[Snyk] Security upgrade node from 20.9.0-alpine to 20.12.0-alpine #124
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Lint & Tests | |
| on: | |
| pull_request: | |
| branches: ['*'] | |
| workflow_dispatch: | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| env: | |
| NODE_ENV: test | |
| DEPLOYMENT: ci | |
| services: | |
| postgres: | |
| image: postgis/postgis:15-3.3 | |
| env: | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_USER: postgres | |
| POSTGRES_DB: postgres | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| ports: | |
| - 5432:5432 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: pnpm/action-setup@v2 | |
| name: pnpm setup | |
| with: | |
| version: 8 | |
| - name: Use Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: '20.9.0' | |
| cache: 'pnpm' | |
| - name: pnpm install | |
| run: | | |
| pnpm install --frozen-lockfile | |
| - name: Run lint-staged | |
| run: | | |
| pnpm exec lint-staged --diff="origin/${GITHUB_BASE_REF}...origin/${GITHUB_HEAD_REF}" | |
| - name: build ts | |
| run: | | |
| pnpm run build | |
| - name: create db credentials | |
| env: | |
| PGHOST: localhost | |
| PGUSER: postgres | |
| PGPASSWORD: postgres | |
| PGDATABASE: postgres | |
| PGPORT: 5432 | |
| run: | | |
| psql -c "CREATE ROLE app_postgraphile WITH LOGIN PASSWORD 'xyz'; \ | |
| CREATE ROLE app_user; \ | |
| CREATE ROLE app_admin; \ | |
| CREATE ROLE app_anonymous;" | |
| - name: unit tests | |
| run: | | |
| pnpm run test:unit | |
| - name: integration tests | |
| run: | | |
| pnpm run test:integration | |
| - name: Cypress install | |
| run: | | |
| pnpm --filter e2e exec cypress install | |
| - name: e2e tests | |
| env: | |
| DATABASE_URL: postgres://app_postgraphile:xyz@localhost:5432/photo-app_test | |
| run: | | |
| pnpm run test:e2e | |
| plan: | |
| env: | |
| TF_WORKSPACE: ${{ (github.event.pull_request && github.event.pull_request.base.ref == 'main') && 'production' || ((github.event.pull_request && github.event.pull_request.base.ref == 'develop') && 'development') }} | |
| TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} | |
| TF_VAR_db_app_username: ${{ secrets.DB_APP_USERNAME }} | |
| TF_VAR_db_app_password: ${{ secrets.DB_APP_PASSWORD }} | |
| TF_VAR_deployer_public_key: ${{ secrets.DEPLOYER_PUBLIC_KEY }} | |
| TF_VAR_s3_bucket_terraform: ${{ secrets.S3_BUCKET_TERRAFORM }} | |
| TF_VAR_git_sha: ${{ github.sha }} | |
| TF_VAR_cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| TF_VAR_jwt_public_key: ${{ secrets.JWT_PUBLIC_KEY }} | |
| TF_VAR_jwt_private_key: ${{ secrets.JWT_PRIVATE_KEY }} | |
| TF_VAR_ssl_cert: ${{ secrets.SSL_CERT }} | |
| TF_VAR_ssl_key: ${{ secrets.SSL_KEY }} | |
| TF_VAR_google_refresh_token: ${{ secrets.GOOGLE_REFRESH_TOKEN }} | |
| TF_VAR_google_credentials_web_json: ${{ secrets.GOOGLE_CREDENTIALS_WEB_JSON }} | |
| TF_VAR_google_credentials_installed_json: ${{ secrets.GOOGLE_CREDENTIALS_INSTALLED_JSON }} | |
| TF_VAR_aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| TF_VAR_aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| tf_actions_working_dir: 'terraform' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ${{ env.tf_actions_working_dir }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: eu-north-1 | |
| - name: Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Terraform fmt | |
| id: fmt | |
| run: terraform fmt -check | |
| continue-on-error: true | |
| - name: Terraform Init | |
| id: init | |
| run: terraform init | |
| - name: Terraform Validate | |
| id: validate | |
| run: terraform validate -no-color | |
| - name: Terraform Plan | |
| id: plan | |
| run: terraform plan -no-color | |
| continue-on-error: true | |
| - uses: actions/github-script@v6 | |
| if: github.event_name == 'pull_request' | |
| env: | |
| PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| // 1. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style') | |
| }) | |
| // 2. Prepare format of the comment | |
| const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | |
| #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | |
| #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | |
| <details><summary>Validation Output</summary> | |
| \`\`\`\n | |
| ${{ steps.validate.outputs.stdout }} | |
| \`\`\` | |
| </details> | |
| #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
| <details><summary>Show Plan</summary> | |
| \`\`\`\n | |
| ${process.env.PLAN} | |
| \`\`\` | |
| </details> | |
| *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
| // 3. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } else { | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| } |