Skip to content

Bump rollup from 3.29.4 to 3.29.5 in /angular #335

Bump rollup from 3.29.4 to 3.29.5 in /angular

Bump rollup from 3.29.4 to 3.29.5 in /angular #335

Workflow file for this run

name: angular
on:
# run on all pull requests (but note that certain steps are skipped if if: github.ref == 'refs/heads/main' )
pull_request:
paths: [ 'angular/**', '.github/workflows/angular.yml' ]
# run the foll set of steps on push into main branch
push:
# If at least one path matches a pattern in the paths filter, the workflow runs
paths: [ 'angular/**', '.github/workflows/angular.yml' ]
branches: [ main ]
jobs:
build:
if: " ! contains(github.event.head_commit.message, 'skip ci') "
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x]
steps:
- name: Checkout Repo
uses: actions/checkout@v4
# https://stackoverflow.com/questions/58139406/only-run-job-on-specific-branch-with-github-actions
# if: github.ref == 'refs/heads/main'
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1
- name: Pull Environment Config from AWS SSM ParamStore
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
run: |
echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV
echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
# https://github.com/actions/cache
# This action allows caching dependencies and build outputs to improve workflow execution time.
# for yarn https://github.com/actions/cache/blob/main/examples.md#node---yarn
- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
**/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node-
- name: Node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: yarn npm install and run angular build
working-directory: ./angular
run: |
npm install -g yarn
yarn install
yarn run test:coverage
yarn run build:prod
- name: Lint Dockerfile with hadolint
uses: brpaz/[email protected]
with:
dockerfile: ./angular/Dockerfile
# https://github.com/SonarSource/sonarcloud-github-action
# https://sonarcloud.io/project/configuration?analysisMode=GitHubActions&id=tillkuhn_angkor
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
projectBaseDir: ./angular
# -Dsonar.host.url=https://sonarcloud.io # not required, raises overwrite warning
# key needs to exist - no so nice for our monorepo setup (so angkor-ui does not work)
args: >
-Dsonar.organization=tillkuhn
-Dsonar.projectKey=angkor-ui
-Dsonar.projectVersion=${{env.RELEASE_VERSION}}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Set up Docker Buildx to support arm/amd platforms
uses: docker/setup-buildx-action@v3
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
- name: Login to DockerHub
uses: docker/login-action@v3
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
- name: Push to DockerHub
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
context: ./angular
file: ./angular/Dockerfile
platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
push: true
tags: ${{ secrets.DOCKER_USERNAME }}/angkor-ui:latest
build-args: |
LATEST_REPO_TAG=${{ env.LATEST_REPO_TAG }}
RELEASE_NAME=${{ env.RELEASE_NAME }}
- name: Publish Action Event
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
run: |
aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-ui\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \
--message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}"
env:
TOPIC_ARN: ${{ secrets.TOPIC_ARN }}
- name: Send Kafka Publish Event with Docker
id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
run: |
docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \
-ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
-source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
-type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-ui" \
-record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"
# Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
# - https://github.com/aquasecurity/trivy-action
# - https://blog.aquasec.com/github-vulnerability-scanner-trivy
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
if: github.ref == 'refs/heads/main' # this is how to skip only specific steps if not main
with:
image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-ui:latest'
format: 'sarif'
output: 'trivy-results.sarif'
# Using Trivy with GitHub Code Scanning
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
with:
sarif_file: 'trivy-results.sarif'