Skip to content

CI

CI #1319

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release
tags:
- "beta-v*"
pull_request:
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# Schedule
schedule:
- cron: "0 8 * * MON,THU" # Run every Monday and Thursday at 08:00 UTC
jobs:
ci:
runs-on: ubuntu-latest
outputs:
NPM_VERSION: ${{ steps.version.outputs.NPM_VERSION }}
PUBLISH_TAG: ${{ steps.version.outputs.PUBLISH_TAG }}
IMAGE_SUFFIX: ${{ steps.version.outputs.IMAGE_SUFFIX }}
strategy:
matrix:
node-version: [20]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
check-latest: true
- run: node -v
- run: npm -v
- name: Install Dependencies & check lint
run: |
npm install
npm run lint
- id: version
run: |
npm install -g json
RETRACED_VERSION=$(echo $(cat ./package.json) | json version)
publishTag="latest"
imageSuffix=""
if [[ "$GITHUB_REF" == *\/release ]]
then
echo "Release branch"
else
echo "Dev branch"
publishTag="beta"
imageSuffix="-beta"
RETRACED_VERSION="${RETRACED_VERSION}-beta.${GITHUB_RUN_NUMBER}"
fi
echo "NPM_VERSION=${RETRACED_VERSION}" >> $GITHUB_OUTPUT
echo "PUBLISH_TAG=${publishTag}" >> $GITHUB_OUTPUT
echo "IMAGE_SUFFIX=${imageSuffix}" >> $GITHUB_OUTPUT
test:
needs: ci
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
check-latest: true
- run: node -v
- run: npm -v
- name: Run docker-compose up
id: docker_compose
uses: isbang/[email protected]
with:
compose-file: "./docker-compose.yaml"
- name: Run tests
run: |
npm install
npm run build
npm run cover:all
test-pg-search:
needs: ci
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
check-latest: true
- run: node -v
- run: npm -v
- name: Run docker-compose up
id: docker_compose
uses: isbang/[email protected]
with:
compose-file: "./docker-compose.yaml"
env:
PG_SEARCH: "true"
- name: Run tests
run: |
npm install
npm run build
npm run cover:all
build:
needs: [ci, test, test-pg-search]
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20]
steps:
- run: echo ${{ needs.ci.outputs.NPM_VERSION }}
- run: echo ${{ needs.ci.outputs.PUBLISH_TAG }}
- name: Check Out Repo
uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
check-latest: true
- name: Get short SHA
id: slug
run: |
echo "SHA7=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
imagePath="${{ secrets.DOCKER_HUB_USERNAME }}/retraced"
if [[ "$GITHUB_REF" != *\/release ]]
then
imagePath="${{ secrets.DOCKER_HUB_USERNAME }}/retraced-beta"
fi
echo "${imagePath}"
echo "IMAGE_PATH=${imagePath}" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
if: github.ref == 'refs/heads/release'
id: buildx
uses: docker/setup-buildx-action@v3
- name: Set up QEMU
if: github.ref == 'refs/heads/release'
uses: docker/setup-qemu-action@v3
- name: Login to Docker Hub
if: github.ref == 'refs/heads/release'
uses: docker/login-action@v3
with:
username: boxyhq
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Build and push
if: github.ref == 'refs/heads/release'
id: docker_build
uses: docker/build-push-action@v5
with:
context: ./
file: ./deploy/Dockerfile-slim
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.slug.outputs.IMAGE_PATH }}:${{ needs.ci.outputs.PUBLISH_TAG }},${{ steps.slug.outputs.IMAGE_PATH }}:${{ steps.slug.outputs.SHA7 }},${{ steps.slug.outputs.IMAGE_PATH }}:${{ needs.ci.outputs.NPM_VERSION }}
- name: Image digest
if: github.ref == 'refs/heads/release'
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Login to GitHub Container Registry
if: github.ref == 'refs/heads/release'
run: |
echo "${{secrets.GITHUB_TOKEN}}" | docker login ghcr.io -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
- name: Install Cosign
if: github.ref == 'refs/heads/release'
uses: sigstore/cosign-installer@main
- name: Check install!
if: github.ref == 'refs/heads/release'
run: cosign version
- name: place the cosign private key in a file
if: github.ref == 'refs/heads/release'
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- name: Sign the image
if: github.ref == 'refs/heads/release'
run: cosign sign --key /tmp/cosign.key -y ${{ steps.slug.outputs.IMAGE_PATH }}@${{ steps.docker_build.outputs.digest }}
env:
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Create SBOM Report [SPDX]
uses: anchore/sbom-action@v0
with:
format: spdx
artifact-name: retraced_sbom.spdx
- name: Publish report [SPDX]
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.spdx$"
- name: Create SBOM Report [CycloneDx]
uses: anchore/sbom-action@v0
with:
format: cyclonedx
artifact-name: retraced_sbom.cyclonedx
- name: Publish report [CycloneDx]
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.cyclonedx$"
- name: Download artifact for SPDX Report
if: github.ref == 'refs/heads/release'
uses: actions/download-artifact@v3
with:
name: retraced_sbom.spdx
- name: Download artifact for CycloneDx Report
if: github.ref == 'refs/heads/release'
uses: actions/download-artifact@v3
with:
name: retraced_sbom.cyclonedx
- name: Remove older SBOMs
if: github.ref == 'refs/heads/release'
run: rm -rf ./sbom*.* || true
- name: Move SPDX Report
if: github.ref == 'refs/heads/release'
run: mv retraced_sbom.spdx "./sbom.spdx"
- name: Move CycloneDx Report
if: github.ref == 'refs/heads/release'
run: mv retraced_sbom.cyclonedx "./sbom.cyclonedx"
- name: Create SBOM Report [Docker][SPDX]
if: github.ref == 'refs/heads/release'
uses: anchore/sbom-action@v0
with:
image: ${{ steps.slug.outputs.IMAGE_PATH }}:${{ needs.ci.outputs.PUBLISH_TAG }}
format: spdx
artifact-name: docker_sbom.spdx
- name: Publish report [Docker][SPDX]
if: github.ref == 'refs/heads/release'
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.spdx$"
- name: Create SBOM Report [Docker][CycloneDx]
if: github.ref == 'refs/heads/release'
uses: anchore/sbom-action@v0
with:
image: ${{ steps.slug.outputs.IMAGE_PATH }}:${{ needs.ci.outputs.PUBLISH_TAG }}
format: cyclonedx
artifact-name: docker_sbom.cyclonedx
- name: Publish report [Docker][CycloneDx]
if: github.ref == 'refs/heads/release'
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.cyclonedx$"
- name: Download artifact for SPDX Report [Docker]
if: github.ref == 'refs/heads/release'
uses: actions/download-artifact@v3
with:
name: docker_sbom.spdx
- name: Download artifact for CycloneDx Report [Docker]
if: github.ref == 'refs/heads/release'
uses: actions/download-artifact@v3
with:
name: docker_sbom.cyclonedx
- name: Create/Clear folder [Docker]
if: github.ref == 'refs/heads/release'
run: mkdir -p ./_docker/ && rm -rf ./_docker/*.* || true
- name: Move Report & cleanup [Docker]
if: github.ref == 'refs/heads/release'
run: |
mv docker_sbom.spdx "./_docker/sbom.spdx" || true
mv docker_sbom.cyclonedx ./_docker/sbom.cyclonedx || true
- name: ORAS Setup
if: github.ref == 'refs/heads/release'
run: |
ORAS_VERSION="v0.8.1"
ORAS_FILENAME="oras_0.8.1_linux_amd64.tar.gz"
curl -LO "https://github.com/oras-project/oras/releases/download/${ORAS_VERSION}/${ORAS_FILENAME}"
mkdir oras_install
tar -xvf "${ORAS_FILENAME}" -C oras_install
- name: Push SBOM reports to GitHub Container Registry & Sign the sbom images
if: github.ref == 'refs/heads/release'
run: |
result=$(./oras_install/oras push ghcr.io/${{ github.repository }}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}:service-${{ needs.ci.outputs.NPM_VERSION }} ./sbom.*)
ORAS_DIGEST=$(echo $result | grep -oE 'sha256:[a-f0-9]{64}')
if [ -z "$ORAS_DIGEST" ]; then
echo "Error: ORAS_DIGEST is empty"
exit 1
fi
cosign sign -y --key /tmp/cosign.key ghcr.io/${{ github.repository }}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}@${ORAS_DIGEST}
cd _docker || true
result=$(../oras_install/oras push ghcr.io/${{ github.repository }}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}:docker-${{ needs.ci.outputs.NPM_VERSION }} ./sbom.*)
ORAS_DIGEST=$(echo $result | grep -oE 'sha256:[a-f0-9]{64}')
if [ -z "$ORAS_DIGEST" ]; then
echo "Error: ORAS_DIGEST is empty"
exit 1
fi
cosign sign -y --key /tmp/cosign.key ghcr.io/${{ github.repository }}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}@${ORAS_DIGEST}
cd ..
env:
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}