diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..076ee47
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Code owners:
+* @MeasureAuthoringTool/madie-developers
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..58cd1d5
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,27 @@
+## MADiE PR
+
+Jira Ticket: [MAT-0000](https://jira.cms.gov/browse/MAT-0000)
+(Optional) Related Tickets:
+
+### Summary
+
+### All Submissions
+* [ ] This PR has the JIRA linked.
+* [ ] Required tests are included.
+* [ ] No extemporaneous files are included (i.e Complied files or testing results).
+* [ ] This PR is merging into the **correct branch**.
+* [ ] All Documentation needed for this PR is Complete (or noted in a TODO or other Ticket).
+* [ ] Any breaking changes or failing automations are noted by placing a comment on this PR.
+
+### DevSecOps
+If there is a question if this PR has a security or infrastructure impact, please contact the Security or DevOps engineer assigned to this project to discuss it further.
+
+* [ ] This PR has NO significant security impact (i.e Changing auth methods, Adding a new user type, Adding a required but vulnerable package).
+* [ ] All CDN/Web dependencies are hosted internally (i.e MADiE-Root Repo).
+
+### Reviewers
+By Approving this PR you are attesting to the following:
+
+* Code is maintainable and reusable, reuses existing code and infrastructure where appropriate, and accomplishes the task’s purpose.
+* The tests appropriately test the new code, including edge cases.
+* If you have any concerns they are brought up either to the developer assigned, security engineer, or leads.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..67d2277
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,29 @@
+# @format
+
+name: Github Secrets Scanner
+
+on: [push]
+
+jobs:
+  gitleaks_scan:
+    runs-on: ubuntu-latest
+    env:
+      REPO: https://github.com/MeasureAuthoringTool/excel-export
+      REMOTE_EXCLUDES_URL: https://raw.githubusercontent.com/semanticbits/bmat-gitleaks-automation/master/madie-measure/gitleaks.toml
+      GITLEAKS_VERSION: v7.5.0
+    steps:
+      - name: Execute Gitleaks
+        run: |
+          wget ${REMOTE_EXCLUDES_URL} -O gitleaks.toml
+          wget https://github.com/zricethezav/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks-linux-amd64 -O gitleaks
+          chmod +x gitleaks
+          echo ${GITHUB_SHA}
+          echo "gitleaks --repo-url=${REPO} -v --redact --commit=${GITHUB_SHA} --config-path=gitleaks.toml"
+          ./gitleaks --repo-url=${REPO} -v --redact --commit=${GITHUB_SHA} --config-path=gitleaks.toml
+      - name: Slack notification
+        if: failure()
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        uses: Ilshidur/action-slack@master
+        with:
+          args: "Potential Secrets found in: https://github.com/{{ GITHUB_REPOSITORY }}/commit/{{ GITHUB_SHA }} Link to build with full gitleaks output: https://github.com/{{ GITHUB_REPOSITORY }}/commit/{{ GITHUB_SHA }}/checks"
diff --git a/.github/workflows/unit_test_coverage.yml b/.github/workflows/unit_test_coverage.yml
new file mode 100644
index 0000000..c452acd
--- /dev/null
+++ b/.github/workflows/unit_test_coverage.yml
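Review bot: Every input the scan depends on is fetched from a mutable, unverified location: `gitleaks.toml` comes from the `master` branch of another organisation's repository, the gitleaks binary is downloaded from the release URL with no checksum, and `uses: Ilshidur/action-slack@master` pulls an unpinned third-party action that is handed `SLACK_WEBHOOK`. Pin the action to a full commit SHA (`uses: Ilshidur/action-slack@<full-commit-sha>`), reference the config at a fixed commit instead of `master`, and verify the binary before `chmod +x`, e.g. `echo "<expected-sha256>  gitleaks" | sha256sum -c -`. `--commit=${GITHUB_SHA}` appears to restrict the scan to the head commit of the push, so earlier commits in a multi-commit push may go unscanned; scanning the pushed range would close that gap (check the v7.5.0 option names before changing it). The `if: failure()` Slack step also fires when either `wget` fails, so the "Potential Secrets found" message can be a false alarm; splitting the downloads and the scan into separate steps lets the notification be conditioned on the scan step's outcome alone.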
@@ -0,0 +1,100 @@
+# This workflow will do the following:
+# - perform a clean install of node dependencies
+# - lint the source code for errors
+# - build the source code
+# - run tests and capture code coverage
+# - run end-to-end tests
+# - upload the code coverage report to Codacy
+# - upload the code coverage report to Codecov
+
+name: Continuous Integration
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+jobs:
+  build:
+    name: Checkout, install, lint, build and test with coverage
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20.x
+
+      - name: Cache node modules
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-node-modules
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ env.cache-name }}-
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
+
+      - name: Install node dependencies
+        run: npm ci
+
+      - name: Audit dependencies for security vulnerabilities
+        run: npm audit --production
+
+      - name: Lint the source code
+        run: npm run-script lint
+
+      - name: Check prettier formatting
+        run: npm run-script check-format
+
+      - name: Build the source code
+        run: npm run build
+
+      - name: Execute test coverage
+        run: npm run-script coverage
+
+      - name: Store the coverage report as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage
+          path: coverage/lcov.info
+
+  upload-codacy-coverage:
+    name: Upload code coverage to Codacy
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download coverage artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: coverage
+
+      - name: Upload code coverage to Codacy
+        uses: codacy/codacy-coverage-reporter-action@master
+        with:
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          coverage-reports: lcov.info
+
+  upload-codecov-coverage:
+    name: Upload code coverage to Codecov
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Download coverage artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: coverage
+
+      - name: Upload code coverage to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          file: lcov.info
+        fail_ci_if_error: true
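Review bot: In the last step `fail_ci_if_error: true` is rendered two columns shallower than `file: lcov.info`, which makes it a step-level key rather than a `with:` input; GitHub rejects unknown step keys at workflow validation, and even if it were accepted the action would never see the setting (confirm the indentation against the committed file). Align it under `with:` next to `file: lcov.info`. `uses: codacy/codacy-coverage-reporter-action@master` in the Codacy job is a mutable ref that receives `CODACY_PROJECT_TOKEN`, unlike the `actions/*` steps, which are at least tag-pinned; pin it to a full commit SHA. The header comment promises `# - run end-to-end tests`, but no such step exists in either job; drop that bullet or add the step so the comment matches what the workflow does.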