diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index 85735c8ee..c856476d4 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -14,45 +14,6 @@ concurrency:
 cancel-in-progress: true
 jobs:
- codeql:
- name: CodeQL
- if: ${{ ! github.event.pull_request.draft }}
- runs-on: ubuntu-22.04
- timeout-minutes: 5
- steps:
- - uses: actions/checkout@v4
- - uses: github/codeql-action/init@v3
- with:
- languages: javascript
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:javascript"
-
- # https://github.com/marketplace/actions/aqua-security-trivy
- trivy:
- name: Trivy Security Scan
- if: ${{ ! github.event.pull_request.draft }}
- runs-on: ubuntu-22.04
- timeout-minutes: 1
- steps:
- - uses: actions/checkout@v4
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@0.16.1
- with:
- format: "sarif"
- output: "trivy-results.sarif"
- ignore-unfixed: true
- scan-type: "fs"
- scanners: "vuln,secret,config"
- severity: "CRITICAL,HIGH"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "trivy-results.sarif"
-
 tests:
 name: Tests
 if: ${{ ! github.event.pull_request.draft }}
@@ -96,10 +57,44 @@ jobs:
 sonar_token: ${{ secrets[matrix.token] }}
 triggers: ('${{ matrix.dir }}/')
 
- results:
- name: Results
- needs: [codeql, trivy, tests]
+ codeql:
+ name: CodeQL
+ if: ${{ ! github.event.pull_request.draft }}
+ needs: [tests]
+ runs-on: ubuntu-22.04
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v4
+ - uses: github/codeql-action/init@v3
+ with:
+ languages: javascript
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:javascript"
+
+ # https://github.com/marketplace/actions/aqua-security-trivy
+ trivy:
+ name: Trivy Security Scan
+ if: ${{ ! github.event.pull_request.draft }}
+ needs: [tests]
 runs-on: ubuntu-22.04
 timeout-minutes: 1
 steps:
- - run: echo "Success!"
+ - uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.16.1
+ with:
+ format: "sarif"
+ output: "trivy-results.sarif"
+ ignore-unfixed: true
+ scan-type: "fs"
+ scanners: "vuln,secret,config"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
+
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
index e810a4a4a..b9d75a646 100644
--- a/.github/workflows/pr-open.yml
+++ b/.github/workflows/pr-open.yml
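Review bot: Deleting the `results` aggregator (the removed `needs: [codeql, trivy, tests]` job) leaves no single status that depends on the security scans, so if branch protection required the "Results" check, CodeQL and Trivy findings no longer gate merges unless each job is added as a required check individually — worth confirming in the repository settings. Adding `needs: [tests]` to `codeql` and `trivy` with an `if:` that contains no status function also means a failing test suite skips both scans and leaves the Security tab stale for that commit; if the intent is only ordering, change both conditions to `if: ${{ !cancelled() && ! github.event.pull_request.draft }}` so the scans still run on a test failure. The `upload-sarif` step needs `security-events: write`, and no `permissions:` block is visible in this hunk; the file header is outside the hunk, so verify the top-level grant exists. The moved steps reference third-party actions by mutable tag (`aquasecurity/trivy-action@0.16.1`, `actions/checkout@v4`); pinning to commit SHAs would close the retagged-release path. Restoring an aggregator that fails when any dependency failed, sketched below, keeps a single required check available.

```yaml
  # … unchanged: tests, codeql and trivy jobs …
  results:
    name: Results
    needs: [codeql, trivy, tests]
    if: ${{ !cancelled() && ! github.event.pull_request.draft }}
    runs-on: ubuntu-22.04
    timeout-minutes: 1
    steps:
      - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1
      - run: echo "Success!"
```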
@@ -9,41 +9,6 @@ concurrency:
 cancel-in-progress: true
 jobs:
- conventional-commits:
- name: Conventional Commits
- runs-on: ubuntu-22.04
- steps:
- - uses: amannn/action-semantic-pull-request@v5.4.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- pr-description-add:
- name: PR Description Add
- env:
- DOMAIN: apps.silver.devops.gov.bc.ca
- PREFIX: ${{ github.event.repository.name }}
- runs-on: ubuntu-22.04
- permissions:
- pull-requests: write
- timeout-minutes: 1
- steps:
- - uses: bcgov-nr/action-pr-description-add@v1.1.0
- with:
- add_markdown: |
- ---
-
- Thanks for the PR!
-
- Deployments, as required, will be available below:
- - [Frontend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }})
- - [Backend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }}/api)
-
- Please create PRs in draft mode. Mark as ready to enable:
- - [Analysis Workflow](https://github.com/${{ github.repository }}/actions/workflows/analysis.yml)
-
- After merge, new images are deployed in:
- - [Merge Workflow](https://github.com/${{ github.repository }}/actions/workflows/merge.yml)
-
 # https://github.com/bcgov-nr/action-builder-ghcr
 builds:
 name: Builds
diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml
new file mode 100644
index 000000000..3dd674525
--- /dev/null
+++ b/.github/workflows/pr-validate.yml
@@ -0,0 +1,54 @@
+name: PR Validate
+
+on:
+ pull_request:
+ types: [edited, opened, reopened, synchronize]
+
+concurrency:
+ # Cancel in progress for PR open and close, but not merge_group
+ group: ${{ github.workflow }}-${{ github.event.number || github.event.merge_group.base_sha }}
+ cancel-in-progress: true
+
+jobs:
+ # PR only, skip for merge_group
+ conventional-commits:
+ name: Conventional Commits
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: amannn/action-semantic-pull-request@v5.4.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - if: failure() && !success()
+ run: |
+ echo "Please use conventional commits in your PR title and re-run this job."
+ echo "https://www.conventionalcommits.org/en/v1.0.0/"
+ exit 1
+
+ # PR only, skip for merge_group
+ pr-description-add:
+ name: PR Description Add
+ env:
+ DOMAIN: apps.silver.devops.gov.bc.ca
+ PREFIX: ${{ github.event.repository.name }}
+ runs-on: ubuntu-22.04
+ permissions:
+ pull-requests: write
+ timeout-minutes: 1
+ steps:
+ - uses: bcgov-nr/action-pr-description-add@v1.1.0
+ with:
+ add_markdown: |
+ ---
+
+ Thanks for the PR!
+
+ Deployments, as required, will be available below:
+ - [Frontend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }})
+ - [Backend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }}/api)
+
+ Please create PRs in draft mode. Mark as ready to enable:
+ - [Analysis Workflow](https://github.com/${{ github.repository }}/actions/workflows/analysis.yml)
+
+ After merge, new images are deployed in:
+ - [Merge Workflow](https://github.com/${{ github.repository }}/actions/workflows/merge.yml)
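Review bot: The `conventional-commits` job passes `secrets.GITHUB_TOKEN` to a third-party action without a `permissions:` block, so that token carries the repository's default workflow permissions rather than the least privilege the title check needs; the sibling `pr-description-add` job already scopes itself to `pull-requests: write`, so scope this one the same way, e.g. add `permissions:` / `  pull-requests: read` under `runs-on` (confirm against the action's documented requirements). Both third-party actions are referenced by mutable tags (`amannn/action-semantic-pull-request@v5.4.0`, `bcgov-nr/action-pr-description-add@v1.1.0`); pinning each to a commit SHA would stop a retagged release from running with that token. The `# PR only, skip for merge_group` comments and the `github.event.merge_group.base_sha` fallback in the concurrency group describe an event that `on:` does not declare, so either add `merge_group:` to the triggers or drop those comments to avoid misleading the next maintainer. In the failure step, `failure() && !success()` is equivalent to `failure()`, and the trailing `exit 1` is redundant because the job has already failed; `if: failure()` alone reads more clearly.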