-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3 from aligent/chore/AM-2046-initial-repo-setup
Setup GitHub actions
- Loading branch information
Showing
11 changed files
with
331 additions
and
27 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
* @aligent/mesh-developers | ||
|
||
.github/* @aligent/aligent-devops | ||
bitbucket-pipelines.yml @aligent/aligent-devops |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: 'npm' | ||
directory: '/' | ||
schedule: | ||
interval: 'daily' | ||
open-pull-requests-limit: 10 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
name: Build | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
application: | ||
required: true | ||
type: string | ||
|
||
jobs: | ||
build: | ||
name: 🏭 Build all packages | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 1 | ||
|
||
- uses: actions/setup-node@v4 | ||
with: | ||
node-version-file: '.nvmrc' | ||
cache: 'yarn' | ||
|
||
- name: Install | ||
run: yarn install | ||
|
||
- name: Build all packages | ||
env: | ||
BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }} | ||
BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }} | ||
BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }} | ||
BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }} | ||
BC_REST_API: ${{ secrets.BC_REST_API }} | ||
JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }} | ||
ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }} | ||
ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }} | ||
ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }} | ||
STORE_HASH: ${{ secrets.STORE_HASH }} | ||
X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }} | ||
run: yarn nx run-many -t build | ||
|
||
- name: Build Docker Container | ||
env: | ||
BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }} | ||
BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }} | ||
BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }} | ||
BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }} | ||
BC_REST_API: ${{ secrets.BC_REST_API }} | ||
JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }} | ||
ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }} | ||
ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }} | ||
ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }} | ||
STORE_HASH: ${{ secrets.STORE_HASH }} | ||
X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }} | ||
run: yarn nx docker-build ${{ inputs.application }} | ||
|
||
- name: Save Docker image to a tar file | ||
run: | | ||
docker save ${{ inputs.application }}:latest -o /tmp/${{ inputs.application }}.tar | ||
- name: Upload Docker image as artifact | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ${{ inputs.application }}-docker-image | ||
path: /tmp/${{ inputs.application }}.tar |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
name: OWASP Dependency Check | ||
|
||
on: | ||
# schedule: | ||
# - cron: '0 0 * * *' # Runs daily at midnight | ||
workflow_dispatch: # Allows manual trigger from the GitHub Actions tab | ||
workflow_call: | ||
inputs: | ||
version: | ||
type: string | ||
output: | ||
default: 'owasp-results' | ||
type: string | ||
scan_path: | ||
default: '.' | ||
type: string | ||
cvss_fail_level: | ||
default: 1 | ||
type: number | ||
suppression_path: | ||
default: 'suppression.xml' | ||
type: string | ||
disable_oss_index: | ||
type: boolean | ||
secrets: | ||
OSS_INDEX_USERNAME: | ||
OSS_INDEX_PASSWORD: | ||
NVD_API_KEY: | ||
|
||
jobs: | ||
owasp_scan: | ||
name: 🛡️ OWASP Scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
with: | ||
path: code | ||
|
||
- name: Fetch dependency check script | ||
run: | | ||
if [ -z "${{ inputs.version }}" ]; then | ||
VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt) | ||
else | ||
VERSION=${{ inputs.version }} | ||
fi | ||
curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip | ||
- name: Unzip dependency check | ||
run: | | ||
ls -la | ||
unzip dependency-check | ||
- name: Load database from cache | ||
uses: actions/cache@v4 | ||
with: | ||
path: dependency-check/data/oss_cache | ||
key: owasp-database-cache | ||
|
||
- name: Run OWASP dependency check | ||
env: | ||
OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }} | ||
OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }} | ||
NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | ||
run: | | ||
mkdir ${{ inputs.output }} | ||
./dependency-check/bin/dependency-check.sh \ | ||
--format JUNIT \ | ||
--format HTML \ | ||
--prettyPrint \ | ||
--project ${{ github.event.repository.name }} \ | ||
--enableExperimental \ | ||
--out ${{ inputs.output }} \ | ||
-s ${{ inputs.scan_path }} \ | ||
--junitFailOnCVSS ${{ inputs.cvss_fail_level }} \ | ||
--failOnCVSS ${{ inputs.cvss_fail_level }} \ | ||
--suppression code/${{ inputs.suppression_path }} \ | ||
--ossIndexUsername ${{ secrets.OSS_INDEX_USERNAME }} \ | ||
--ossIndexPassword ${{ secrets.OSS_INDEX_PASSWORD }} \ | ||
--nvdApiKey ${{ secrets.NVD_API_KEY }} \ | ||
--disableOssIndex ${{ inputs.disable_oss_index }} | ||
- name: Upload database to cache | ||
uses: actions/cache@v4 | ||
with: | ||
path: dependency-check/data/oss_cache | ||
key: owasp-database-cache | ||
|
||
- name: Upload OWASP report | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: owasp-dependency-check-report | ||
path: ${{ inputs.output }}/dependency-check-report.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
name: Publish to NPM | ||
|
||
on: | ||
release: | ||
tags: | ||
- '**-[0-9]+.[0-9]+.[0-9]+' | ||
- '**-[0-9]+.[0-9]+.[0-9]+-*' | ||
types: [published] | ||
|
||
jobs: | ||
build-and-publish: | ||
name: 🚀 Publish to NPM | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
ref: ${{ github.event.release.target_commitish }} | ||
|
||
- uses: actions/setup-node@v4 | ||
with: | ||
node-version-file: '.nvmrc' | ||
cache: 'yarn' | ||
registry-url: https://registry.npmjs.org/ | ||
|
||
- name: Install | ||
run: yarn install | ||
|
||
- name: Preparing environment for release | ||
run: | | ||
VERSION=$(echo $GITHUB_REF_NAME | sed 's/^.*[A-Za-z]-//g') | ||
echo "VERSION=$VERSION" >> $GITHUB_ENV | ||
echo "PACKAGE=$(echo $GITHUB_REF_NAME | sed "s/-${VERSION}//g")" >> $GITHUB_ENV | ||
- name: Release | ||
run: | | ||
git config --global user.name "Automated NPM Release" | ||
git config --global user.email "[email protected]" | ||
echo "Publishing $PACKAGE @ $VERSION" | ||
yarn config set registry https://registry.npmjs.org/ | ||
yarn nx publish $PACKAGE --ver=$VERSION --tag=latest --verbose | ||
env: | ||
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }} | ||
BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }} | ||
BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }} | ||
BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }} | ||
BC_REST_API: ${{ secrets.BC_REST_API }} | ||
JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }} | ||
ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }} | ||
ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }} | ||
ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }} | ||
STORE_HASH: ${{ secrets.STORE_HASH }} | ||
X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }} | ||
|
||
- name: Update the package version number | ||
run: git push | ||
env: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
name: Pull Request Checks | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- '**' # Trigger on all branches | ||
|
||
jobs: | ||
test: | ||
name: ⚙️ Run Tests | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
ref: ${{ github.event.pull_request.head.ref }} | ||
|
||
- name: Fetch target | ||
run: git fetch origin ${{ github.event.pull_request.base.ref }} | ||
|
||
- uses: actions/setup-node@v4 | ||
with: | ||
node-version-file: '.nvmrc' | ||
cache: 'yarn' | ||
|
||
- name: Install | ||
run: yarn install | ||
|
||
- name: Run Tests | ||
run: | | ||
FORCE_COLOR=true | ||
DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }} # Set branch | ||
yarn nx affected:test --base=$DESTINATION_BRANCH --ci --code-coverage --parallel --max-parallel=3 | ||
code-quality: | ||
name: 🕵️♀️ Code Quality | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
ref: ${{ github.event.pull_request.head.ref }} | ||
|
||
- name: Fetch target | ||
run: git fetch origin ${{ github.event.pull_request.base.ref }} | ||
|
||
- uses: actions/setup-node@v4 | ||
with: | ||
node-version-file: '.nvmrc' | ||
cache: 'yarn' | ||
|
||
- name: Install | ||
run: yarn install | ||
|
||
- name: Code Quality Check | ||
run: | | ||
FORCE_COLOR=true | ||
DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }} # Set branch | ||
yarn nx affected:lint --base=$DESTINATION_BRANCH --parallel --max-parallel=3 | ||
yarn nx format:check --base=$DESTINATION_BRANCH --parallel --max-parallel=3 | ||
yarn nx affected -t check-types --base=$DESTINATION_BRANCH --parallel --max-parallel=3 | ||
# TODO: fix the owasp pipeline | ||
# owasp: | ||
# name: 🛡️ OWASP Scan | ||
# uses: ./.github/workflows/owasp.yml | ||
# secrets: inherit | ||
|
||
build: | ||
name: 👷 Build | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
application: [bigcommerce-mesh, orocommerce-mesh] | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
application: ${{ matrix.application }} | ||
secrets: inherit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) 2024 Aligent | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters