Build(deps): bump softprops/action-gh-release from 1 to 2 #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Deploy | |
on: | |
push: | |
branches: ["*"] | |
pull_request: | |
branches: ["main"] | |
workflow_dispatch: | |
jobs: | |
shellcheck: | |
name: Shellcheck | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Run ShellCheck | |
uses: ludeeus/action-shellcheck@master | |
with: | |
scandir: "./ops" | |
fossa-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: FOSSA Check | |
run: | | |
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash | |
export FOSSA_API_KEY=${{secrets.FOSSA_API_KEY}} | |
fossa analyze | |
credential-check: | |
name: Credential Check | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.head_ref }} | |
# - name: Trufflehog scan | |
# uses: trufflesecurity/trufflehog@main | |
# with: | |
# path: ./ | |
# base: ${{ github.event.repository.default_branch }} | |
# head: HEAD | |
# extra_args: --only-verified | |
- name: Run Gitleaks check | |
run: | | |
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ | |
-v "${PWD}:/path" \ | |
ghcr.io/gitleaks/gitleaks:latest \ | |
detect \ | |
--source="/path" \ | |
-v --redact | |
security-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.head_ref }} | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "fs" | |
ignore-unfixed: true | |
exit-code: "1" | |
severity: "CRITICAL" | |
trivyignores: .trivyignore | |
- name: Run Trivy vulnerability scanner in IaC mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "config" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: "CRITICAL" | |
trivyignores: .trivyignore | |
backend-check: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: ./backend | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: ${{ vars.JAVA_VERSION }} | |
distribution: "adopt" | |
- name: Validate Gradle wrapper | |
uses: gradle/wrapper-validation-action@v2 | |
- name: Set up Gradle | |
uses: gradle/[email protected] | |
- name: Test and check | |
run: ./gradlew clean check | |
- name: Build | |
run: ./gradlew clean build | |
- name: Upload Test Report to Codacy | |
run: | | |
export CODACY_PROJECT_TOKEN=${{secrets.CODACY_PROJECT_TOKEN}} | |
bash <(curl -Ls https://coverage.codacy.com/get.sh) | |
- name: Build and analyze | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_BACKEND }} | |
run: ./gradlew build sonar --info | |
backend-license-check: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: ./backend | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: ${{ vars.JAVA_VERSION }} | |
distribution: "adopt" | |
- name: Validate Gradle wrapper | |
uses: gradle/wrapper-validation-action@v2 | |
- name: Set up Gradle | |
uses: gradle/[email protected] | |
- name: License check | |
run: ./gradlew clean checkLicense | |
- uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: backend-license-report | |
path: backend/build/reports/dependency-license/ | |
retention-days: ${{ vars.RETENTION_DAYS }} | |
deny-dot-star-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Java .*; check | |
shell: bash {0} | |
run: ./ops/check.sh dot-star | |
deny-px-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: CSS unit `px` check | |
shell: bash {0} | |
run: ./ops/check.sh px | |
deny-css-hex-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: CSS hex check | |
shell: bash {0} | |
run: ./ops/check.sh hex | |
deny-css-rgba-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: CSS rgba check | |
shell: bash {0} | |
run: ./ops/check.sh rgba | |
frontend-type-check: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: ./frontend | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Use Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ vars.NODE_VERSION }} | |
- name: Install & Lint | |
run: | | |
npm install -g pnpm | |
pnpm install --no-frozen-lockfile | |
pnpm run type-check | |
frontend-check: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: ./frontend | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Use Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ vars.NODE_VERSION }} | |
- name: Install & Lint | |
run: | | |
npm install -g pnpm | |
pnpm install --no-frozen-lockfile | |
pnpm lint | |
- name: Audit for vulnerabilities | |
run: pnpm dlx audit-ci@^6 --critical --report-type full | |
- name: Testing and coverage | |
run: | | |
pnpm coverage:silent | |
- name: Building | |
run: pnpm build | |
- name: Upload Test Report to Codacy | |
run: | | |
export CODACY_PROJECT_TOKEN=${{secrets.CODACY_PROJECT_TOKEN}} | |
bash <(curl -Ls https://coverage.codacy.com/get.sh) | |
- name: SonarCloud Scan | |
uses: SonarSource/sonarcloud-github-action@master | |
with: | |
projectBaseDir: frontend | |
args: > | |
-Dsonar.organization=au-heartbeat | |
-Dsonar.projectKey=au-heartbeat-heartbeat-frontend | |
-Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info | |
-Dsonar.sources=src/ | |
-Dsonar.tests=__tests__ | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_FRONTEND }} | |
frontend-license-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Use Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ vars.NODE_VERSION }} | |
- name: License compliance check | |
run: | | |
./ops/check.sh frontend-license | |
# check-buildkite-status: | |
# if: ${{ github.event_name == 'pull_request' }} | |
# runs-on: ubuntu-latest | |
# steps: | |
# - name: Checkout code | |
# uses: actions/checkout@v4 | |
# | |
# - name: Check BuildKite status | |
# run: | | |
# buildkite_status=$(curl -H "Authorization: Bearer ${{ secrets.BUILDKITE_TOKEN }}" "https://api.buildkite.com/v2/organizations/thoughtworks-Heartbeat/pipelines/heartbeat/builds?branch=main"| jq -r '.[0].state') | |
# | |
# if [ "$buildkite_status" != "passed" ]; then | |
# echo "BuildKite build failed. Cannot merge the PR." | |
# exit 1 | |
# fi | |
images-check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Build and tag | |
run: | | |
docker build -t frontend:latest ./ -f ./ops/infra/Dockerfile.frontend | |
docker build -t backend:latest ./ -f ./ops/infra/Dockerfile.backend | |
- name: Run Trivy vulnerability scanner for frontend | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: frontend:latest | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
trivyignores: ".trivyignore" | |
- name: Run Trivy vulnerability scanner for backend | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: backend:latest | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
trivyignores: ".trivyignore" | |
deploy-infra: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- fossa-check | |
- frontend-check | |
- deny-px-check | |
- deny-css-hex-check | |
- deny-css-rgba-check | |
- frontend-type-check | |
- backend-check | |
- deny-dot-star-check | |
- security-check | |
- images-check | |
- shellcheck | |
- credential-check | |
- frontend-license-check | |
- backend-license-check | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
# - name: Configure AWS credentials | |
# if: ${{ contains(github.event.head_commit.message, '[infra]') }} | |
# uses: aws-actions/configure-aws-credentials@v4 | |
# with: | |
# role-to-assume: ${{ secrets.AWS_GITHUB_ACTION_ROLE }} | |
# aws-region: ${{ secrets.AWS_REGION}} | |
# role-session-name: MySessionName | |
# - name: Deploy infra | |
# if: ${{ contains(github.event.head_commit.message, '[infra]') }} | |
# env: | |
# SSHPublicKey: ${{ secrets.AWS_EC2_SSH_PUBLIC_KEY}} | |
# AWSHost: ${{ secrets.AWS_HOST }} | |
# AWSAccountId: ${{ secrets.AWS_ACCOUNT_ID }} | |
# AWSRegion: ${{ secrets.AWS_REGION }} | |
# BuildKiteToken: ${{ secrets.BUILDKITE_TOKEN }} | |
# SSHPrivateKey: ${{ secrets.AWS_EC2_SSH_PRIVATE_KEY}} | |
# run: | | |
# sh ./ops/infra/updateAwsResource.sh | |
build-backend: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- deploy-infra | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_GITHUB_ACTION_ROLE }} | |
aws-region: ${{ secrets.AWS_REGION}} | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Build, tag, and push for Backend | |
env: | |
REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
REPOSITORY: heartbeat_backend | |
IMAGE_TAG: "hb${{ github.run_number }}" | |
run: | | |
docker build -t $REGISTRY/$REPOSITORY:latest ./ -f ./ops/infra/Dockerfile.backend | |
docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ./ -f ./ops/infra/Dockerfile.backend | |
# - name: Push for Backend | |
# env: | |
# REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
# REPOSITORY: heartbeat_backend | |
# IMAGE_TAG: "hb${{ github.run_number }}" | |
# run: | | |
# docker push $REGISTRY/$REPOSITORY:latest | |
# docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG | |
build-frontend: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- deploy-infra | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_GITHUB_ACTION_ROLE }} | |
aws-region: ${{ secrets.AWS_REGION}} | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Build, tag, and push for Frontend | |
env: | |
REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
REPOSITORY: heartbeat_frontend | |
IMAGE_TAG: "hb${{ github.run_number }}" | |
run: | | |
docker build -t $REGISTRY/$REPOSITORY:latest ./ -f ./ops/infra/Dockerfile.frontend | |
docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ./ -f ./ops/infra/Dockerfile.frontend | |
# - name: Push for Frontend | |
# env: | |
# REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
# REPOSITORY: heartbeat_frontend | |
# IMAGE_TAG: "hb${{ github.run_number }}" | |
# run: | | |
# docker push $REGISTRY/$REPOSITORY:latest | |
# docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG | |
deploy-e2e: | |
runs-on: ubuntu-latest | |
needs: | |
- build-backend | |
- build-frontend | |
steps: | |
- name: Checkout repo | |
# uses: actions/checkout@v4 | |
run: echo "This is an empty step" | |
# - name: Update docker-compose.yaml | |
# run: | | |
# sed -i -e 's/heartbeat_backend:latest/${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}\/heartbeat_backend:hb${{ github.run_number }}/g' ops/infra/docker-compose.yml | |
# sed -i -e 's/heartbeat_frontend:latest/${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}\/heartbeat_frontend:hb${{ github.run_number }}/g' ops/infra/docker-compose.yml | |
# - name: Copy docker-compose to ec2 | |
# uses: appleboy/scp-action@master | |
# with: | |
# host: ${{ secrets.AWS_EC2_IP_E2E }} | |
# username: ${{ secrets.AWS_USERNAME }} | |
# key: ${{ secrets.AWS_PRIVATE_KEY }} | |
# port: ${{ secrets.AWS_SSH_PORT }} | |
# source: "./ops/infra/docker-compose.yml" | |
# target: "./" | |
# strip_components: 1 | |
# - name: Deploy | |
# uses: appleboy/ssh-action@master | |
# env: | |
# REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }} | |
# IMAGE_TAG: "hb${{ github.run_number }}" | |
# with: | |
# host: ${{ secrets.AWS_EC2_IP_E2E }} | |
# username: ${{ secrets.AWS_USERNAME }} | |
# key: ${{ secrets.AWS_PRIVATE_KEY }} | |
# port: ${{ secrets.AWS_SSH_PORT }} | |
# script: | | |
# aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }} | |
# cp "./ops/infra/docker-compose.yml" ./ | |
# # docker-compose down | |
# if [[ -n $(docker images -f label=arch=Backend -q) ]]; then docker rmi -f $(docker images -f label=arch=Backend -q); fi | |
# if [[ -n $(docker images -f label=arch=Frontend -q) ]]; then docker rmi -f $(docker images -f label=arch=Frontend -q); fi | |
# docker pull $REGISTRY/heartbeat_backend:$IMAGE_TAG | |
# docker pull $REGISTRY/heartbeat_frontend:$IMAGE_TAG | |
# export SPRING_PROFILES_ACTIVE="e2e" | |
# docker-compose up -d frontend | |
e2e: | |
runs-on: ubuntu-latest | |
needs: | |
- deploy-e2e | |
container: | |
image: mcr.microsoft.com/playwright:latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
node-version: ${{ vars.NODE_VERSION }} | |
- name: Install | |
run: | | |
npm install -g pnpm | |
- name: Set env | |
run: echo "HOME=/root" >> $GITHUB_ENV | |
- name: Run E2E | |
env: | |
APP_ORIGIN: ${{ vars.APP_HTTP_SCHEDULE }}://${{ secrets.AWS_EC2_IP_E2E }}:${{ secrets.AWS_EC2_IP_E2E_FRONTEND_PORT }} | |
E2E_TOKEN_JIRA: ${{ secrets.E2E_TOKEN_JIRA }} | |
E2E_TOKEN_BUILD_KITE: ${{ secrets.E2E_TOKEN_BUILD_KITE }} | |
E2E_TOKEN_GITHUB: ${{ secrets.E2E_TOKEN_GITHUB }} | |
E2E_TOKEN_FLAG_AS_BLOCK_JIRA: ${{ secrets.E2E_TOKEN_FLAG_AS_BLOCK_JIRA }} | |
shell: bash {0} | |
run: ./ops/check.sh e2e | |
- uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: playwright-report | |
path: frontend/e2e/reports/ | |
retention-days: 30 | |
deploy: | |
runs-on: ubuntu-latest | |
needs: | |
- e2e | |
steps: | |
- name: Checkout repo | |
# uses: actions/checkout@v4 | |
run: echo "This is an empty step" | |
# - name: Update docker-compose.yaml | |
# run: | | |
# sed -i -e 's/heartbeat_backend:latest/${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}\/heartbeat_backend:hb${{ github.run_number }}/g' ops/infra/docker-compose.yml | |
# sed -i -e 's/heartbeat_frontend:latest/${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}\/heartbeat_frontend:hb${{ github.run_number }}/g' ops/infra/docker-compose.yml | |
# - name: Copy docker-compose to ec2 | |
# uses: appleboy/scp-action@master | |
# with: | |
# host: ${{ secrets.AWS_EC2_IP }} | |
# username: ${{ secrets.AWS_USERNAME }} | |
# key: ${{ secrets.AWS_PRIVATE_KEY }} | |
# port: ${{ secrets.AWS_SSH_PORT }} | |
# source: "./ops/infra/docker-compose.yml" | |
# target: "./" | |
# strip_components: 1 | |
# - name: Deploy | |
# uses: appleboy/ssh-action@master | |
# env: | |
# REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }} | |
# IMAGE_TAG: "hb${{ github.run_number }}" | |
# with: | |
# host: ${{ secrets.AWS_EC2_IP }} | |
# username: ${{ secrets.AWS_USERNAME }} | |
# key: ${{ secrets.AWS_PRIVATE_KEY }} | |
# port: ${{ secrets.AWS_SSH_PORT }} | |
# script: | | |
# aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }} | |
# cp "./ops/infra/docker-compose.yml" ./ | |
# # docker-compose down | |
# if [[ -n $(docker images -f label=app=Heartbeat -q) ]]; then docker rmi -f $(docker images -f label=app=Heartbeat -q); fi | |
# docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}/heartbeat_backend:$IMAGE_TAG | |
# docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}/heartbeat_frontend:$IMAGE_TAG | |
# docker-compose up -d frontend |