feat: bring over recent workflow improvements (#656)

Co-authored-by: Chris Berg <[email protected]>
bcgov · Oct 4, 2023 · 8500ff1 · 8500ff1
1 parent f8c1a73
commit 8500ff1
Show file tree

Hide file tree

Showing 11 changed files with 90 additions and 214 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,8 +1,8 @@
 # Default codeowners:
-* @john-fletcher-aot @gchauhan-aot @praju-aot @krishnan-aot @devin-aot
+* @john-fletcher-aot @gchauhan-aot @praju-aot @krishnan-aot
 
 # Frontend:
-/frontend/** @devin-aot @krishnan-aot
+/frontend/** @krishnan-aot
 
 # Backend:
 /backend/**  @gchauhan-aot @praju-aot
@@ -11,8 +11,6 @@
 /database/** @gchauhan-aot @john-fletcher-aot
 
 # Devops:
-Dockerfile @devin-aot @cberg-aot
-Dockerfile @devin-aot @cberg-aot
-Dockerfile @devin-aot @cberg-aot
-docker-compose.yml @devin-aot @cberg-aot
-/.github/** @devin-aot @cberg-aot
+Dockerfile @cberg-aot
+docker-compose.yml @cberg-aot
+/.github/** @cberg-aot
diff --git a/.github/workflows/unit-tests.yml → .github/workflows/analysis.yml b/.github/workflows/unit-tests.yml → .github/workflows/analysis.yml
@@ -1,4 +1,4 @@
-name: Unit Tests and Analysis
+name: Analysis
 
 on:
   pull_request:
@@ -10,15 +10,51 @@ on:
   push:
     branches:
       - main
-    paths-ignore:
-      - "**.md"
   workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  codeql:
+    name: CodeQL
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v2
+        with:
+          languages: javascript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+
+  # https://github.com/marketplace/actions/aqua-security-trivy
+  trivy:
+    name: Security Scan
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          scan-type: "fs"
+          scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+
   tests:
     name: Unit Tests
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
@@ -33,7 +69,7 @@ jobs:
             token: SONAR_TOKEN_BACKEND
           - dir: backend/dops
             sonar_projectKey: bcgov_onroutebc_backend
-            token: SONAR_TOKEN_BACKEND            
+            token: SONAR_TOKEN_BACKEND
           - dir: frontend
             sonar_projectKey: bcgov_onroutebc_frontend
             token: SONAR_TOKEN_FRONTEND

diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -57,14 +57,14 @@ on:
         type: string
 jobs:
   deployments:
-    name: Deployments
+    name: Deploy
     environment: ${{inputs.environment}}
     runs-on: ubuntu-22.04
     strategy:
       max-parallel: 1
       fail-fast: true
       matrix:
-        name: [init, backend/vehicles, backend/dops, frontend]
+        name: [backend/vehicles, backend/dops, frontend]
         include:
           - name: backend/vehicles
             file: backend/vehicles/openshift.deploy.yml
@@ -75,9 +75,6 @@ jobs:
           - name: frontend
             file: frontend/openshift.deploy.yml
             overwrite: true
-          - name: init
-            file: common/openshift.init.yml
-            overwrite: false
     steps:
       - name: Import Secrets
         id: vault

diff --git a/.github/workflows/merge-main.yml → .github/workflows/merge.yml b/.github/workflows/merge-main.yml → .github/workflows/merge.yml
@@ -1,70 +1,18 @@
-name: Merge to Main
+name: Merge
 
 on:
-  push:
-    branches:
-      - main
-      - feature/deploy.yml
-    paths-ignore:
-      - ".github/ISSUE_TEMPLATE/*"
-      - "**.md"
+  workflow_run:
+    workflows: [PR Closed]
+    types: [completed]
   workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
 jobs:
-  codeql:
-    name: Semantic Code Analysis
-    runs-on: ubuntu-22.04
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Initialize
-        uses: github/codeql-action/init@v2
-        with:
-          languages: javascript
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
-
-  # https://github.com/marketplace/actions/aqua-security-trivy
-  trivy:
-    name: Security Scan
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
-        with:
-          format: "sarif"
-          output: "trivy-results.sarif"
-          ignore-unfixed: true
-          scan-type: "fs"
-          scanners: "vuln,secret,config"
-          severity: "CRITICAL,HIGH"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-results.sarif"
-
   deploys-test:
     name: Deploy images to test
-    needs: 
-      - codeql
-      - trivy
     uses: ./.github/workflows/deploy.yml
     with:
       environment: 'test'
@@ -96,7 +44,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }} # checkout the correct branch name
           fetch-depth: 0 # fetch the whole repo history

diff --git a/.github/workflows/pentests.yml b/.github/workflows/pentests.yml
@@ -10,6 +10,7 @@ concurrency:
 
 jobs:
   zap_scan:
+    runs-on: ubuntu-latest
     name: Penetration Tests
     env:
       DOMAIN: apps.silver.devops.gov.bc.ca

diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml
@@ -1,4 +1,4 @@
-name: Pull Request Closed
+name: PR Closed
 
 on:
   pull_request:
@@ -22,6 +22,7 @@ jobs:
 
           # Remove old build runs, build pods and deployment pods
           oc delete all,pvc,secret,configmap -l app=${{ github.event.repository.name }}-${{ github.event.number }}
+
       - name: Authenticate and set context
         uses: redhat-actions/oc-login@v1
         with:

diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -1,4 +1,4 @@
-name: Pull Request
+name: PR
 
 on:
   pull_request:
@@ -42,27 +42,18 @@ jobs:
     strategy:
       matrix:
         package: [backend/vehicles, backend/dops, frontend]
-        include:
-          - package: backend/vehicles
-            triggers: ('backend/vehicles/')
-          - package: backend/dops
-            triggers: ('backend/dops/')
-          - package: frontend
-            triggers: ('frontend/')
     steps:
-      - uses: actions/checkout@v3
-
+      - uses: actions/checkout@v4
       - uses: bcgov-nr/[email protected]
         with:
           package: ${{ matrix.package }}
           tag: ${{ github.event.number }}
           tag_fallback: test
           token: ${{ secrets.GITHUB_TOKEN }}
-          triggers: ${{ matrix.triggers }}
+          triggers: ( '${{ matrix.package }}/')
 
   deploys:
-    needs: 
-      - builds
+    needs: [builds]
     uses: ./.github/workflows/deploy.yml
     with:
       environment: 'dev'

diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
 <!-- PROJECT SHIELDS -->
 
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=bcgov_onroutebc&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=bcgov_onroutebc)
-[![Merge to Main](https://github.com/bcgov/onroutebc/actions/workflows/merge-main.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/merge-main.yml)
-[![Unit Tests and Analysis](https://github.com/bcgov/onroutebc/actions/workflows/unit-tests.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/unit-tests.yml)
+[![Merge](https://github.com/bcgov/onroutebc/actions/workflows/merge.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/merge.yml)
+[![Analysis](https://github.com/bcgov/onroutebc/actions/workflows/analysis.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/analysis.yml)
 
 [![Issues](https://img.shields.io/github/issues/bcgov/onroutebc)](/../../issues)
 [![Pull Requests](https://img.shields.io/github/issues-pr/bcgov/onroutebc)](/../../pulls)