Referenced landing zone updates. #1974
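name: Build and Test

on:
  push:
    branches:
      - main
    paths-ignore:
      - '*.md'
      # NOTE(review): this also skips the push build when anything under .github/
      # changes, so an edit to this workflow merged to main is only ever
      # exercised by its pull_request run, never by the post-merge build.
      - '.github/**'
  pull_request:
    branches: [ '**' ]
    # There is an issue with GitHub required checks and paths-ignore. We don't really need to
    # run the tests if there are only irrelevant changes (see paths-ignore above). However,
    # we require tests to pass by making a "required check" rule on the branch. If the action
    # is not triggered, the required check never passes and you are stuck. Therefore, we have
    # to run tests even when we only change a markdown file. So don't do what I did and put a
    # paths-ignore right here!
  workflow_dispatch: {}

# Least privilege for the default GITHUB_TOKEN: every job gets a read-only token
# unless it opts into more (tests-and-sonarqube declares its own block below).
# Older repositories may still default to a read/write token, so this is set
# explicitly rather than relying on the repository setting.
permissions:
  contents: read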
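jobs:
  # Decides whether this run is a version-bump merge that should skip the
  # expensive jobs. Every job below gates on `is-bump == 'no'`.
  bump-check:
    runs-on: ubuntu-latest
    outputs:
      is-bump: ${{ steps.skiptest.outputs.is-bump }}
    steps:
      # TODO(security): pin every third-party action to a full commit SHA
      # (`uses: owner/repo@<sha>  # vX.Y.Z`) instead of a mutable tag, and let
      # Dependabot keep the pins current. Tags can be moved by the action's
      # maintainers (or an attacker with access to their repo).
      - uses: actions/checkout@v3
      - name: Skip version bump merges
        id: skiptest
        # Local composite action from the checked-out tree: on a pull_request
        # event this runs the PR's copy of it.
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}

  build:
    needs: [ bump-check ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    # Nothing here writes back to GitHub; keep the token read-only.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      # Installs awslabs/git-secrets from source. This clones whatever the
      # upstream default branch currently points at and runs its Makefile as
      # root, so a compromised or hijacked upstream executes on every CI run.
      # TODO(security): pin to a release tag or commit (`--branch <tag>`, then
      # compare `git -C ~/git-secrets rev-parse HEAD` against the expected SHA
      # before `make install`).
      - name: Git secrets setup
        run: |
          git clone https://github.com/awslabs/git-secrets.git ~/git-secrets
          cd ~/git-secrets
          sudo make install
      - name: Secrets check
        run: |
          # minnie-kenny.sh presumably calls the macOS-only `say`; pointing it
          # at `echo` keeps the script working on the Linux runner (verify if
          # the script changes).
          sudo ln -s "$(which echo)" /usr/local/bin/say
          ./minnie-kenny.sh --force
          # Scan the whole history, not just the working tree, so a secret that
          # was committed and later removed still fails the build.
          git secrets --scan-history
      - name: Build the project
        run: ./scripts/build project -x test

  tests-and-sonarqube:
    needs: [ bump-check, build ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: 'read'
      # NOTE(review): id-token: write existed for the OIDC federated credential
      # that the integration-test comment below says is no longer used. If
      # nothing in ./scripts/run still requests an OIDC token, drop this so the
      # job cannot mint identity tokens it does not need.
      id-token: 'write'
    services:
      # Throw-away database for this run only: reachable from the runner and
      # discarded with it, so the fixed password is not a real secret.
      postgres:
        image: postgres:13.1
        env:
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    steps:
      - uses: actions/checkout@v3
        # Needed by sonar to get the git history for the branch the PR will be merged into.
        with:
          fetch-depth: 0
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Initialize the database
        env:
          PGPASSWORD: postgres
        run: |
          psql -h localhost -U postgres -f ./scripts/postgres-init.sql
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      # Run tests
      - name: Run Library and Service tests with coverage
        run: ./scripts/run test
      # NB: We were using a federated credential to get the needed publisher credentials for tests previously,
      # but the GH OIDC token expiration duration is now too short (~10 minutes), causing these tests to fail after that
      # interval. So, we are setting the AZ env vars below instead
      #
      # NOTE(review): a long-lived client secret in repository secrets is a step
      # back from OIDC. Until the tests can re-request a fresh GitHub ID token
      # (ACTIONS_ID_TOKEN_REQUEST_URL) when the first one expires, keep this
      # service principal's role assignment scoped to the test resources only
      # and rotate the secret on a schedule. On pull_request runs from forks
      # GitHub does not provide these secrets, so the step fails there by design.
      - name: Integration Test with coverage
        run: ./scripts/run integration
        env:
          AZURE_TENANT_ID: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_SECRET }}
          AZURE_CLIENT_ID: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_ID }}
      - name: Upload Library Test Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Library Test Reports
          path: library/build/reports/tests
      - name: Upload Service Test Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Service Test Reports
          path: service/build/reports/tests
      # The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
      - name: SonarQube scan
        run: ./gradlew --build-cache sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  jib:
    # Gate explicitly like the other jobs rather than relying on skip
    # propagation from `build`; behaviour is the same, intent is visible.
    needs: [ bump-check, build ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    # The image is built and scanned locally and never pushed. If the Trivy
    # action is later configured to upload SARIF, grant `security-events: write`
    # here and nowhere else.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Construct docker image name and tag
        id: image-name
        # Pass workflow context through env instead of interpolating `${{ }}`
        # into the script: the shell never sees expression text, so this
        # pattern cannot turn into command injection if the input is ever
        # changed to something attacker-controlled (PR titles, branch names...).
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          GITHUB_REPO=$(basename "${REPOSITORY}")
          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
          echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> "$GITHUB_OUTPUT"
      - name: Build image locally with jib
        env:
          DOCKER_IMAGE_NAME_AND_TAG: ${{ steps.image-name.outputs.name }}
        run: ./scripts/build docker
      - name: Run Trivy vulnerability scanner
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}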