merge/pipeline: merge latest from greenfield template for updates bef…

…ore 220828
bcgov · Aug 30, 2022 · c3dab8d · c3dab8d
1 parent a4f51ae
commit c3dab8d
Show file tree

Hide file tree

Showing 5 changed files with 522 additions and 330 deletions.
diff --git a/.github/workflows/merge-dev.yml b/.github/workflows/merge-dev.yml
@@ -1,19 +1,46 @@
-name: Dev Merge
+name: Merge to Dev
 
 on:
   push:
     branches:
       - dev
+    paths-ignore:
+      - ".**"
+      - "**.md"
+      - "**.yml"
+      - "**.yaml"
+  workflow_dispatch:
 
 env:
   REGISTRY: ghcr.io
   NAME: nrfc
   NS: nr-d2723f
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
 jobs:
+  # https://github.com/marketplace/actions/ghcr-io-container-cleanup
+  cleanup-ghcr:
+    name: Cleanup Container Registry
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Delete old packages
+        uses: davahome/[email protected]
+        with:
+          delete_untagged: 1
+          keep_versions: 10
+          keep_versions_untagged: 0
+          minimum_days: 14
+          owner: orgs/bcgov
+          package: ${{ github.event.repository.name }}
+          skip_tags: prod-frontend,prod-backend
+          token: ${{ secrets.GHCR_TOKEN }}
+
   codeql:
     name: Semantic Code Analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read
@@ -35,116 +62,49 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
 
-  # https://github.com/marketplace/actions/aqua-security-trivy
-  trivy-backend:
-    name: Backend Image Report
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      # Backend container scan
-      - name: Trivy Image Scan
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:test-backend
-          ignore-unfixed: true
-          severity: CRITICAL
-          format: "sarif"
-          output: "trivy-results-backend.sarif"
-
-      - name: Upload Trivy results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-results-backend.sarif"
-
-  # https://github.com/marketplace/actions/aqua-security-trivy
-  trivy-frontend:
-    name: Frontend Image Report
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      # Frontend container scan
-      - name: Trivy Image Scan
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:test-frontend
-          ignore-unfixed: true
-          severity: CRITICAL
-          format: "sarif"
-          output: "trivy-results-frontend.sarif"
-
-      - name: Upload Trivy results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-results-frontend.sarif"
-
-  # https://github.com/marketplace/actions/aqua-security-trivy
-  trivy-repo:
-    name: Repository Report
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: "fs"
-          ignore-unfixed: true
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-results.sarif"
-
-  # https://github.com/marketplace/actions/aqua-security-trivy
-  trivy-rhel-ubi:
-    name: Base Image Report
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
+  # SonarCloud runs in the main branch are needed to compare against PRs
+  sonarcloud:
+    name: Static Analysis
+    runs-on: ubuntu-22.04
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
-
-      - name: Trivy Vulnerability Scan
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: registry.access.redhat.com/ubi8/ubi
-          ignore-unfixed: true
-          severity: CRITICAL
-          format: "sarif"
-          output: "trivy-results.sarif"
-
-      - name: Upload Trivy results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+      - uses: actions/checkout@v2
+        # Disable shallow clone for SonarCloud analysis
         with:
-          sarif_file: "trivy-results.sarif"
+          fetch-depth: 0
 
-  cleanup-ghcr:
-    name: Cleanup Container Registry
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: delete
-    steps:
-      # https://github.com/marketplace/actions/ghcr-io-container-cleanup
-      - name: Delete old packages
-        uses: davahome/ghcr-cleanup@v1
+      - name: Backend Tests
+        run: |
+          cd frontend
+          npm ci
+          npm run test:cov
+      - name: Frontend Tests
+        run: |
+          cd frontend
+          npm ci
+          npm run test:cov
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          package: ${{ github.event.repository.name }}
-          owner: orgs/bcgov
-          skip_tags: prod-frontend,prod-backend
+          args: >
+            -Dsonar.exclusions=**/test/**,.github/**/*
+            -Dsonar.organization=bcgov-sonarcloud
+            -Dsonar.javascript.lcov.reportPaths=backend/coverage/lcov.info,frontend/coverage/lcov.info
+            -Dsonar.cobertura.reportPaths=backend/coverage/cobertura-coverage.xml,frontend/coverage/cobertura-coverage.xml
+            -Dsonar.project.monorepo.enabled=true
+            -Dsonar.projectKey=greenfield-template
+            -Dsonar.sources=backend,frontend
+            -Dsonar.tests=backend/test,frontend/test
 
   deploy-test:
     name: TEST Deployment
-    runs-on: ubuntu-latest
+    needs:
+      - cleanup-ghcr
+      - codeql
+      - sonarcloud
+    runs-on: ubuntu-22.04
     environment:
       name: test
     env:
@@ -157,17 +117,15 @@ jobs:
           oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }}
           oc project ${{ secrets.OC_NAMESPACE }}
 
-          # Clear stale images for import/replacement
-          if [ $(oc get is -l app=${{ env.NAME }}-${{ env.ZONE }} -o name | grep -v database | wc -l) -gt 0 ]; then
-            oc delete is -l app=${{ env.NAME }}-${{ env.ZONE }}
-          fi
-
           # Create frontend config (Remove the old one if exists)
           oc delete configmap ${{ env.NAME }}-${{ env.ZONE }}-frontend 2> /dev/null \
             || true && echo "No existing frontend config"
           oc create configmap ${{ env.NAME }}-${{ env.ZONE }}-frontend  \
             --from-literal=config.js="const config = (() => { return { VITE_BACKEND_URL: 'https://${{ env.NAME }}-${{ env.ZONE }}.api.gov.bc.ca', VITE_X_API_KEY: '${{ secrets.GWA_X_API_KEY }}'}; })();"
 
+          # Do not replace database; 'oc create' kicks up an error if objects already exist
+          oc process -f .github/openshift/deploy.database.yml -p ZONE=${{ env.ZONE }} | oc create -f - || true
+
           # Process and apply deployment templates
           oc process -f .github/openshift/deploy.backend.yml -p ZONE=${{ env.ZONE }} \
             -p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-backend \
@@ -227,7 +185,7 @@ jobs:
     name: Backend Pen Tests
     needs:
       - deploy-test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -244,7 +202,7 @@ jobs:
     name: Frontend Pen Tests
     needs:
       - deploy-test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2