${{ github.sha }}
context: .
push: ${{ github.ref_name == github.event.repository.default_branch }}
tags: |
${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
deploy:
runs-on: ubuntu-latest
if: github.ref_name == github.event.repository.default_branch
needs:
- test
- build
concurrency:
group: deploy
cancel-in-progress: false
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.repository.default_branch }}
fetch-depth: 0
- name: Checkout stack repository
uses: actions/checkout@v4
with:
repository: barsoom/stack
path: stack
token: ${{ secrets.STACK_TOKEN }}
sparse-checkout: |
applications/remit/values.yaml
script/ci/deploy.sh
script/ci/ensure_revision_is_newer_than_deployed_revision.sh
- name: Ensure revision is newer than deployed revision
run: stack/script/ci/ensure_revision_is_newer_than_deployed_revision.sh
- name: Update values.yaml with new image tag
run: |
NEW_TAG="${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}:sha-${{ github.sha }}"
sed -i "s|image:.*|image: $NEW_TAG|g" stack/applications/remit/values.yaml
- name: Deploy to Stack
run: stack/script/ci/deploy.sh remit.auctionet.dev