diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..10ffb339b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: daily
+ time: "04:00"
+ open-pull-requests-limit: 10
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
new file mode 100644
index 000000000..ab765cf60
--- /dev/null
+++ b/.github/workflows/push.yml
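Review bot: The two `updates` entries quote their string scalars inconsistently — `package-ecosystem: npm` and `interval: daily` are plain while `"github-actions"` and `"weekly"` are quoted; pick one form for the whole file (quoting is the safer default for these values). The npm entry sets `time: "04:00"` without a `timezone:`, so Dependabot's default of UTC applies — add `timezone:` if a local hour was intended. If the project's `.npmrc` routes the Font Awesome packages to an authenticated registry (the `push.yml` workflow added in this commit substitutes `FONTAWESOME_NPM_AUTH_TOKEN` into one), Dependabot will presumably fail to resolve those packages unless a matching `registries:` block is configured and the token is stored as a Dependabot secret — worth confirming before the first scheduled run.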
@@ -0,0 +1,50 @@
+name: onpush pipeline
+on:
+ push:
+
+jobs:
+ verify:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v3
+ with:
+ node-version: '20'
+ cache: 'npm'
+ - name: Fontawesome
+ run: |
+ cp ~/work/num-portal-webapp/num-portal-webapp/.circleci/.npmrc ~/
+ envsubst '$FONTAWESOME_NPM_AUTH_TOKEN' < ~/.npmrc
+ - name: Install
+ run: npm install
+ - name: Run Linter
+ run: npm run lint
+ - name: Run frontend unit tests
+ run: npm run test-ci
+ env:
+ NODE_OPTIONS: --max_old_space_size=4096
+ - name: Upload test report
+ uses: actions/upload-artifact@v4
+ with:
+ name: test-report
+ path: ./reports/junit/
+ - name: Run CVE scan with audit
+ run: npm audit --audit-level=critical
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
+ - name: SonarCloud Scan
+ uses: sonarsource/sonarcloud-github-action@v2.1.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ continue-on-error: true
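Review bot: In the `Fontawesome` step the `envsubst '$FONTAWESOME_NPM_AUTH_TOKEN' < ~/.npmrc` output goes to stdout and is never written back, and the step declares no `env:` supplying `FONTAWESOME_NPM_AUTH_TOKEN`, so `~/.npmrc` still holds the unexpanded placeholder when `npm install` runs; redirect the result into `~/.npmrc`, pass the token from a repository secret, and use `$GITHUB_WORKSPACE` instead of the hard-coded `~/work/num-portal-webapp/num-portal-webapp` checkout path. `uses: aquasecurity/trivy-action@master` tracks a mutable branch of a third-party action that runs inside the job with the checked-out workspace — pin it to a release tag or commit SHA like the other actions (and `actions/setup-node@v3` lags its `@v4` siblings, which the new Dependabot `github-actions` entry will keep flagging). The job sets no `permissions:`, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write`, which the default `GITHUB_TOKEN` lacks on repositories configured for read-only tokens; declaring the job's permissions explicitly both fixes that and scopes the token to least privilege. `npm ci` rather than `npm install` would make the CI install honor the lockfile. The rewritten step and the added permissions block are sketched below.
```yaml
jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by codeql-action/upload-sarif
    steps:
      # … unchanged: checkout and setup-node steps …
      - name: Fontawesome
        env:
          FONTAWESOME_NPM_AUTH_TOKEN: ${{ secrets.<FONTAWESOME_SECRET_NAME> }}  # placeholder: the repository secret holding the token
        run: |
          envsubst '$FONTAWESOME_NPM_AUTH_TOKEN' < "$GITHUB_WORKSPACE/.circleci/.npmrc" > ~/.npmrc
      # … unchanged: install, lint, tests, report upload, audit, Trivy, SARIF upload, SonarCloud …
```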