From b3ef82980bcc4bdc7e25975379f1dfe6d36f0aa1 Mon Sep 17 00:00:00 2001 From: ruigomes99 Date: Fri, 23 Aug 2024 12:48:28 +0100 Subject: [PATCH] add cicd --- .github/CODEOWNERS | 1 + .github/workflows/publish-images.yaml | 69 ++++++++++++++++++++++++++ .github/workflows/release.yaml | 20 ++++++++ .github/workflows/security-checks.yaml | 34 +++++++++++++ .github/workflows/tests.yaml | 28 +++++++++++ package.json | 3 +- 6 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/publish-images.yaml create mode 100644 .github/workflows/release.yaml create mode 100644 .github/workflows/security-checks.yaml create mode 100644 .github/workflows/tests.yaml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..5239fbd
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @ruigomes99
\ No newline at end of file
diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml
new file mode 100644
index 0000000..25c651c
--- /dev/null
+++ b/.github/workflows/publish-images.yaml
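Review bot: `* @ruigomes99` in the new CODEOWNERS only gates merges if the branch protection or ruleset for master/main has "Require review from Code Owners" enabled; without that setting the file merely auto-requests a reviewer and gives no enforcement. With a single owner and no fallback entry, enabling enforcement also means every PR is blocked whenever that one account is unavailable, so a team or a second owner on the same line is worth considering. The file is also written without a trailing newline.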
@@ -0,0 +1,69 @@
+# https://docs.github.com/en/actions/use-cases-and-examples/publishing-packages/publishing-docker-images
+name: Publish Docker image
+
+on:
+ release:
+ types: [published]
+
+env:
+ GITHUB_REGISTRY: ghcr.io
+ DOCKERHUB_REGISTRY: index.docker.io
+ GITHUB_IMAGE_NAME: ${{ github.repository }}
+ DOCKERHUB_IMAGE_NAME: ruigomes99/${{ github.event.repository.name }}
+
+jobs:
+ push_to_registries:
+ name: Push Docker image to multiple registries
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ attestations: write
+ id-token: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Log in to GitHub Container registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
+ with:
+ images: |
+ ${{ env.DOCKERHUB_IMAGE_NAME}}
+ ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_IMAGE_NAME }}
+
+ - name: Build and push Docker images
+ id: push
+ uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 #v6.7.0
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Generate artifact attestation to GitHub Container registry
+ uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 #v1.4.1
+ with:
+ subject-name: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
+ - name: Generate artifact attestation to Docker Hub
+ uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 #v1.4.1
+ with:
+ subject-name: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKERHUB_IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
\ No newline at end of file
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..7018087
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,20 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - "v*.*.*"
+
+jobs:
+ create_release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+ - name: Release
+ uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 #v2.0.8
+ with:
+ prerelease: ${{ contains(github.ref, '-alpha') }}
+ generate_release_notes: true
+ token: ${{ secrets.ACTION_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/security-checks.yaml b/.github/workflows/security-checks.yaml
new file mode 100644
index 0000000..2a26dcb
--- /dev/null
+++ b/.github/workflows/security-checks.yaml
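Review bot: The ghcr attestation step passes `subject-name: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_IMAGE_NAME }}` with `github.repository` verbatim, whereas metadata-action normalises the names in `images` to lowercase as far as I know, so for a repository whose name has uppercase letters the provenance would be recorded under a name that differs from the image actually pushed; deriving a lowercased name once (for example with `${GITHUB_REPOSITORY,,}` written to `$GITHUB_ENV` under a new key) and using it in both the `images` list and `subject-name` keeps the two aligned. The Docker Hub login consumes `secrets.DOCKER_PASSWORD`; if that is the account password rather than a Docker Hub access token limited to read/write on this repository, the workflow holds far more authority than the push needs, and any compromised step in this job could reuse it. Minor: `${{ env.DOCKERHUB_IMAGE_NAME}}` is missing the space before `}}` that every other expression in the file has.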
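Review bot: `prerelease: ${{ contains(github.ref, '-alpha') }}` marks only `-alpha` tags as prereleases, yet the `v*.*.*` trigger also matches tags such as `v1.2.0-beta.1` or `v1.2.0-rc.1`, which would be published as full releases and in turn fire publish-images.yaml's `release: published` trigger; `prerelease: ${{ contains(github.ref_name, '-') }}` follows the semver convention that any hyphenated suffix is a prerelease. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN carries whatever the repository default is even though the release step itself uses `ACTION_TOKEN`; a top-level `permissions:` block with `contents: read` keeps the default token minimal, and the same omission applies to security-checks.yaml and tests.yaml. Since `ACTION_TOKEN` is presumably a personal access token chosen so that the created release triggers the downstream workflow, a comment above `token:` stating that it must be fine-grained, limited to this repository's contents: write, and rotated would save the next maintainer from guessing why GITHUB_TOKEN was not used.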
@@ -0,0 +1,34 @@
+name: Security checks
+
+on:
+ pull_request:
+ branches: [master, main]
+
+jobs:
+ trivy_file_system:
+ name: Trivy file system scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v0.24.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'table'
+ output: './results.txt'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ exit-code: '1'
+
+ - name: Inspect action report
+ if: always()
+ run: cat ./results.txt
+
+ - name: Upload artifact
+ if: always()
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a #v4.3.6
+ with:
+ name: trivy-fs-scan-results
+ path: ./results.txt
\ No newline at end of file
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
new file mode 100644
index 0000000..ab48971
--- /dev/null
+++ b/.github/workflows/tests.yaml
@@ -0,0 +1,28 @@
+name: Tests
+
+on:
+ pull_request:
+ branches: [master, main]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+ - name: Build Docker image
+ run: docker build -t ${{ github.event.repository.name }}:ci .
+
+ # https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-nodejs
+ unit_tests:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+ - name: Use Node.js
+ uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b #v4.0.3
+ with:
+ node-version: '20.x'
+ - run: npm ci
+ - run: npm run build --if-present
+ - run: npm test
\ No newline at end of file
diff --git a/package.json b/package.json
index 76f8578..7778472 100644
--- a/package.json
+++ b/package.json
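Review bot: The scan is triggered only by `pull_request` against master/main, so an advisory published for a dependency already on the default branch is not reported until someone happens to open a PR; adding `push` on the same branches and a `schedule` trigger closes that gap (block below). The `fs` scan covers lockfiles and configuration in the repository but not the OS packages of the image that tests.yaml builds, so if that image is the shipped artifact an `image` scan of it is the one that matters. `exit-code: '1'` together with `severity: 'CRITICAL,HIGH,MEDIUM,LOW'` and `ignore-unfixed: true` is a defensible gate, but it is stricter than usual, so a one-line comment such as `# LOW findings block on purpose; relax severity here if this becomes noisy` would record that it is intentional.

```yaml
on:
  pull_request:
    branches: [master, main]
  push:
    branches: [master, main]
  schedule:
    - cron: "0 6 * * 1"  # weekly rescan of the default branch; constructed example
# … unchanged: jobs …
```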
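Review bot: `- run: npm test` executes the `test` script that this same commit adds to package.json, `echo "No tests specified" && exit 0`, so the `unit_tests` job succeeds without running any test and would report a false green if the workflow is made a required status check. npm's own placeholder exits 1 for exactly this reason; either keep `exit 1` until real tests exist, or drop the `npm test` step and say so in a comment on the job. The `build` job builds `${{ github.event.repository.name }}:ci` and then discards it, so nothing verifies the image starts or passes a scan; handing the built tag to the Trivy job in security-checks.yaml, or adding a minimal `docker run` smoke step, would give the job a purpose.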
@@ -3,7 +3,8 @@
 "version": "1.0.0",
 "main": "server.js",
 "scripts": {
- "start": "set \"NODE_ENV=development\" && nodemon index"
+ "start": "set \"NODE_ENV=development\" && nodemon index",
+ "test": "echo \"No tests specified\" && exit 0"
 },
 "author": "",
 "license": "ISC",