Add OpenSSF Score card (#207) #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Frontend CI | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| paths: | |
| - .github/workflows/frontend-ci.yaml | |
| - components/resc-frontend/** | |
| - '!**.md' | |
| - '!**.png' | |
| - '!**.gif' | |
| - .gitignore | |
| pull_request: | |
| branches: [ "main" ] | |
| paths: | |
| - .github/workflows/frontend-ci.yaml | |
| - components/resc-frontend/** | |
| - '!**.md' | |
| - '!**.png' | |
| - '!**.gif' | |
| - .gitignore | |
| workflow_dispatch: | |
| env: | |
| RESC_FRONTEND_DIR: components/resc-frontend | |
| CONTAINER_REGISTRY: rescabnamro | |
| IMAGE_NAME: resc-frontend | |
| jobs: | |
| nodejs-basic-validation: | |
| name: Build Nodejs | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node-version: [16.13.0] | |
| outputs: | |
| frontend_version: ${{ steps.getversion.outputs.frontend_version }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: Install Dependencies | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| npm install | |
| - name: Npm Lint | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| npm run lint | |
| - name: Run Unit Tests | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| npm run ut | |
| - name: Run Software Composition Analysis using AuditJS | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| npx auditjs@latest ossi -q || true | |
| - name: Running Jest and Coverage | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| yarn jest --coverage || true | |
| npm install jest-sonar-reporter --save-dev | |
| ## Removing the dir paths and making them relative paths. | |
| - name: Fix coverage report | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| sed -i "s+/home/runner/work/repository-scanner/repository-scanner/components/resc-frontend/++g" tests/unit/reports/coverage/lcov.info | |
| cat tests/unit/reports/coverage/lcov.info | |
| # This step will only execute if PR is created internally. | |
| - name: SonarCloud Scan | |
| if: ${{ (github.event.pull_request.head.repo.full_name == 'abnamro/repository-scanner') || (github.ref == 'refs/heads/main') }} | |
| uses: SonarSource/sonarcloud-github-action@master | |
| with: | |
| projectBaseDir: ${{ env.RESC_FRONTEND_DIR }} | |
| args: > | |
| -Dsonar.organization=abnamro-resc | |
| -Dsonar.projectKey=abnamro-resc_resc-frontend | |
| -Dsonar.sourceEncoding=UTF-8 | |
| -Dsonar.projectName=resc-frontend | |
| -Dsonar.groupid=resc | |
| -Dsonar.sources=src/ | |
| -Dsonar.inclusions=**/* | |
| -Dsonar.exclusions=**/__mocks__/* | |
| -Dsonar.tests=tests/ | |
| -Dsonar.cpd.exclusions=**/*.example.js,**/*.spec.js,**/*.?spec.js | |
| -Dsonar.coverage.exclusions=**/*.html,**/*.json,**/*.spec.js,**/*.?spec.js,**/main.*,**/i18n.js,**/router/index.js,**/configuration/*.js | |
| -Dsonar.javascript.jstest.reportsPath=tests/unit/reports/coverage | |
| -Dsonar.javascript.lcov.reportPaths=tests/unit/reports/coverage/lcov.info | |
| -Dsonar.pdf.skip=true | |
| -Dsonar.branch.target=* | |
| -Dsonar.branch.name=* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.__SONAR_TOKEN_BACKEND__ }} | |
| - id: getversion | |
| name: Get package version | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| frontend_version=$(npm pkg get version | sed 's/"//g') | |
| echo "frontend_version=$frontend_version" >> $GITHUB_OUTPUT | |
| dockerize: | |
| name: Build and Push Docker image | |
| needs: nodejs-basic-validation | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v3 | |
| - name: Docker Lint | |
| uses: hadolint/hadolint-action@v2.0.0 | |
| with: | |
| dockerfile: ${{ env.RESC_FRONTEND_DIR }}/Dockerfile | |
| failure-threshold: error | |
| - name: Build an image from Dockerfile | |
| run: | | |
| cd ${{ env.RESC_FRONTEND_DIR }} | |
| docker build -t ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.nodejs-basic-validation.outputs.frontend_version}} . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.nodejs-basic-validation.outputs.frontend_version}} | |
| format: 'table' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Get Branch Name | |
| run: | | |
| if [[ ${GITHUB_EVENT_NAME} == 'pull_request' ]]; then | |
| echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF})" >> "$GITHUB_ENV" | |
| elif [[ ${GITHUB_EVENT_NAME} == 'push' ]]; then | |
| echo "BRANCH_NAME=$(echo ${GITHUB_REF_NAME})" >> "$GITHUB_ENV" | |
| else | |
| echo "Event is neither pull_request nor push" | |
| fi | |
| - name: Determine if image needs to be published | |
| run: | | |
| if [[ ${{ env.BRANCH_NAME }} == 'main' ]]; then | |
| echo "PUBLISH_IMAGE=true" >> "$GITHUB_ENV" | |
| echo "Going to publish image to registry" | |
| else | |
| echo "PUBLISH_IMAGE=false" >> "$GITHUB_ENV" | |
| echo "Skipping publishing of image to registry" | |
| fi | |
| - name: Log in to Container Registry | |
| if: ${{ env.PUBLISH_IMAGE == 'true' }} | |
| uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 | |
| with: | |
| username: ${{ secrets.__DOCKER_HUB_USER__ }} | |
| password: ${{ secrets.__DOCKER_HUB_PASS__ }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc | |
| with: | |
| context: ${{ env.RESC_FRONTEND_DIR }}/ | |
| push: ${{ env.PUBLISH_IMAGE }} | |
| tags: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest, ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.nodejs-basic-validation.outputs.frontend_version}} |