chore(deps): update github/codeql-action action to v2.27.5 #3381
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: [push] | |
jobs: | |
# -- TESTS ------------------------------------------------------------------ | |
tests: | |
name: Tests | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node: ['18'] | |
mongodb: ['5.0'] | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pipelines.actions.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
snyk.io:443 | |
docker.io:443 | |
auth.docker.io:443 | |
production.cloudflare.docker.com:443 | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Setup Node.js ${{ matrix.node }} | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
with: | |
node-version: ${{ matrix.node }} | |
check-latest: true | |
- name: Install dependencies | |
run: npm install | |
- name: Start MongoDB | |
uses: supercharge/mongodb-github-action@e815fd8a9dfede09fd6e6c144f2c9f4875e933df # tag=1.7.0 | |
with: | |
mongodb-version: ${{ matrix.mongodb }} | |
mongodb-db: encryptionAPI | |
- name: Run Unit-Tests + Code Coverage | |
run: npm run test:coverage | |
- name: Save Code Coverage | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: code-coverage | |
path: coverage | |
# -- SONARCLOUD ------------------------------------------------------------- | |
code-quality: | |
name: Code Quality | |
runs-on: ubuntu-latest | |
needs: tests | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
pipelines.actions.githubusercontent.com:443 | |
sonarcloud.io:443 | |
scanner.sonarcloud.io:443 | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Download Code Coverage | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: code-coverage | |
path: coverage | |
- name: Get App Version | |
run: ./scripts/version.sh | |
- name: SonarCloud Scan | |
uses: sonarsource/sonarcloud-github-action@master | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
# -- SAST SCAN -------------------------------------------------------------- | |
code-security: | |
name: Code Security | |
runs-on: ubuntu-latest | |
needs: tests | |
# Skip any PR created by dependabot to avoid permission issues | |
if: (github.actor != 'dependabot[bot]') | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
github.com:443 | |
api.github.com:443 | |
pipelines.actions.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
registry-1.docker.io:443 | |
osv-vulnerabilities.storage.googleapis.com:443 | |
nvd.nist.gov:443 | |
pypi.org:443 | |
location.services.mozilla.com:443 | |
docker.io:443 | |
auth.docker.io:443 | |
production.cloudflare.docker.com:443 | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Perform Scan | |
uses: ShiftLeftSecurity/scan-action@master | |
env: | |
WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SCAN_ANNOTATE_PR: true | |
- name: Save the SCAN reports | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: sast-reports | |
path: reports | |
# -- API TESTS -------------------------------------------------------------- | |
api-tests: | |
name: API Tests | |
runs-on: ubuntu-latest | |
needs: tests | |
strategy: | |
matrix: | |
node: ['18'] | |
mongodb: ['5.0'] | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Setup Node.js ${{ matrix.node }} | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
with: | |
node-version: ${{ matrix.node }} | |
check-latest: true | |
- name: Install dependencies | |
run: npm install | |
- name: Install Postman Newman | |
run: npm install newman | |
- name: Start MongoDB | |
uses: supercharge/mongodb-github-action@e815fd8a9dfede09fd6e6c144f2c9f4875e933df # tag=1.7.0 | |
with: | |
mongodb-version: ${{ matrix.mongodb }} | |
mongodb-db: encryptionAPI | |
- name: Start the app | |
run: npm start > /dev/null & | |
- name: Run Postman Newman | |
run: node_modules/.bin/newman run https://api.getpostman.com/collections/${{ secrets.POSTMAN_COLLECTION }}?apikey=${{ secrets.POSTMAN_API_TOKEN }} -e https://api.getpostman.com/environments/${{ secrets.POSTMAN_ENVIRONMENT }}?apikey=${{ secrets.POSTMAN_API_TOKEN }} | |
# -- ZAP Scan --------------------------------------------------------------- | |
api-security: | |
name: API Security | |
runs-on: ubuntu-latest | |
needs: tests | |
# Skip any PR created by dependabot to avoid permission issues | |
if: (github.actor != 'dependabot[bot]') | |
strategy: | |
matrix: | |
node: ['18'] | |
mongodb: ['5.0'] | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
bit.ly:443 | |
cfu.zaproxy.org:443 | |
content-signature-2.cdn.mozilla.net:443 | |
docker.io:443 | |
firefox.settings.services.mozilla.com:443 | |
github.com:443 | |
location.services.mozilla.com:443 | |
news.zaproxy.org:443 | |
objects.githubusercontent.com:443 | |
pipelines.actions.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
raw.githubusercontent.com:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
shavar.services.mozilla.com:443 | |
snyk.io:443 | |
tel.zaproxy.org:443 | |
tracking-protection.cdn.mozilla.net:443 | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Setup Node.js ${{ matrix.node }} | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
with: | |
node-version: ${{ matrix.node }} | |
check-latest: true | |
- name: Install dependencies | |
run: npm install | |
- name: Start MongoDB | |
uses: supercharge/mongodb-github-action@e815fd8a9dfede09fd6e6c144f2c9f4875e933df # tag=1.7.0 | |
with: | |
mongodb-version: ${{ matrix.mongodb }} | |
mongodb-db: encryptionAPI | |
- name: Start the app | |
run: npm start > /dev/null & | |
- name: Run ZAP API Scan | |
uses: zaproxy/action-api-scan@d7eab41e224d7427459ca0a3b7523ba7b98f3ccc # v0.3.1 | |
with: | |
target: http://localhost:3000/swagger/json | |
format: openapi | |
# -- PRE-RELEASE ------------------------------------------------------------ | |
pre-release: | |
name: Prepare Release | |
runs-on: ubuntu-latest | |
needs: | |
- code-quality | |
- code-security | |
- api-security | |
- api-tests | |
if: github.ref == 'refs/heads/master' | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Semantic Release | |
uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# -- BUILD ------------------------------------------------------------------ | |
build: | |
name: Build & Release | |
runs-on: ubuntu-latest | |
needs: pre-release | |
if: github.ref == 'refs/heads/master' | |
steps: | |
- name: Harden GitHub Actions Runner | |
uses: step-security/harden-runner@2579b52abd08b0a4c3ad0e4476ddb0f2036e3b67 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 | |
with: | |
images: ${{ github.repository }} | |
tags: | | |
type=schedule | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
type=raw,value=latest | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Build and push | |
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | |
with: | |
context: . | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} |