mirror of https://github.com/boxyhq/jackson.git
379 lines
13 KiB
YAML
379 lines
13 KiB
YAML
# This is a basic workflow to help you get started with Actions
|
|
|
|
name: CI
|
|
|
|
# Controls when the workflow will run
|
|
on:
|
|
# Triggers the workflow on push or pull request events but only for the main branch
|
|
push:
|
|
branches:
|
|
- '*'
|
|
tags:
|
|
- 'beta-v*'
|
|
pull_request:
|
|
types: [opened, synchronize, reopened]
|
|
|
|
# Allows you to run this workflow manually from the Actions tab
|
|
workflow_dispatch:
|
|
|
|
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
|
jobs:
|
|
ci:
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }}
|
|
NEXTAUTH_URL: http://localhost:5225
|
|
NEXTAUTH_ACL: '*@boxyhq.com'
|
|
DB_ENGINE: sql
|
|
DB_URL: postgres://postgres:postgres@localhost:5432/postgres
|
|
DB_TYPE: postgres
|
|
DEBUG: pw:webserver
|
|
SAML_AUDIENCE: https://saml.boxyhq.com
|
|
JACKSON_API_KEYS: secret
|
|
strategy:
|
|
matrix:
|
|
node-version: [16.x]
|
|
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:13
|
|
ports:
|
|
- 5432:5432
|
|
env:
|
|
POSTGRES_PASSWORD: ''
|
|
POSTGRES_HOST_AUTH_METHOD: 'trust'
|
|
# Set health checks to wait until postgres has started
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
redis:
|
|
image: redis:6.2.5-alpine
|
|
ports:
|
|
- 6379:6379
|
|
mongo:
|
|
image: mongo:4.4.10
|
|
ports:
|
|
- 27017:27017
|
|
mysql:
|
|
image: mysql:5.7
|
|
ports:
|
|
- 3307:3306
|
|
env:
|
|
MYSQL_DATABASE: mysql
|
|
MYSQL_ROOT_PASSWORD: mysql
|
|
maria:
|
|
image: mariadb:10.4.22
|
|
ports:
|
|
- 3306:3306
|
|
env:
|
|
MARIADB_DATABASE: mysql
|
|
MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 'yes'
|
|
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: Use Node.js ${{ matrix.node-version }}
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
always-auth: true
|
|
node-version: ${{ matrix.node-version }}
|
|
registry-url: https://registry.npmjs.org
|
|
scope: '@boxyhq'
|
|
cache: 'npm'
|
|
- name: Setup Next.js cache
|
|
uses: actions/cache@v2
|
|
with:
|
|
path: ${{ github.workspace }}/.next/cache
|
|
# Generate a new cache whenever packages or source files change.
|
|
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
|
|
# If source files changed but packages didn't, rebuild from a prior cache.
|
|
restore-keys: |
|
|
${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-
|
|
- run: npm install
|
|
- run: npm run build
|
|
- name: Install playwright browser dependencies
|
|
run: npx playwright install chromium
|
|
- name: e2e tests
|
|
run: npx ts-node --log-error e2e/seedAuthDb.ts && npx playwright test
|
|
- run: npm run test
|
|
working-directory: ./npm
|
|
- run: |
|
|
npm install -g json
|
|
JACKSON_VERSION=$(echo $(cat ../package.json) | json version)
|
|
|
|
publishTag="latest"
|
|
|
|
if [[ "$GITHUB_REF" == *\/release ]]
|
|
then
|
|
echo "Release branch"
|
|
else
|
|
echo "Dev branch"
|
|
publishTag="beta"
|
|
JACKSON_VERSION="${JACKSON_VERSION}-beta.${GITHUB_RUN_NUMBER}"
|
|
fi
|
|
|
|
echo ${JACKSON_VERSION} > npmversion.txt
|
|
echo ${publishTag} > publishTag.txt
|
|
|
|
echo $(cat npmversion.txt)
|
|
echo $(cat publishTag.txt)
|
|
working-directory: ./npm
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
- name: Upload saml-jackson npm version
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: npmversion
|
|
path: ./npm/npmversion.txt
|
|
- name: Upload saml-jackson publish tag
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: publishTag
|
|
path: ./npm/publishTag.txt
|
|
|
|
build:
|
|
needs: ci
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Check Out Repo
|
|
uses: actions/checkout@v2
|
|
|
|
- name: Download saml-jackson npm version
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npmversion
|
|
|
|
- name: Get saml-jackson npm version
|
|
id: npmversion
|
|
run: echo "::set-output name=npmversion::$(cat npmversion.txt)"
|
|
|
|
- run: echo ${{ steps.npmversion.outputs.npmversion }}
|
|
|
|
- name: Get short SHA
|
|
id: slug
|
|
run: echo "::set-output name=sha7::$(echo ${GITHUB_SHA} | cut -c1-7)"
|
|
|
|
- name: Set up Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v1
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@v1
|
|
with:
|
|
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
|
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
|
|
|
- name: Build and push
|
|
if: github.ref == 'refs/heads/release'
|
|
id: docker_build
|
|
uses: docker/build-push-action@v2
|
|
with:
|
|
context: ./
|
|
file: ./Dockerfile
|
|
push: true
|
|
tags: ${{ github.repository }}:latest,${{ github.repository }}:${{ steps.slug.outputs.sha7 }},${{ github.repository }}:${{ steps.npmversion.outputs.npmversion }}
|
|
|
|
- name: Image digest
|
|
run: echo ${{ steps.docker_build.outputs.digest }}
|
|
|
|
- name: Login to GitHub Container Registry
|
|
run: |
|
|
echo "${{secrets.GITHUB_TOKEN}}" | docker login ghcr.io -u ${{github.repository_owner}} --password-stdin
|
|
|
|
# - name: NPM Package SBOM Scan
|
|
# uses: anchore/scan-action@v3
|
|
# with:
|
|
# path: './npm'
|
|
# fail-build: true
|
|
# severity-cutoff: high
|
|
|
|
- name: Set up Homebrew
|
|
id: set-up-homebrew
|
|
uses: Homebrew/actions/setup-homebrew@master
|
|
|
|
- name: Install Cosign with brew
|
|
run: brew install cosign
|
|
|
|
- name: place the cosign private key in a file
|
|
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
|
|
shell: bash
|
|
env:
|
|
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
|
|
|
|
- name: Sign the image
|
|
if: github.ref == 'refs/heads/release'
|
|
run: cosign sign --key /tmp/cosign.key ${{ github.repository }}:${{ steps.slug.outputs.sha7 }} || true
|
|
env:
|
|
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
|
|
|
- name: Create NPM Package SBOM Report [SPDX]
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
format: spdx
|
|
artifact-name: npm_sbom.spdx
|
|
- name: Publish report [SPDX]
|
|
uses: anchore/sbom-action/publish-sbom@v0
|
|
with:
|
|
sbom-artifact-match: ".*\\.spdx$"
|
|
- name: Create NPM Pacakge SBOM Report [CycloneDx]
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
format: cyclonedx
|
|
artifact-name: npm_sbom.cyclonedx
|
|
- name: Publish report [CycloneDx]
|
|
uses: anchore/sbom-action/publish-sbom@v0
|
|
with:
|
|
sbom-artifact-match: ".*\\.cyclonedx$"
|
|
- name: Download artifact for SPDX Report
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npm_sbom.spdx
|
|
- name: Download artifact for CycloneDx Report
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npm_sbom.cyclonedx
|
|
- name: Remove older SBOMs
|
|
run: rm -rf ./npm/sbom*.* || true
|
|
- name: Move SPDX Report
|
|
run: mv npm_sbom.spdx "./npm/sbom.spdx"
|
|
- name: Move CycloneDx Report
|
|
run: mv npm_sbom.cyclonedx "./npm/sbom.cyclonedx"
|
|
# - name: Next Js Project Scan
|
|
# uses: anchore/scan-action@v3
|
|
# with:
|
|
# path: './'
|
|
# fail-build: true
|
|
# severity-cutoff: high
|
|
- name: Next Js Project SBOM Report [SPDX]
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
format: spdx
|
|
artifact-name: sbom.spdx
|
|
- name: Publish report [SPDX]
|
|
uses: anchore/sbom-action/publish-sbom@v0
|
|
with:
|
|
sbom-artifact-match: ".*\\.spdx$"
|
|
- name: Next Js Project SBOM Report [CycloneDx]
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
format: cyclonedx
|
|
artifact-name: sbom.cyclonedx
|
|
- name: Publish report [CycloneDx]
|
|
uses: anchore/sbom-action/publish-sbom@v0
|
|
with:
|
|
sbom-artifact-match: ".*\\.cyclonedx$"
|
|
- name: Remove older SBOMs
|
|
run: rm -rf sbom*.* || true
|
|
- name: Download artifact for SPDX Report
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: sbom.spdx
|
|
- name: Download artifact for CycloneDx Report
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: sbom.cyclonedx
|
|
- name: Scan docker image using TERN
|
|
uses: philips-labs/tern-action@v1.1.0
|
|
id: scan
|
|
with:
|
|
image: ${{ github.repository }}:latest
|
|
format: spdxtagvalue
|
|
output: docker_sbom.spdx
|
|
- name: Create/Clear folder
|
|
run: mkdir -p ./_docker/ && rm -rf ./_docker/*.* || true
|
|
- name: Docker CycloneDx report
|
|
run: npm install -g @appthreat/cdxgen && cdxgen ${{ github.repository }}:latest -o ./_docker/sbom.xml -t docker
|
|
- name: Move Report & cleanup
|
|
run: |
|
|
mv docker_sbom.spdx "./_docker/sbom.spdx"
|
|
rm results.sarif || true
|
|
rm ./_docker/sbom.json || true
|
|
mv ./_docker/sbom.xml ./_docker/sbom.cyclonedx || true
|
|
- name: Download saml-jackson npm version
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npmversion
|
|
- name: Get saml-jackson npm version
|
|
id: _npmversion
|
|
run: echo "::set-output name=npmversion::$(cat npmversion.txt)"
|
|
- name: ORAS Setup & Push SBOM reports to GitHub Container Registry
|
|
if: github.ref == 'refs/heads/release'
|
|
run: |
|
|
ORAS_VERSION="0.8.1"
|
|
ORAS_FILENAME="oras_0.8.1_linux_amd64.tar.gz"
|
|
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}"
|
|
mkdir oras_install
|
|
tar -xvf "${ORAS_FILENAME}" -C oras_install
|
|
./oras_install/oras push ghcr.io/${{github.repository_owner}}/jackson/sbom:service-${{ steps._npmversion.outputs.npmversion }} ./sbom.*
|
|
cd _docker
|
|
../oras_install/oras push ghcr.io/${{github.repository_owner}}/jackson/sbom:docker-${{ steps._npmversion.outputs.npmversion }} ./sbom.*
|
|
cd ..
|
|
cd npm
|
|
../oras_install/oras push ghcr.io/${{github.repository_owner}}/jackson/sbom:npm-${{ steps._npmversion.outputs.npmversion }} ./sbom.*
|
|
cd ..
|
|
|
|
- name: Sign the sbom images
|
|
if: github.ref == 'refs/heads/release'
|
|
run: |
|
|
cosign sign --key /tmp/cosign.key ghcr.io/${{github.repository_owner}}/jackson/sbom:service-${{ steps._npmversion.outputs.npmversion }} || true
|
|
cosign sign --key /tmp/cosign.key ghcr.io/${{github.repository_owner}}/jackson/sbom:docker-${{ steps._npmversion.outputs.npmversion }} || true
|
|
cosign sign --key /tmp/cosign.key ghcr.io/${{github.repository_owner}}/jackson/sbom:npm-${{ steps._npmversion.outputs.npmversion }} || true
|
|
env:
|
|
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
|
publish:
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
|
|
strategy:
|
|
matrix:
|
|
node-version: [16.x]
|
|
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
|
|
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: Download saml-jackson npm version
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npmversion
|
|
- name: Get saml-jackson npm version
|
|
id: npmversion
|
|
run: echo "::set-output name=npmversion::$(cat npmversion.txt)"
|
|
- run: echo ${{ steps.npmversion.outputs.npmversion }}
|
|
|
|
- name: Download saml-jackson publish tag
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: publishTag
|
|
- name: Get saml-jackson npm version
|
|
id: publishTag
|
|
run: echo "::set-output name=publishTag::$(cat publishTag.txt)"
|
|
- run: echo ${{ steps.publishTag.outputs.publishTag }}
|
|
|
|
- name: Use Node.js ${{ matrix.node-version }}
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
always-auth: true
|
|
node-version: ${{ matrix.node-version }}
|
|
registry-url: https://registry.npmjs.org
|
|
scope: '@boxyhq'
|
|
cache: 'npm'
|
|
- run: npm install
|
|
working-directory: ./npm
|
|
|
|
- name: Publish NPM
|
|
if: github.ref == 'refs/heads/release' || contains(github.ref, 'refs/tags/beta-v')
|
|
run: |
|
|
npm install -g json
|
|
JACKSON_VERSION=${{ steps.npmversion.outputs.npmversion }}
|
|
json -I -f package.json -e "this.main=\"dist/index.js\""
|
|
json -I -f package.json -e "this.types=\"dist/index.d.ts\""
|
|
json -I -f package.json -e "this.version=\"${JACKSON_VERSION}\""
|
|
|
|
npm publish --tag ${{ steps.publishTag.outputs.publishTag }} --access public
|
|
working-directory: ./npm
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|