Shared CI configurations

.github/workflows/component-container-image-security.yml

@@ -0,0 +1,64 @@
+name: Generic security scan
+
+on:
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the Dockerfile directory to analyse"
+        required: true
+        default: "."
+        type: string
+      image-path:
+        description: "Path of the docker image to analyse"
+        default: "ghcr.io/${{ github.repository }}/app"
+        type: string
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+jobs:
+  security-dependency-trivy:
+    name: Trivy dependency scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      # need to format as github.repository contains uppercase
+      # and pull request workflow contains slashes
+      - id: format
+        name: Format proper image path and tag
+        env:
+          IMAGE_PATH: ${{ inputs.image-path }}
+        run: |
+          echo "image-tag=${GITHUB_REF_NAME/\//-}" >> $GITHUB_OUTPUT
+          echo "image-path=${IMAGE_PATH@L}" >> $GITHUB_OUTPUT
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        if: ${{ github.event_name != 'release' }}
+        with:
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.image-path }}:${{ steps.format.outputs.image-tag }}"
+          push: false
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
+        with:
+          image-ref: "${{ steps.format.outputs.image-path }}:${{ steps.format.outputs.image-tag }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          exit-code: "1"
+          ignore-unfixed: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+      - name: Inspect bandit SARIF report
+        if: always()
+        run: cat trivy-results.sarif

.github/workflows/java-docker.yml → .github/workflows/component-container-image.yml

@@ -1,25 +1,31 @@
-name: Java Docker
+name: Build and push Docker image
 
 on:
-  push:
-    branches:
-      - main
-    paths:
-      - "java-demo/**"
-  pull_request:
-    paths:
-      - "java-demo/**"
-  release:
-    types: [created]
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the Dockerfile directory to build"
+        default: "."
+        type: string
+      image-path:
+        description: "Path of the docker image Tag"
+        default: "ghcr.io/${{ github.repository }}/app"
+        type: string
 
 jobs:
   container-image-build:
+    name: Docker
     runs-on: ubuntu-latest
     steps:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - id: format
+        name: Lowercase repository path
+        uses: ASzc/change-string-case-action@v1
+        with:
+          string: ${{ inputs.image-path }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         if: ${{ github.event_name == 'release' }}
@@ -31,12 +37,13 @@ jobs:
         uses: docker/build-push-action@v6
         if: ${{ github.event_name != 'release' }}
         with:
-          context: "{{defaultContext}}:java-demo"
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.lowercase }}:develop"
           push: false
       - name: Build and push
         uses: docker/build-push-action@v6
         if: ${{ github.event_name == 'release' }}
         with:
-          context: "{{defaultContext}}:java-demo"
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.lowercase }}:${{ github.ref_name }}"
           push: true
-          tags: "ghcr.io/british-oceanographic-data-centre/amrit-repos/java/app:${{ github.ref_name }}"

.github/workflows/component-java-lint.yml

@@ -0,0 +1,27 @@
+name: Java Lint
+
+on:
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the module to lint"
+        default: ""
+        type: string
+      java-version:
+        description: "Java version"
+        default: "21"
+        type: string
+
+jobs:
+  java-linter-spotless:
+    name: Lint with spotless
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: "temurin"
+          java-version: ${{ inputs.java-version }}
+      - name: Run Spotless lint
+        working-directory: ./${{ inputs.context }}
+        run: ./mvnw spotless:check

.github/workflows/component-java-test.yml

@@ -0,0 +1,32 @@
+name: Java Tests
+
+on:
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the module to lint"
+        default: ""
+        type: string
+      java-version:
+        description: "Java version"
+        default: "21"
+        type: string
+
+jobs:
+  java-test-maven:
+    name: Test with Maven
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: "temurin"
+          java-version: ${{ inputs.java-version }}
+      - name: Run Maven run tests
+        working-directory: ./${{ inputs.context }}
+        run: ./mvnw clean test
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@v5
+        if: always()
+        with:
+          report_paths: '**/target/**/TEST-*.xml'

.github/workflows/python-tox.yaml → .github/workflows/component-python-lint.yml

@@ -1,16 +1,13 @@
-name: Python Tox
+name: Python Linting
 
 on:
-  push:
-    branches:
-      # Run on our main branch
-      - main
-    paths:
-      - example-python/**
-  pull_request:
-    # Run for any pull requests
-    paths:
-      - example-python/**
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the module to lint"
+        default: ""
+        type: string
+
 jobs:
   tox:
     runs-on: ubuntu-latest
@@ -20,21 +17,21 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
         tox-job: ["test", "build", "lint", "type"]
     steps:
-      - uses: actions/checkout@v4  # Checkout the current branch/merge state
-      - name: Set up Python ${{ matrix.python-version }}  # Get Python ready to use
+      - uses: actions/checkout@v4 # Checkout the current branch/merge state
+      - name: Set up Python ${{ matrix.python-version }} # Get Python ready to use
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install dependencies  # Get Tox and Poetry ready
-        working-directory: ./example-python
+      - name: Install dependencies # Get Tox and Poetry ready
+        working-directory: ./${{ inputs.context }}
         run: |
           python -m pip install --upgrade pip
           python -m pip install tox tox-gh-actions
           curl -sSL https://install.python-poetry.org | python -
           tox depends --recreate
       # Run Tox jobs
       - name: Tox (${{ matrix.tox-job }})
-        working-directory: ./example-python
+        working-directory: ./${{ inputs.context }}
         run: |
           poetry config virtualenvs.create false
           poetry install --no-root --with ${{ matrix.tox-job }}

.github/workflows/python-security.yml → .github/workflows/component-python-security.yml

@@ -2,30 +2,30 @@
 name: Python Security
 
 on:
-  push:
-    branches:
-      # Run on our main branch
-      - main
-    paths:
-      - example-python/**
-  pull_request:
-    # Run for any pull requests
-    paths:
-      - example-python/**
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the module to lint"
+        default: ""
+        type: string
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
 jobs:
   # https://github.com/marketplace/actions/anchore-container-scan
   dependency-check:
+    name: Grype & Pip Audit dependency scan
     runs-on: ubuntu-latest
-    permissions:
-      # Required for uploading sarif file
-      security-events: write
     steps:
       - uses: actions/checkout@v4  # Checkout the current branch/merge state
       - name: Grype Scan
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          path: example-python
+          path: ${{ inputs.context }}
       - name: Upload grype sarif file
         if: always()
         uses: github/codeql-action/upload-sarif@v3
@@ -38,8 +38,9 @@ jobs:
       - name: Pip Audit
         uses: pypa/[email protected]
         with:
-          inputs: example-python
+          inputs: ${{ inputs.context }}
   code-check:
+    name: Bandit scan
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -54,21 +55,21 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies  # Install bandit
-        working-directory: ./example-python
+        working-directory: ./${{ inputs.context }}
         run: |
           python -m pip install --upgrade pip
           python -m pip install bandit[toml,sarif]
       - name: Run Bandit
-        working-directory: ./example-python
+        working-directory: ./${{ inputs.context }}
         # Run bandit and output to sarif file
         run: |
           bandit -r . -c pyproject.toml -f sarif -o bandit.sarif
       - name: Upload bandit sarif file
         if: always()
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: example-python/bandit.sarif
+          sarif_file: ${{ inputs.context }}/bandit.sarif
           category: bandit-python-analysis
       - name: Inspect bandit SARIF report
         if: always()
-        run: cat example-python/bandit.sarif
+        run: cat ${{ inputs.context }}/bandit.sarif

.github/workflows/component-ts-lint.yml

@@ -0,0 +1,21 @@
+name: Typescript Lint
+
+on:
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the module to lint"
+        default: ""
+        type: string
+
+jobs:
+  eslint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install modules
+        working-directory: ./${{ inputs.context }}
+        run: npm install
+      - name: Run ESLint
+        working-directory: ./${{ inputs.context }}
+        run: npm run lint

.github/workflows/bearer.yml → .github/workflows/component-ts-security.yml

@@ -5,13 +5,15 @@
 #
 # This workflow file requires a free account on Bearer.com to manage findings, notifications and more.
 # See https://docs.bearer.com/guides/bearer-cloud/
-name: Bearer
+name: Typescript security
 
 on:
-  pull_request:  
-
-  schedule:
-    - cron: '*/15 * * * *'
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the module to lint"
+        default: ""
+        type: string
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -20,6 +22,7 @@ permissions:
 
 jobs:
   bearer:
+    name: Bearer scan
     runs-on: ubuntu-latest
     steps:
       # Checkout project source
@@ -29,4 +32,4 @@ jobs:
         id: report
         uses: bearer/bearer-action@828eeb928ce2f4a7ca5ed57fb8b59508cb8c79bc
         with:
-          path: typescript-demo
+          path: ${{ inputs.context }}