-
Notifications
You must be signed in to change notification settings - Fork 1
167 lines (145 loc) · 5.06 KB
/
build-and-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Build and Test
on:
push:
branches:
- main
paths-ignore:
- '*.md'
- '.github/**'
pull_request:
branches: [ '**' ]
# There is an issue with GitHub required checks and paths-ignore. We don't really need to
# run the tests if there are only irrelevant changes (see paths-ignore above). However,
# we require tests to pass by making a "required check" rule on the branch. If the action
# is not triggered, the required check never passes and you are stuck. Therefore, we have
# to run tests even when we only change a markdown file. So don't do what I did and put a
# paths-ignore right here!
workflow_dispatch: {}
jobs:
bump-check:
runs-on: ubuntu-latest
outputs:
is-bump: ${{ steps.skiptest.outputs.is-bump }}
steps:
- uses: actions/checkout@v2
- name: Skip version bump merges
id: skiptest
uses: ./.github/actions/bump-skip
with:
event-name: ${{ github.event_name }}
build:
needs: [ bump-check ]
runs-on: ubuntu-latest
if: needs.bump-check.outputs.is-bump == 'no'
steps:
- uses: actions/checkout@v2
- name: Set up JDK
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'temurin'
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
- name: Git secrets setup
run: |
git clone https://github.com/awslabs/git-secrets.git ~/git-secrets
cd ~/git-secrets
sudo make install
- name: Secrets check
run: |
sudo ln -s "$(which echo)" /usr/local/bin/say
./minnie-kenny.sh --force
git secrets --scan-history
- name: Build the project
run: ./scripts/build project -x test
tests-and-sonarqube:
needs: [ bump-check, build ]
runs-on: ubuntu-latest
if: needs.bump-check.outputs.is-bump == 'no'
permissions:
contents: 'read'
id-token: 'write'
services:
postgres:
image: postgres:13.1
env:
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- uses: actions/checkout@v2
# Needed by sonar to get the git history for the branch the PR will be merged into.
with:
fetch-depth: 0
- name: Set up JDK
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'temurin'
- name: Initialize the database
env:
PGPASSWORD: postgres
run: |
psql -h localhost -U postgres -f ./scripts/postgres-init.sql
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
# Run tests
- name: Run Library and Service tests with coverage
run: ./scripts/run test
# NB: We were using a federated credential to get the needed publisher credentials for tests previously,
# but the GH OIDC token expiration duration is now too short (~10 minutes), causing these tests to fail after that
# interval. So, we are setting the AZ env vars below instead
- name: Integration Test with coverage
run: ./scripts/run integration
env:
AZURE_TENANT_ID: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_TENANT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_SECRET }}
AZURE_CLIENT_ID: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_ID }}
- name: Upload Library Test Reports
uses: actions/upload-artifact@v4
if: always()
with:
name: Library Test Reports
path: library/build/reports/tests
- name: Upload Service Test Reports
uses: actions/upload-artifact@v4
if: always()
with:
name: Service Test Reports
path: service/build/reports/tests
# The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
- name: SonarQube scan
run: ./gradlew --build-cache sonarqube
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jib:
needs: [ build ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Construct docker image name and tag
id: image-name
run: |
GITHUB_REPO=$(basename ${{ github.repository }})
GIT_SHORT_HASH=$(git rev-parse --short HEAD)
echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> $GITHUB_OUTPUT
- name: Build image locally with jib
run: |
DOCKER_IMAGE_NAME_AND_TAG=${{ steps.image-name.outputs.name }} \
./scripts/build docker
- name: Run Trivy vulnerability scanner
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.image-name.outputs.name }}