119 lines
3.1 KiB
YAML
119 lines
3.1 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [master, develop]
|
|
pull_request:
|
|
branches: [master, develop]
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: harbor.simonmalm.com/infra/gitea-runner:latest
|
|
credentials:
|
|
username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
|
|
password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
|
|
defaults:
|
|
run:
|
|
shell: nu {0}
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Cache dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.bun/install/cache
|
|
node_modules
|
|
key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-bun-
|
|
|
|
- name: Install dependencies
|
|
run: just install
|
|
|
|
- name: Install Playwright browsers
|
|
run: just install-browsers
|
|
|
|
- name: Run CI pipeline
|
|
run: just ci
|
|
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: harbor.simonmalm.com/infra/gitea-runner:latest
|
|
credentials:
|
|
username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
|
|
password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
|
|
defaults:
|
|
run:
|
|
shell: nu {0}
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install dependencies
|
|
run: just install
|
|
|
|
- name: Run security audit
|
|
run: just audit
|
|
continue-on-error: true
|
|
|
|
- name: Run Semgrep security scan
|
|
uses: semgrep/semgrep-action@v1
|
|
with:
|
|
config: >-
|
|
p/security-audit
|
|
p/secrets
|
|
p/owasp-top-ten
|
|
p/javascript
|
|
p/typescript
|
|
generateSarif: '1'
|
|
# Token only needed for Semgrep Cloud features (optional)
|
|
env:
|
|
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
|
|
continue-on-error: true
|
|
|
|
docker-build:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: harbor.simonmalm.com/infra/gitea-runner:latest
|
|
credentials:
|
|
username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
|
|
password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
|
|
defaults:
|
|
run:
|
|
shell: nu {0}
|
|
needs: [test, security]
|
|
if: github.ref == 'refs/heads/master'
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
|
|
- name: Log in to Container Registry
|
|
uses: docker/login-action@v2
|
|
with:
|
|
registry: ${{ vars.DOCKER_REGISTRY }}
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Build and push Docker image
|
|
uses: docker/build-push-action@v4
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64
|
|
push: true
|
|
tags: |
|
|
${{ vars.DOCKER_REGISTRY }}/${{ vars.DOCKER_REPOSITORY }}:latest
|
|
${{ vars.DOCKER_REGISTRY }}/${{ vars.DOCKER_REPOSITORY }}:${{ github.sha }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|