Skip to content

chore: bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#744) #706

chore: bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#744)

chore: bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#744) #706

Workflow file for this run

name: CI/CD
on:
pull_request:
branches:
- main
push:
branches:
- main
permissions:
contents: read
concurrency:
group: ci-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
test:
if: ${{ github.event_name == 'pull_request' }}
strategy:
fail-fast: false
matrix:
command:
- 'build'
- 'lint:check'
- 'format:check'
- 'test:unit'
runs-on: ubuntu-20.04
name: Test on Node.js 16 ( ${{ matrix.command }} )
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
- name: Set Up Node.js
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
with:
node-version: 16
cache: npm
- name: Add required npm registry
run: npm config set '@bit:registry' https://node.bit.dev
- name: Install Dependencies
run: npm ci --ignore-scripts
- name: Run ${{ matrix.command }}
run: npm run ${{ matrix.command }}
build:
if: ${{ github.event_name == 'push' && github.ref_type == 'branch' }}
runs-on: ubuntu-20.04
name: Build
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
- name: Set Up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3
- name: Set Up Docker Buildx
id: set-up-buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
with:
install: true
- name: Cache Docker Layers
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Build Docker
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09
with:
builder: ${{ steps.set-up-buildx.outputs.name }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
context: .
file: .maintain/docker/Dockerfile
tags: ${{ github.repository }}:${{ github.sha }}
outputs: type=docker,dest=/tmp/docker_image.tar
- name: Move Cache Docker Layers
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
- name: Upload Build to Artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: build_${{ github.sha }}
path: |
/tmp/docker_image.tar
retention-days: 5
release-please:
needs:
- build
runs-on: ubuntu-20.04
name: Release Please
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
- name: Release
id: release
uses: google-github-actions/release-please-action@4c5670f886fe259db4d11222f7dff41c1382304d
with:
token: ${{ secrets.PAT }}
fork: true
release-type: node
package-name: ${{ github.event.repository.name }}
include-v-in-tag: false
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
publish-docker:
needs:
- release-please
runs-on: ubuntu-20.04
name: Publish Docker
steps:
- name: Login to DockerHub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Download Build from Artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
with:
name: build_${{ github.sha }}
path: /tmp
- name: Load Downloaded Image
run: |
docker load --input /tmp/docker_image.tar
docker images --no-trunc --digests ${{ github.repository }}
- name: Tag as Release Version
if: ${{ needs.release-please.outputs.release_created }}
run: |
docker tag ${{ github.repository }}:${{ github.sha }} ${{ github.repository }}:${{ needs.release-please.outputs.tag_name }}
docker tag ${{ github.repository }}:${{ github.sha }} ${{ github.repository }}:latest
docker images --no-trunc --digests ${{ github.repository }}
- name: Push
run: docker image push -a ${{ github.repository }}
deploy:
needs:
- release-please
- publish-docker
permissions:
contents: read
id-token: write
strategy:
max-parallel: 1
matrix:
is_release:
- ${{ needs.release-please.outputs.release_created || false }}
environment:
- TESTNET
- MAINNET
exclude:
- is_release: false
environment: MAINNET
environment: ${{ matrix.environment }}
runs-on: ubuntu-20.04
name: Deploy to ${{ matrix.environment }}
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033
with:
workload_identity_provider: ${{ secrets[format('{0}_{1}', matrix.environment, 'GCP_WORKLOAD_IDENTITY_PROVIDER')] }}
service_account: ${{ secrets[format('{0}_{1}', matrix.environment, 'GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT')] }}
- name: Set Up Google Cloud SDK
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b
- name: Get GKE Credentials
uses: google-github-actions/get-gke-credentials@35ab0d2b2d48792c19f09325413bd185c8d44394
with:
cluster_name: ${{ secrets[format('{0}_{1}', matrix.environment, 'GKE_CLUSTER_NAME')] }}
location: ${{ secrets[format('{0}_{1}', matrix.environment, 'GKE_LOCATION')] }}
use_internal_ip: true
- name: Tunneling SSH connections
run: |
gcloud compute ssh ${{ secrets[format('{0}_{1}', matrix.environment, 'GCE_BASTION_INSTANCE_NAME')] }} \
--project=${{ secrets[format('{0}_{1}', matrix.environment, 'GCP_PROJECT_ID')] }} \
--zone ${{ secrets[format('{0}_{1}', matrix.environment, 'GCE_BASTION_INSTANCE_ZONE')] }} \
--ssh-flag '-4 -L 8888:127.0.0.1:8888 -N -q -f' \
--tunnel-through-iap \
--quiet
- name: Set Up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
with:
version: v3.10.0
- name: Perform Deployment
run: |
helm repo add debionetwork https://charts.debio.network
helm repo update
HTTPS_PROXY=127.0.0.1:8888 helm upgrade ${{ github.event.repository.name }} debionetwork/debio-app-deployer \
--install \
--set-string nameOverride=${{ github.event.repository.name }} \
--set-string image.repository=${{ github.repository }} \
--set-string image.tag=${{ needs.release-please.outputs.tag_name || github.sha }} \
--set-string serviceAccount.name=${{ github.event.repository.name }} \
--set-string serviceAccount.annotations.'iam\.gke\.io/gcp-service-account'=${{ github.event.repository.name }}@${{ secrets[format('{0}_{1}', matrix.environment, 'GCP_PROJECT_ID')] }}.iam.gserviceaccount.com \
--set config.secretsStore.enabled=true \
--set-string config.secretsStore.providerClass=${{ github.event.repository.name }}-secrets-store-provider \
--set-string config.secretsStore.name=${{ github.event.repository.name }}-secrets-store \
--set containerPort=80 \
--set service.port=80 \
--set-string resources.requests.cpu=100m \
--set-string resources.requests.memory=128Mi \
--set-string resources.limits.cpu=300m \
--set-string resources.limits.memory=256Mi \
--set replicaCount=1 \
--set autoscaling.enabled=true \
--set autoscaling.minReplicas=1 \
--set autoscaling.maxReplicas=5 \
--set-string nodeSelector.node_pool=general \
--set-string nodeSelector.'iam\.gke\.io/gke-metadata-server-enabled'='true'
HTTPS_PROXY=127.0.0.1:8888 kubectl rollout status deployment/${{ github.event.repository.name }}
- name: Clean Up Tunneling SSH Connections
if: always()
run: |
kill -9 $(lsof -ti:8888)
gcloud compute os-login ssh-keys remove --key-file=/home/runner/.ssh/google_compute_engine.pub