feat: add basic actions

SocialGouv · Mar 3, 2022 · 659f728 · 659f728
1 parent ea640d3
commit 659f728
Show file tree

Hide file tree

Showing 9 changed files with 359 additions and 15 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,75 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "16 1 * * 5"
+
+concurrency:
+  cancel-in-progress: true
+  group: codeql-${{ github.ref }}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      #- run: |
+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/deactivate.yml b/.github/workflows/deactivate.yml
@@ -0,0 +1,17 @@
+name: Deactivate
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  bury_review_env:
+    name: Deactivate review branch
+    runs-on: ubuntu-latest
+    steps:
+      - uses: SocialGouv/actions/autodevops-deactivate@v1
+        with:
+          kube-config: ${{ secrets.KUBECONFIG }}
+          github-token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          rancherId: ${{ secrets.RANCHER_PROJECT_ID }} # optional
+          socialgouvBaseDomain: ${{ secrets.SOCIALGOUV_BASE_DOMAIN }} # optional
diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml
@@ -0,0 +1,36 @@
+name: Kubernetes manifests tests
+
+on: [pull_request]
+
+concurrency:
+  cancel-in-progress: true
+  group: k8s-${{ github.ref }}
+
+defaults:
+  run:
+    shell: bash
+    working-directory: .k8s
+
+jobs:
+  build:
+    name: Test .k8s
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - name: Restore cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Install dependencies
+        run: |
+          yarn install --prefer-offline --frozen-lockfile
+      - name: Test .k8s
+        run: |
+          yarn test
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -0,0 +1,65 @@
+name: Code quality
+
+on: [pull_request]
+
+concurrency:
+  cancel-in-progress: true
+  group: quality-${{ github.ref }}
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - name: Restore cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Install dependencies
+        run: |
+          yarn install --prefer-offline --frozen-lockfile
+      - name: Build code
+        run: |
+          yarn build
+      - name: Cache build
+        uses: actions/cache@v2
+        with:
+          path: ./*
+          key: ${{ github.sha }}
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    needs: [build]
+    strategy:
+      fail-fast: false
+      matrix:
+        repositories: ["frontend"]
+    steps:
+      - uses: actions/cache@v2
+        name: Restore build
+        with:
+          path: ./*
+          key: ${{ github.sha }}
+      - name: Lint ${{ matrix.repositories }}
+        run: |
+          yarn workspace ${{ matrix.repositories }} lint
+
+  docker:
+    name: Lint Dockerfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@v1.6.0
+        with:
+          recursive: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,44 @@
+name: Release
+
+on: workflow_dispatch
+
+concurrency:
+  cancel-in-progress: true
+  group: release-${{ github.ref }}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - name: Restore cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Deploy
+        run: |
+          npm config set access public
+          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+          git config --global user.name "${NAME}"
+          git config --global user.email "${EMAIL}"
+          git remote set-url origin https://git:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
+          yarn --frozen-lockfile
+          yarn build:npm
+          GH_TOKEN=${GITHUB_TOKEN} yarn lerna version --force-publish --yes --conventional-commits
+          yarn lerna publish from-package --yes
+        env:
+          GITHUB_TOKEN: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+          NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }}
+          EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
+          NPM_TOKEN: ${{ secrets.SOCIALGROOVYBOT_NPM_TOKEN }}
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -0,0 +1,61 @@
+name: Review
+
+on:
+  pull_request:
+    branches:
+      - "**"
+    tags-ignore:
+      - v*
+
+concurrency:
+  cancel-in-progress: true
+  group: review-${{ github.ref }}
+
+jobs:
+  register:
+    name: Register images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Register docker image for frontend
+        uses: SocialGouv/actions/autodevops-build-register@local-cache-cdtn
+        with:
+          project: "cdtn-admin"
+          imageName: cdtn-admin/cdtn-admin-frontend
+          token: ${{ secrets.GITHUB_TOKEN }}
+          dockerfile: "./targets/frontend/Dockerfile"
+          dockercontext: "./targets/frontend/"
+
+  manifests:
+    name: Generate k8s manifests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install
+        shell: bash
+        run: |
+          yarn add @socialgouv/kosko-charts
+      - name: Get k8s infos
+        id: k8s
+        shell: bash
+        run: |
+          RAW_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+          BRANCH=$(npx @socialgouv/env-slug "${RAW_BRANCH}")
+          echo "::set-output name=branch::$(echo ${BRANCH})"
+      - name: Use k8s manifests generation
+        uses: SocialGouv/actions/k8s-manifests@v1
+        with:
+          environment: "dev"
+          rancherId: ${{ secrets.RANCHER_PROJECT_ID }}
+          socialgouvBaseDomain: ${{ secrets.SOCIALGOUV_BASE_DOMAIN }}
+
+  deploy:
+    name: Deploy application
+    runs-on: ubuntu-latest
+    needs: [register, manifests]
+    steps:
+      - name: Use autodevops deployment
+        uses: SocialGouv/actions/autodevops-deploy@v1
+        with:
+          environment: "dev"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+          rancherId: ${{ secrets.RANCHER_PROJECT_ID }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,46 @@
+name: Security vulnerability scanner
+
+on:
+  push:
+    branches: ["master"]
+
+concurrency:
+  cancel-in-progress: true
+  group: security-${{ github.ref }}
+
+jobs:
+  register:
+    name: Register images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Register docker image for frontend
+        uses: SocialGouv/actions/autodevops-build-register@local-cache-cdtn
+        with:
+          project: "cdtn-admin"
+          imageName: cdtn-admin/cdtn-admin-frontend
+          token: ${{ secrets.GITHUB_TOKEN }}
+          dockerfile: "./targets/frontend/Dockerfile"
+          dockercontext: "./targets/frontend/"
+
+  trivy:
+    name: Run trivy
+    runs-on: ubuntu-18.04
+    needs: [register]
+    strategy:
+      fail-fast: false
+      matrix:
+        images: ["cdtn-admin-frontend"]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build ${{ matrix.images }} from Dockerfile
+        run: |
+          docker build -t ghcr.io/socialgouv/cdtn-admin/${{ matrix.images }}:sha-${{ github.sha }} .
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/socialgouv/cdtn-admin/${{ matrix.images }}:sha-${{ github.sha }}"
+          format: "table"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
diff --git a/.github/workflows/sync-gitlab.yml b/.github/workflows/sync-gitlab.yml
@@ -0,0 +1,15 @@
+name: Gitlab mirroring
+
+on:
+  - push
+  - delete
+
+jobs:
+  mirror_gitlab:
+    name: 🪞 Gitlab
+    runs-on: ubuntu-latest
+    steps:
+      - uses: SocialGouv/actions/mirror-gitlab@master
+        with:
+          project: SocialGouv/cdtn/cdtn-admin
+          token: ${{ secrets.SOCIALGROOVYBOT_GITLAB_TOKEN }}
diff --git a/.github/workflows/🇫🇷.yml b/.github/workflows/🇫🇷.yml