SocialGouv · maxgfr · Mar 8, 2022 · Mar 3, 2022 · Mar 7, 2022 · Mar 7, 2022
@@ -0,0 +1,75 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "16 1 * * 5"
+
+concurrency:
+  cancel-in-progress: true
+  group: codeql-${{ github.ref }}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      #- run: |
+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
@@ -0,0 +1,107 @@
+name: Code quality
+
+on: [pull_request]
+
+concurrency:
+  cancel-in-progress: true
+  group: quality-${{ github.ref }}
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version-file: '.node-version'
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - name: Restore cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Install dependencies
+        run: |
+          yarn install --prefer-offline --frozen-lockfile
+      - name: Build code
+        run: |
+          yarn build
+      - name: Cache build
+        uses: actions/cache@v2
+        with:
+          path: ./*
+          key: ${{ github.sha }}
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    needs: [build]
+    strategy:
+      fail-fast: false
+      matrix:
+        repositories:
+          [
+            "frontend",
+            "alert-cli",
+            "ingester",
+            "ingester-es",
+            "@shared/dila-resolver",
+            "@socialgouv/cdtn-elasticsearch",
+            "@shared/elasticsearch-document-adapter",
+            "@socialgouv/cdtn-logger"
+          ]
+    steps:
+      - uses: actions/cache@v2
+        name: Restore build
+        with:
+          path: ./*
+          key: ${{ github.sha }}
+      - name: Lint ${{ matrix.repositories }}
+        run: |
+          yarn workspace ${{ matrix.repositories }} lint
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    needs: [ build ]
+    strategy:
+      fail-fast: false
+      matrix:
+        repositories:
+          [
+              "frontend",
+              "alert-cli",
+              "ingester",
+              "ingester-es",
+              "@shared/dila-resolver",
+              "@socialgouv/cdtn-elasticsearch",
+              "@shared/elasticsearch-document-adapter",
+              "@socialgouv/cdtn-logger"
+          ]
+    steps:
+      - uses: actions/cache@v2
+        name: Restore build
+        with:
+          path: ./*
+          key: ${{ github.sha }}
+      - name: Test ${{ matrix.repositories }}
+        run: |
+          yarn workspace ${{ matrix.repositories }} test
+
+  docker:
+    name: Lint Dockerfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@v1.6.0
+        with:
+          failure-threshold: error
+          recursive: true
@@ -0,0 +1,52 @@
+name: Security vulnerability scanner
+
+on:
+  push:
+    branches: ["master"]
+
+concurrency:
+  cancel-in-progress: true
+  group: security-${{ github.ref }}
+
+jobs:
+  register:
+    name: Register images
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - images: "cdtn-admin-frontend"
+            path: "./targets/frontend"
+    steps:
+      - name: Register docker image for frontend
+        uses: SocialGouv/actions/autodevops-build-register@local-cache-cdtn
+        with:
+          project: "cdtn-admin"
+          imageName: cdtn-admin/${{ matrix.images }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          dockerfile: "${{ matrix.path }}/Dockerfile"
+          dockercontext: "${{ matrix.path }}/"
+
+  trivy:
+    name: Run trivy
+    runs-on: ubuntu-18.04
+    needs: [register]
+    strategy:
+      fail-fast: false
+      matrix:
+        images: ["cdtn-admin-frontend"]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build ${{ matrix.images }} from Dockerfile
+        run: |
+          docker build -t ghcr.io/socialgouv/cdtn-admin/${{ matrix.images }}:sha-${{ github.sha }} .
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/socialgouv/cdtn-admin/${{ matrix.images }}:sha-${{ github.sha }}"
+          format: "table"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
@@ -0,0 +1,15 @@
+name: Gitlab mirroring
+
+on:
+  - push
+  - delete
+
+jobs:
+  mirror_gitlab:
+    name: 🪞 Gitlab
+    runs-on: ubuntu-latest
+    steps:
+      - uses: SocialGouv/actions/mirror-gitlab@master
+        with:
+          project: SocialGouv/cdtn/cdtn-admin
+          token: ${{ secrets.SOCIALGROOVYBOT_GITLAB_TOKEN }}
diff --git a/.github/workflows/🇫🇷.yml b/.github/workflows/🇫🇷.yml
diff --git a/Dockerfile b/Dockerfile
diff --git a/package.json b/package.json
@@ -23,5 +23,8 @@
   "name": "cdtn-admin",
   "volta": {
     "node": "14.18.0"
+  },
+  "engines": {
+    "node": "^14"
   }
 }
diff --git a/shared/dila-resolver/.gitlab-ci.yml b/shared/dila-resolver/.gitlab-ci.yml
@@ -36,8 +36,6 @@
     #
     #
     #
-    - yarn lint
-    - yarn test
     - yarn build
   artifacts:
     expire_in: 1 week

diff --git a/shared/elasticsearch-document-adapter/.gitlab-ci.yml b/shared/elasticsearch-document-adapter/.gitlab-ci.yml
@@ -32,8 +32,6 @@
     #
     #
     #
-    - yarn lint
-    - yarn test
     - yarn build
   artifacts:
     expire_in: 1 week

diff --git a/shared/elasticsearch/.gitlab-ci.yml b/shared/elasticsearch/.gitlab-ci.yml
diff --git a/shared/elasticsearch/package.json b/shared/elasticsearch/package.json
@@ -37,7 +37,8 @@
     "lint": "eslint \"./src/**/*.{js,ts}\"",
     "precommit": "lint-staged",
     "prepush": "yarn lint && yarn test --bail --changedSince=master",
-    "test": "jest"
+    "test": "jest",
+    "test:update": "jest -u"
   },
   "lint-staged": {
     "lib/**": [