
Referenced landing zone updates. #1974

Referenced landing zone updates.

Referenced landing zone updates. #1974

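---
# CI pipeline: skip version-bump merges, build, run unit/integration tests plus
# a SonarQube scan, then build the container image with jib and scan it with Trivy.
#
# NOTE(review): only tests-and-sonarqube declares `permissions`; bump-check,
# build and jib inherit the repository default for GITHUB_TOKEN. A workflow-level
# `permissions: contents: read` would be the least-privilege default, but first
# confirm that the local bump-skip action and the Trivy action need no extra scopes.
name: Build and Test
on:
  push:
    branches:
      - main
    paths-ignore:
      - '*.md'
      - '.github/**'
  pull_request:
    branches: [ '**' ]
    # There is an issue with GitHub required checks and paths-ignore. We don't really need to
    # run the tests if there are only irrelevant changes (see paths-ignore above). However,
    # we require tests to pass by making a "required check" rule on the branch. If the action
    # is not triggered, the required check never passes and you are stuck. Therefore, we have
    # to run tests even when we only change a markdown file. So don't do what I did and put a
    # paths-ignore right here!
  workflow_dispatch: {}

jobs:
  # Decides whether this run is a version-bump merge; downstream jobs gate on
  # the `is-bump` output so bump commits do not re-run the full pipeline.
  bump-check:
    runs-on: ubuntu-latest
    outputs:
      is-bump: ${{ steps.skiptest.outputs.is-bump }}
    steps:
      - uses: actions/checkout@v3
      - name: Skip version bump merges
        id: skiptest
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}

  # Compiles the project (tests excluded) after a committed-secrets scan.
  build:
    needs: [ bump-check ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      # git-secrets is cloned at the default-branch HEAD of a third-party repo and
      # installed with sudo, so whatever that HEAD contains runs on the runner.
      # TODO(review): pin the clone to a release tag or commit (`--branch <TAG>`)
      # so the tool install is reproducible and reviewable.
      - name: Git secrets setup
        run: |
          git clone https://github.com/awslabs/git-secrets.git ~/git-secrets
          cd ~/git-secrets
          sudo make install
      # `say` is symlinked to `echo` (presumably minnie-kenny.sh invokes the macOS
      # `say` command; verify), then the whole history is scanned for secrets.
      - name: Secrets check
        run: |
          sudo ln -s "$(which echo)" /usr/local/bin/say
          ./minnie-kenny.sh --force
          git secrets --scan-history
      - name: Build the project
        run: ./scripts/build project -x test

  # Unit + integration tests against a job-local Postgres, then the SonarQube
  # scan, which runs in the same job so it can pick up the coverage report.
  tests-and-sonarqube:
    needs: [ bump-check, build ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    # NOTE(review): id-token: write looks like a leftover from the OIDC federated
    # credential described in the NB comment below; confirm it is still required.
    permissions:
      contents: read
      id-token: write
    services:
      postgres:
        image: postgres:13.1
        env:
          # Throwaway password for the runner-local service container only.
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Quoted so no YAML 1.1 parser tries to read the mapping as a number.
          - '5432:5432'
    steps:
      - uses: actions/checkout@v3
        # Needed by sonar to get the git history for the branch the PR will be merged into.
        with:
          fetch-depth: 0
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Initialize the database
        env:
          PGPASSWORD: postgres
        run: |
          psql -h localhost -U postgres -f ./scripts/postgres-init.sql
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      # Run tests
      - name: Run Library and Service tests with coverage
        run: ./scripts/run test
      # NB: We were using a federated credential to get the needed publisher credentials for tests previously,
      # but the GH OIDC token expiration duration is now too short (~10 minutes), causing these tests to fail after that
      # interval. So, we are setting the AZ env vars below instead
      - name: Integration Test with coverage
        run: ./scripts/run integration
        env:
          AZURE_TENANT_ID: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_SECRET }}
          AZURE_CLIENT_ID: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_ID }}
      # Reports are uploaded even when the test steps fail (if: always()).
      - name: Upload Library Test Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Library Test Reports
          path: library/build/reports/tests
      - name: Upload Service Test Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Service Test Reports
          path: service/build/reports/tests
      # The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
      - name: SonarQube scan
        run: ./gradlew --build-cache sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Builds the container image locally and scans it. No explicit is-bump guard:
  # when build is skipped on a bump merge this job is skipped through `needs`.
  jib:
    needs: [ build ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      # Image tag is <repo name>:<short commit hash>. GITHUB_REPOSITORY is the
      # default env var for `github.repository`; reading it from the environment
      # keeps workflow expressions out of the shell script text, and quoting
      # $GITHUB_OUTPUT keeps the redirect safe under unexpected paths.
      - name: Construct docker image name and tag
        id: image-name
        run: |
          GITHUB_REPO=$(basename "$GITHUB_REPOSITORY")
          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
          echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> "$GITHUB_OUTPUT"
      # Step output is passed through `env:` instead of being expanded inside `run:`.
      - name: Build image locally with jib
        env:
          DOCKER_IMAGE_NAME_AND_TAG: ${{ steps.image-name.outputs.name }}
        run: ./scripts/build docker
      # Scans the freshly built image; the action is referenced by major tag
      # (v1), so updates to it are picked up automatically.
      - name: Run Trivy vulnerability scanner
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}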