Skip to content

[#16] Implementing security for api-server #208

[#16] Implementing security for api-server

[#16] Implementing security for api-server #208

Workflow file for this run

name: CI
env:
IMAGE_NAME: activemq-artemis-jolokia-api-server
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '6 0 * * *'
workflow_dispatch:
inputs:
snapshot:
description: 'Snapshot'
required: false
default: false
type: boolean
# cancels the old active workflow if new workflow is triggered
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ['javascript']
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
openapi:
name: Check that the openapi file is in sync with the generated files
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
- name: Get cache and install dependencies
uses: ./.github/actions/cache-restore
- name: regenerate the api.md
continue-on-error: true
run: yarn build-api-doc && yarn pretty-quick
- name: check there is no manual changes
run: git diff && [ -z "$(git status --porcelain=v1 2>/dev/null)" ] && echo "✓ No manual changes." || echo "✗ api.md manually changed, please refer to the api.md for the procedure to follow for programmatically generated endpoints." && [ -z "$(git status --porcelain=v1 2>/dev/null)" ]
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
- name: Get cache and install dependencies
uses: ./.github/actions/cache-restore
- name: Build project
run: yarn run build
- name: Run the test suite
run: yarn test:coverage
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- name: Check for uncommited changes
run: git diff --quiet --exit-code
- name: Set outputs
id: vars
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT
- name: Check outputs
run: |
echo ${{ steps.vars.outputs.sha_short }}
echo ${{ steps.vars.outputs.date }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Build the image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: dev.latest dev.${{ steps.vars.outputs.date }}.${{ steps.vars.outputs.sha_short }}
# If this is a PR, we only build for AMD64. For PRs we only do a sanity check test to ensure Docker builds work.
# If this is not a PR (e.g. a tag or merge commit), also build for ARM64
platforms: linux/amd64${{github.event_name!='pull_request' && ',linux/arm64' || ''}}
context: .
dockerfiles: |
./Dockerfile
labels: |
quay.expires-after=90d
git-sha=$GITHUB_SHA
- name: Push the dev image to quay.io
# Only login if not a PR, as PRs only trigger a Docker build and not a push
if: ${{ github.event_name != 'pull_request' }}
id: push-to-quay
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }}
registry: quay.io/${{ secrets.QUAY_NAMESPACE }}
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}