From 8500ff1c8235892a30a5cfdd5e1b7475cb29a0d9 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Wed, 4 Oct 2023 12:22:08 -0700 Subject: [PATCH] feat: bring over recent workflow improvements (#656) Co-authored-by: Chris Berg --- .github/CODEOWNERS | 12 +- .../{unit-tests.yml => analysis.yml} | 44 ++++++- .github/workflows/charts-release.yaml | 2 +- .github/workflows/deploy.yml | 7 +- .../workflows/{merge-main.yml => merge.yml} | 62 +-------- .github/workflows/pentests.yml | 1 + .github/workflows/pr-close.yml | 3 +- .github/workflows/pr-open.yml | 17 +-- README.md | 4 +- common/openshift.init.yml | 123 ------------------ database/openshift.deploy.yml | 29 ++++- 11 files changed, 90 insertions(+), 214 deletions(-) rename .github/workflows/{unit-tests.yml => analysis.yml} (54%) rename .github/workflows/{merge-main.yml => merge.yml} (78%) delete mode 100644 common/openshift.init.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index b547a291e..d0d958d3b 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,8 +1,8 @@ # Default codeowners: -* @john-fletcher-aot @gchauhan-aot @praju-aot @krishnan-aot @devin-aot +* @john-fletcher-aot @gchauhan-aot @praju-aot @krishnan-aot # Frontend: -/frontend/** @devin-aot @krishnan-aot +/frontend/** @krishnan-aot # Backend: /backend/** @gchauhan-aot @praju-aot @@ -11,8 +11,6 @@ /database/** @gchauhan-aot @john-fletcher-aot # Devops: -Dockerfile @devin-aot @cberg-aot -Dockerfile @devin-aot @cberg-aot -Dockerfile @devin-aot @cberg-aot -docker-compose.yml @devin-aot @cberg-aot -/.github/** @devin-aot @cberg-aot \ No newline at end of file +Dockerfile @cberg-aot +docker-compose.yml @cberg-aot +/.github/** @cberg-aot diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/analysis.yml similarity index 54% rename from .github/workflows/unit-tests.yml rename to .github/workflows/analysis.yml index 1ad7a1ed1..88cd07afa 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/analysis.yml 
@@ -1,4 +1,4 @@ -name: Unit Tests and Analysis +name: Analysis on: pull_request: @@ -10,8 +10,6 @@ on: push: branches: - main - paths-ignore: - - "**.md" workflow_dispatch: concurrency: @@ -19,6 +17,44 @@ concurrency: cancel-in-progress: true jobs: + codeql: + name: CodeQL + if: github.event_name != 'pull_request' || !github.event.pull_request.draft + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v2 + with: + languages: javascript + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + + # https://github.com/marketplace/actions/aqua-security-trivy + trivy: + name: Security Scan + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.12.0 + with: + format: "sarif" + output: "trivy-results.sarif" + ignore-unfixed: true + scan-type: "fs" + scanners: "vuln,secret,config" + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + tests: name: Unit Tests if: github.event_name != 'pull_request' || !github.event.pull_request.draft @@ -33,7 +69,7 @@ jobs: token: SONAR_TOKEN_BACKEND - dir: backend/dops sonar_projectKey: bcgov_onroutebc_backend - token: SONAR_TOKEN_BACKEND + token: SONAR_TOKEN_BACKEND - dir: frontend sonar_projectKey: bcgov_onroutebc_frontend token: SONAR_TOKEN_FRONTEND diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml index fd7f1795e..34b5b9e2d 100644 --- a/.github/workflows/charts-release.yaml +++ b/.github/workflows/charts-release.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 
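Review bot: The new `codeql` job in the `@@ -19,6 +17,44 @@` hunk drops the `permissions:` block (`actions: read`, `contents: read`, `security-events: write`) that the job it replaces in merge.yml carried, and the new `trivy` job has none either; both upload SARIF through `github/codeql-action`, which needs `security-events: write`, so if the repository's default GITHUB_TOKEN permission is read-only (not visible here) both uploads fail, and the explicit block is the least-privilege form in any case. The `trivy` job is also missing the draft-PR guard `if: github.event_name != 'pull_request' || !github.event.pull_request.draft` that `codeql` and `tests` both carry, so it alone runs for draft PRs. Add the same `permissions:` block to `trivy` (it needs `contents: read` and `security-events: write`); the `jobs:` mapping continues past the hunk.
```yaml
  codeql:
    name: CodeQL
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout, codeql init / autobuild / analyze …
```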
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1a26c5036..a91025851 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -57,14 +57,14 @@ on: type: string jobs: deployments: - name: Deployments + name: Deploy environment: ${{inputs.environment}} runs-on: ubuntu-22.04 strategy: max-parallel: 1 fail-fast: true matrix: - name: [init, backend/vehicles, backend/dops, frontend] + name: [backend/vehicles, backend/dops, frontend] include: - name: backend/vehicles file: backend/vehicles/openshift.deploy.yml @@ -75,9 +75,6 @@ jobs: - name: frontend file: frontend/openshift.deploy.yml overwrite: true - - name: init - file: common/openshift.init.yml - overwrite: false steps: - name: Import Secrets id: vault diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge.yml similarity index 78% rename from .github/workflows/merge-main.yml rename to .github/workflows/merge.yml index 53f65afc9..b2f332851 100644 --- a/.github/workflows/merge-main.yml +++ b/.github/workflows/merge.yml @@ -1,13 +1,9 @@ -name: Merge to Main +name: Merge on: - push: - branches: - - main - - feature/deploy.yml - paths-ignore: - - ".github/ISSUE_TEMPLATE/*" - - "**.md" + workflow_run: + workflows: [PR Closed] + types: [completed] workflow_dispatch: concurrency: 
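Review bot: Removing `init` from the matrix and its `include` entry (deploy.yml `@@ -57,14 +57,14 @@` and `@@ -75,9 +75,6 @@`) means this workflow no longer applies the two NetworkPolicy objects that `common/openshift.init.yml` provided; they now live in `database/openshift.deploy.yml`, but `database` is not in the matrix here, so an environment reached only through this workflow gets no `allow-from-openshift-ingress` / `allow-same-namespace` policy unless the database template is applied by a job outside this hunk. If the database template is deployed elsewhere, a comment on the matrix such as `# NetworkPolicies are created by database/openshift.deploy.yml, not here` would make that dependency visible; otherwise add `database` to the matrix with its own `include` entry. The `init` entry was the only one with `overwrite: false`, so whatever now applies the shared policies does so with `overwrite: true`; confirm that is acceptable for objects whose names are not parameterised by zone. The `deployments` job continues past the hunk.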
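Review bot: The `workflow_run` trigger in merge.yml `@@ -1,13 +1,9 @@` fires whenever the `PR Closed` workflow completes, regardless of that run's conclusion and of whether the PR was merged, and the triggered run executes with the default branch's secrets; no `if:` on `deploys-test` is visible in the following hunk, so a PR closed without merging, or a failed cleanup run, would now deploy to test unless pr-close.yml itself filters on merge (not visible here). Gate on the triggering run, e.g. `if: github.event.workflow_run.conclusion == 'success'` on `deploys-test`, and keep any merged-PR check where the PR Closed workflow decides to run its promotion step. Dropping `push: branches: [main]` also means a direct push to main no longer triggers this workflow; if that is intended, say so in a comment above `on:`.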
@@ -15,56 +11,8 @@ concurrency: cancel-in-progress: true jobs: - codeql: - name: Semantic Code Analysis - runs-on: ubuntu-22.04 - permissions: - actions: read - contents: read - security-events: write - steps: - - uses: actions/checkout@v3 - - - name: Initialize - uses: github/codeql-action/init@v2 - with: - languages: javascript - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - - # https://github.com/marketplace/actions/aqua-security-trivy - trivy: - name: Security Scan - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v3 - - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.10.0 - with: - format: "sarif" - output: "trivy-results.sarif" - ignore-unfixed: true - scan-type: "fs" - scanners: "vuln,secret,config" - severity: "CRITICAL,HIGH" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-results.sarif" - deploys-test: name: Deploy images to test - needs: - - codeql - - trivy uses: ./.github/workflows/deploy.yml with: environment: 'test' @@ -96,7 +44,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} # checkout the correct branch name fetch-depth: 0 # fetch the whole repo history diff --git a/.github/workflows/pentests.yml b/.github/workflows/pentests.yml index 521ed7a61..a9c654743 100644 --- a/.github/workflows/pentests.yml +++ b/.github/workflows/pentests.yml @@ -10,6 +10,7 @@ concurrency: jobs: zap_scan: + runs-on: ubuntu-latest name: Penetration Tests env: DOMAIN: apps.silver.devops.gov.bc.ca 
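Review bot: With `needs: [codeql, trivy]` removed from `deploys-test` in merge.yml `@@ -15,56 +11,8 @@`, the deploy to test is no longer blocked by a failing CodeQL or Trivy scan; the scans moved to analysis.yml, which runs on pull_request and push to main but is not a dependency of this workflow, so the gate now exists only if `Analysis` is a required status check in branch protection. If that is the intent, record it with a comment on `deploys-test`, e.g. `# CodeQL/Trivy run in analysis.yml; enforced as required checks on main`; otherwise keep a `needs:` on a job that verifies the scan results before deploying. The `deploys-test` job continues past the hunk.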
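Review bot: The added `runs-on: ubuntu-latest` in pentests.yml `@@ -10,6 +10,7 @@` is the only runner in this patch not pinned to `ubuntu-22.04`; a floating label changes the image underneath the job without a commit, which matters for a scan whose findings are compared across runs. Use `runs-on: ubuntu-22.04` for consistency with analysis.yml, deploy.yml and merge.yml. The `zap_scan` job continues past the hunk.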
diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index 39c5dae62..414d34efc 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -1,4 +1,4 @@ -name: Pull Request Closed +name: PR Closed on: pull_request: @@ -22,6 +22,7 @@ jobs: # Remove old build runs, build pods and deployment pods oc delete all,pvc,secret,configmap -l app=${{ github.event.repository.name }}-${{ github.event.number }} + - name: Authenticate and set context uses: redhat-actions/oc-login@v1 with: diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 8ce9f1aeb..7fe5ad204 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -1,4 +1,4 @@ -name: Pull Request +name: PR on: pull_request: @@ -42,27 +42,18 @@ jobs: strategy: matrix: package: [backend/vehicles, backend/dops, frontend] - include: - - package: backend/vehicles - triggers: ('backend/vehicles/') - - package: backend/dops - triggers: ('backend/dops/') - - package: frontend - triggers: ('frontend/') steps: - - uses: actions/checkout@v3 - + - uses: actions/checkout@v4 - uses: bcgov-nr/action-builder-ghcr@v1.1.2 with: package: ${{ matrix.package }} tag: ${{ github.event.number }} tag_fallback: test token: ${{ secrets.GITHUB_TOKEN }} - triggers: ${{ matrix.triggers }} + triggers: ( '${{ matrix.package }}/') deploys: - needs: - - builds + needs: [builds] uses: ./.github/workflows/deploy.yml with: environment: 'dev' diff --git a/README.md b/README.md index 54e6d0bb6..b87d6e54a 100644 --- a/README.md +++ b/README.md 
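Review bot: The new `triggers: ( '${{ matrix.package }}/')` in pr-open.yml `@@ -42,27 +42,18 @@` has a space after `(` that the removed per-package values (`('backend/vehicles/')`) did not; whether `action-builder-ghcr` tolerates that spacing cannot be confirmed from here, so the safer spelling matching the old form is `triggers: ('${{ matrix.package }}/')`. Interpolating `matrix.package` into this value is fine only because it comes from the fixed `package:` list two lines above rather than from event data; a comment such as `# matrix.package is a fixed list, not user input` would keep a later edit from sourcing it from a PR-controlled value. The `builds` job starts outside the hunk.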
@@ -1,8 +1,8 @@ [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=bcgov_onroutebc&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=bcgov_onroutebc) -[![Merge to Main](https://github.com/bcgov/onroutebc/actions/workflows/merge-main.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/merge-main.yml) -[![Unit Tests and Analysis](https://github.com/bcgov/onroutebc/actions/workflows/unit-tests.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/unit-tests.yml) +[![Merge](https://github.com/bcgov/onroutebc/actions/workflows/merge.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/merge.yml) +[![Analysis](https://github.com/bcgov/onroutebc/actions/workflows/analysis.yml/badge.svg)](https://github.com/bcgov/onroutebc/actions/workflows/analysis.yml) [![Issues](https://img.shields.io/github/issues/bcgov/onroutebc)](/../../issues) [![Pull Requests](https://img.shields.io/github/issues-pr/bcgov/onroutebc)](/../../pulls) diff --git a/common/openshift.init.yml b/common/openshift.init.yml deleted file mode 100644 index b17432648..000000000 --- a/common/openshift.init.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -parameters: - - name: NAME - description: Product name - value: onroutebc - - name: ZONE - description: Deployment zone, e.g. pr-### or prod - required: true - - name: PROMOTE - description: Dummy param, for convenience in deployments - - name: DATABASE_NAME - description: Name of Database to connect to - required: true - - name: DATABASE_USER - description: User connecting to database - required: true - - name: DATABASE_PASSWORD - description: Password of user connecting to database - required: true - - name: DATABASE_HOST - description: Host url/service of database connection - required: true - - name: AUTH0_ISSUER_URL - description: The principal that issued the JWT - required: true - - name: AUTH0_AUDIENCE - description: Identifies the recipients that the JWT is intended for - required: true - - name: AUTH0_IGNORE_EXP - description: The boolean flag to ignore the JWT expiration - required: true - - name: SITEMINDER_LOG_OFF_URL - description: The siteminder log off url - required: true - - name: DOPS_CVSE_FORMS_CACHE_TTL_MS - description: The cache time to live for CVSE FORMS in DOPS in Milliseconds - required: true - - name: DOPS_S3_ACCESS_TYPE - description: The key to switch between COMS or Direct access - required: true - - name: DOPS_S3_ACCESSKEYID - description: The Access Key for your S3 compatible object storage account - required: true - - name: DOPS_S3_BUCKET - description: The object storage bucket name - required: true - - name: DOPS_S3_PRESIGNED_URL_EXPIRY - description: The expiry time for pre-signed URLs to objects in seconds - required: true - - name: DOPS_S3_ENDPOINT - description: Object store URL - required: true - - name: DOPS_S3_KEY - description: The base path for storage location - required: true - - name: DOPS_S3_SECRETACCESSKEY - description: The Secret Access Key for your S3 compatible object storage account - required: true - - name: CDOGS_CLIENT_ID - description: 
The keycloak client ID for common hosted CDOGS - required: true - - name: CDOGS_CLIENT_SECRET - description: The keycloak client secret for common hosted CDOGS - required: true - - name: CDOGS_TOKEN_URL - description: The keycloak url for common hosted CDOGS - required: true - - name: CDOGS_URL - description: The CDOGS API url - required: true - - name: CHES_TOKEN_URL - description: The keycloak url for common hosted CHES - required: true - - name: CHES_CLIENT_ID - description: Client Id to request the access token for connecting to CHES - required: true - - name: CHES_CLIENT_SECRET - description: Client Secret to request the access token for connecting to CHES - required: true - - name: CHES_URL - description: The CHES API url - - name: NODE_ENV - description: The NODE Environment - required: true - - name: MOTIPAY_API_KEY - description: API Key for MOTI Pay - required: true - - name: MOTIPAY_MERCHANT_ID - description: Merchant ID for MOTI Pay - required: true - - name: MOTIPAY_BASE_URL - description: Base URL for MOTI Pay - required: true -objects: - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-openshift-ingress - labels: - template: openshift-test - spec: - podSelector: {} - ingress: - - from: - - namespaceSelector: - matchLabels: - network.openshift.io/policy-group: ingress - policyTypes: - - Ingress - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-same-namespace - labels: - template: quickstart-network-security-policy - spec: - podSelector: {} - ingress: - - from: - - podSelector: {} - policyTypes: - - Ingress diff --git a/database/openshift.deploy.yml b/database/openshift.deploy.yml index 4fd41e070..6be1f5c11 100644 --- a/database/openshift.deploy.yml +++ b/database/openshift.deploy.yml 
@@ -93,7 +93,34 @@ parameters: - name: DATABASE_HOST description: Host url/service of database connection required: true -objects: +objects: - apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-openshift-ingress + labels: + template: openshift-test + spec: + podSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress + policyTypes: + - Ingress + - apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-same-namespace + labels: + template: quickstart-network-security-policy + spec: + podSelector: {} + ingress: + - from: + - podSelector: {} + policyTypes: + - Ingress - kind: PersistentVolumeClaim apiVersion: v1 metadata:
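Review bot: The two NetworkPolicy objects added to `objects:` are namespace-wide (empty `podSelector: {}`, fixed names not parameterised by `${NAME}` or `${ZONE}`) but now ship inside the database template, so every deployment of this template re-applies the same shared objects and nothing in the file says they are shared; add a comment above the first one such as `# Namespace-wide policies (shared by all zones); names are deliberately not parameterised`. The `template:` labels `openshift-test` and `quickstart-network-security-policy` are carried over verbatim from the deleted `common/openshift.init.yml` and look like leftovers from a different template; confirm against the labels the other objects in this template use (outside the hunk). The `-objects:`/`+objects:` pair appears to be a whitespace-only change, which is harmless but cannot be verified from the collapsed text.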