Bump rollup from 3.29.4 to 3.29.5 in /angular #335
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: angular | |
on: | |
# run on all pull requests (but note that certain steps are skipped if if: github.ref == 'refs/heads/main' ) | |
pull_request: | |
paths: [ 'angular/**', '.github/workflows/angular.yml' ] | |
# run the foll set of steps on push into main branch | |
push: | |
# If at least one path matches a pattern in the paths filter, the workflow runs | |
paths: [ 'angular/**', '.github/workflows/angular.yml' ] | |
branches: [ main ] | |
jobs: | |
build: | |
if: " ! contains(github.event.head_commit.message, 'skip ci') " | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [18.x] | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
# https://stackoverflow.com/questions/58139406/only-run-job-on-specific-branch-with-github-actions | |
# if: github.ref == 'refs/heads/main' | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: eu-central-1 | |
- name: Pull Environment Config from AWS SSM ParamStore | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
run: | | |
echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV | |
echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
# https://github.com/actions/cache | |
# This action allows caching dependencies and build outputs to improve workflow execution time. | |
# for yarn https://github.com/actions/cache/blob/main/examples.md#node---yarn | |
- name: Cache node modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.npm | |
**/node_modules | |
key: ${{ runner.os }}-node-${{ hashFiles('**/yarn.lock') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
- name: Node ${{ matrix.node-version }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: yarn npm install and run angular build | |
working-directory: ./angular | |
run: | | |
npm install -g yarn | |
yarn install | |
yarn run test:coverage | |
yarn run build:prod | |
- name: Lint Dockerfile with hadolint | |
uses: brpaz/[email protected] | |
with: | |
dockerfile: ./angular/Dockerfile | |
# https://github.com/SonarSource/sonarcloud-github-action | |
# https://sonarcloud.io/project/configuration?analysisMode=GitHubActions&id=tillkuhn_angkor | |
- name: SonarCloud Scan | |
uses: SonarSource/sonarcloud-github-action@master | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
with: | |
projectBaseDir: ./angular | |
# -Dsonar.host.url=https://sonarcloud.io # not required, raises overwrite warning | |
# key needs to exist - no so nice for our monorepo setup (so angkor-ui does not work) | |
args: > | |
-Dsonar.organization=tillkuhn | |
-Dsonar.projectKey=angkor-ui | |
-Dsonar.projectVersion=${{env.RELEASE_VERSION}} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Set up Docker Buildx to support arm/amd platforms | |
uses: docker/setup-buildx-action@v3 | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur. | |
- name: Push to DockerHub | |
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
with: | |
context: ./angular | |
file: ./angular/Dockerfile | |
platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386 | |
push: true | |
tags: ${{ secrets.DOCKER_USERNAME }}/angkor-ui:latest | |
build-args: | | |
LATEST_REPO_TAG=${{ env.LATEST_REPO_TAG }} | |
RELEASE_NAME=${{ env.RELEASE_NAME }} | |
- name: Publish Action Event | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
run: | | |
aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-ui\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \ | |
--message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}" | |
env: | |
TOPIC_ARN: ${{ secrets.TOPIC_ARN }} | |
- name: Send Kafka Publish Event with Docker | |
id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
run: | | |
docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \ | |
-ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \ | |
-source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \ | |
-type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-ui" \ | |
-record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}" | |
# Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action | |
# - https://github.com/aquasecurity/trivy-action | |
# - https://blog.aquasec.com/github-vulnerability-scanner-trivy | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
if: github.ref == 'refs/heads/main' # this is how to skip only specific steps if not main | |
with: | |
image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-ui:latest' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
# Using Trivy with GitHub Code Scanning | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
with: | |
sarif_file: 'trivy-results.sarif' |