Skip to content

Scorecard fix

Scorecard fix #190

Workflow file for this run

name: Frontend CI
on:
push:
branches: [ "main" ]
paths:
- .github/workflows/frontend-ci.yaml
- components/resc-frontend/**
- '!**.md'
- '!**.png'
- '!**.gif'
- .gitignore
pull_request:
branches: [ "main" ]
paths:
- .github/workflows/frontend-ci.yaml
- components/resc-frontend/**
- '!**.md'
- '!**.png'
- '!**.gif'
- .gitignore
workflow_dispatch:
env:
RESC_FRONTEND_DIR: components/resc-frontend
CONTAINER_REGISTRY: rescabnamro
IMAGE_NAME: resc-frontend
permissions: read-all
jobs:
nodejs-basic-validation:
name: Build Nodejs
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20.9.0]
outputs:
frontend_version: ${{ steps.getversion.outputs.frontend_version }}
steps:
- name: Checkout Repository
uses: actions/checkout@v3
- name: Set up Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- name: Install Dependencies
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
npm install
- name: Npm Lint
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
npm run lint
- name: Run Unit Tests with Vitest and coverage
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
npm run ut
- name: Run Software Composition Analysis using AuditJS
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
npx auditjs@latest ossi -q || true
## Removing the dir paths and making them relative paths.
- name: Fix coverage report
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
sed -i "s+/home/runner/work/repository-scanner/repository-scanner/components/resc-frontend/++g" tests/reports/coverage/lcov.info
cat tests/reports/coverage/lcov.info
# This step will only execute if PR is created internally.
- name: SonarCloud Scan
if: ${{ (github.event.pull_request.head.repo.full_name == 'abnamro/repository-scanner') || (github.ref == 'refs/heads/main') }}
uses: SonarSource/sonarcloud-github-action@master
with:
projectBaseDir: ${{ env.RESC_FRONTEND_DIR }}
args: >
-Dsonar.organization=abnamro-resc
-Dsonar.projectKey=abnamro-resc_resc-frontend
-Dsonar.sourceEncoding=UTF-8
-Dsonar.projectName=resc-frontend
-Dsonar.groupid=resc
-Dsonar.sources=src/
-Dsonar.inclusions=**/*
-Dsonar.exclusions=**/__mocks__/*
-Dsonar.tests=tests/
-Dsonar.cpd.exclusions=**/*.example.js,**/*.spec.js,**/*.?spec.js
-Dsonar.coverage.exclusions=**/*.html,**/*.json,**/*.spec.js,**/*.?spec.js,**/main.*,**/i18n.js,**/router/index.js,**/configuration/*.js
-Dsonar.javascript.jstest.reportsPath=tests/reports/coverage
-Dsonar.javascript.lcov.reportPaths=tests/reports/coverage/lcov.info
-Dsonar.pdf.skip=true
-Dsonar.branch.target=*
-Dsonar.branch.name=*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.__SONAR_TOKEN_BACKEND__ }}
- id: getversion
name: Get package version
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
frontend_version=$(npm pkg get version | sed 's/"//g')
echo "frontend_version=$frontend_version" >> $GITHUB_OUTPUT
dockerize:
name: Build and Push Docker image
needs: nodejs-basic-validation
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v3
- name: Docker Lint
uses: hadolint/hadolint-action@v2.0.0
with:
dockerfile: ${{ env.RESC_FRONTEND_DIR }}/Dockerfile
failure-threshold: error
- name: Build an image from Dockerfile
run: |
cd ${{ env.RESC_FRONTEND_DIR }}
docker build -t ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.nodejs-basic-validation.outputs.frontend_version}} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.nodejs-basic-validation.outputs.frontend_version}}
format: 'table'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Get Branch Name
run: |
if [[ ${GITHUB_EVENT_NAME} == 'pull_request' ]]; then
echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF})" >> "$GITHUB_ENV"
elif [[ ${GITHUB_EVENT_NAME} == 'push' ]]; then
echo "BRANCH_NAME=$(echo ${GITHUB_REF_NAME})" >> "$GITHUB_ENV"
else
echo "Event is neither pull_request nor push"
fi
- name: Determine if image needs to be published
run: |
if [[ ${{ env.BRANCH_NAME }} == 'main' ]]; then
echo "PUBLISH_IMAGE=true" >> "$GITHUB_ENV"
echo "Going to publish image to registry"
else
echo "PUBLISH_IMAGE=false" >> "$GITHUB_ENV"
echo "Skipping publishing of image to registry"
fi
- name: Log in to Container Registry
if: ${{ env.PUBLISH_IMAGE == 'true' }}
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
username: ${{ secrets.__DOCKER_HUB_USER__ }}
password: ${{ secrets.__DOCKER_HUB_PASS__ }}
- name: Build and push Docker image
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ${{ env.RESC_FRONTEND_DIR }}/
push: ${{ env.PUBLISH_IMAGE }}
tags: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest, ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.nodejs-basic-validation.outputs.frontend_version}}