[#16] Implementing security for api-server #208
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
env: | |
IMAGE_NAME: activemq-artemis-jolokia-api-server | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
schedule: | |
- cron: '6 0 * * *' | |
workflow_dispatch: | |
inputs: | |
snapshot: | |
description: 'Snapshot' | |
required: false | |
default: false | |
type: boolean | |
# cancels the old active workflow if new workflow is triggered | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
language: ['javascript'] | |
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] | |
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
openapi: | |
name: Check that the openapi file is in sync with the generated files | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20.x | |
- name: Get cache and install dependencies | |
uses: ./.github/actions/cache-restore | |
- name: regenerate the api.md | |
continue-on-error: true | |
run: yarn build-api-doc && yarn pretty-quick | |
- name: check there is no manual changes | |
run: git diff && [ -z "$(git status --porcelain=v1 2>/dev/null)" ] && echo "✓ No manual changes." || echo "✗ api.md manually changed, please refer to the api.md for the procedure to follow for programmatically generated endpoints." && [ -z "$(git status --porcelain=v1 2>/dev/null)" ] | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout the repo | |
uses: actions/checkout@v4 | |
- name: Set up Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20.x | |
- name: Get cache and install dependencies | |
uses: ./.github/actions/cache-restore | |
- name: Build project | |
run: yarn run build | |
- name: Run the test suite | |
run: yarn test:coverage | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v5 | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
- name: Check for uncommited changes | |
run: git diff --quiet --exit-code | |
- name: Set outputs | |
id: vars | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT | |
- name: Check outputs | |
run: | | |
echo ${{ steps.vars.outputs.sha_short }} | |
echo ${{ steps.vars.outputs.date }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Build the image | |
id: build-image | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
image: ${{ env.IMAGE_NAME }} | |
tags: dev.latest dev.${{ steps.vars.outputs.date }}.${{ steps.vars.outputs.sha_short }} | |
# If this is a PR, we only build for AMD64. For PRs we only do a sanity check test to ensure Docker builds work. | |
# If this is not a PR (e.g. a tag or merge commit), also build for ARM64 | |
platforms: linux/amd64${{github.event_name!='pull_request' && ',linux/arm64' || ''}} | |
context: . | |
dockerfiles: | | |
./Dockerfile | |
labels: | | |
quay.expires-after=90d | |
git-sha=$GITHUB_SHA | |
- name: Push the dev image to quay.io | |
# Only login if not a PR, as PRs only trigger a Docker build and not a push | |
if: ${{ github.event_name != 'pull_request' }} | |
id: push-to-quay | |
uses: redhat-actions/push-to-registry@v2 | |
with: | |
image: ${{ steps.build-image.outputs.image }} | |
tags: ${{ steps.build-image.outputs.tags }} | |
registry: quay.io/${{ secrets.QUAY_NAMESPACE }} | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} |