Refactoring: (step1 of 4) make creator of project clearer #3532
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI Checks | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
jobs: | |
build: | |
name: Build Docker image | |
runs-on: ubuntu-latest | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: RAILS_ENV=test | |
push: false | |
tags: complete-app:ci | |
cache-from: type=gha | |
cache-to: type=gha,mode=min | |
outputs: type=docker,dest=/tmp/base.tar | |
- | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: complete-app-ci | |
path: /tmp/base.tar | |
lint-and-format: | |
name: Linting and formatting | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- | |
name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: complete-app-ci | |
path: /tmp | |
- | |
name: Load image | |
run: | | |
docker load --input /tmp/base.tar | |
docker image ls -a | |
- | |
name: Run linters and formaters | |
run: | | |
docker run --rm complete-app:ci /bin/bash -c "bin/standardrb -f simple && bin/erb_lint --lint-all \ | |
&& yarn run lint:format && yarn run lint:js" | |
static-analysis: | |
name: Static analysis | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- | |
name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: complete-app-ci | |
path: /tmp | |
- | |
name: Load image | |
run: | | |
docker load --input /tmp/base.tar | |
docker image ls -a | |
- | |
name: Run Brakeman | |
run: | | |
docker run --rm complete-app:ci /bin/bash -c "bin/brakeman" | |
specs: | |
name: Specs and coverage | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: complete-app-ci | |
path: /tmp | |
- | |
name: Load image | |
run: | | |
docker load --input /tmp/base.tar | |
docker image ls -a | |
- | |
name: Run RSpec and Simplecov | |
run: | | |
docker compose -p complete-app -f docker-compose.checks.yml \ | |
run --name complete-app test /bin/bash -c "bin/rails spec" | |
- | |
name: Grab coverage report from container | |
run: | |
docker cp complete-app:/srv/app/coverage/coverage.json coverage/coverage.json | |
- | |
name: Shutdown containers | |
run: docker compose -p complete-app down && docker compose -p complete-app rm | |
- | |
name: Upload coverage report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-report | |
path: coverage/coverage.json | |
accessibility: | |
name: Accessibility | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: complete-app-ci | |
path: /tmp | |
- | |
name: Load image | |
run: | | |
docker load --input /tmp/base.tar | |
docker image ls -a | |
- | |
name: Run RSpec Accessibility checks | |
run: | | |
docker compose -p complete-app -f docker-compose.checks.yml \ | |
run -e NO_COVERAGE=true --rm test /bin/bash -c "bin/rails javascript:build && bin/rspec --tag accessibility" | |
- | |
name: Shutdown containers | |
run: docker compose -p complete-app down && docker compose -p complete-app rm | |
sonarcloud: | |
name: SonarCloud | |
runs-on: ubuntu-latest | |
needs: specs | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
uses: actions/download-artifact@v4 | |
with: | |
name: coverage-report | |
path: ./coverage | |
- | |
name: Update coverage report paths | |
run: sed -i "s|/srv/app|/github/workspace|g" ./coverage/coverage.json | |
- | |
name: SonarCloud Scan | |
uses: SonarSource/sonarcloud-github-action@master | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
docker: | |
name: Docker | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- | |
name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: complete-app-ci | |
path: /tmp | |
- | |
name: Scan Docker image for CVEs | |
uses: aquasecurity/[email protected] | |
with: | |
input: /tmp/base.tar | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
limit-severities-for-sarif: true | |
scanners: vuln | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
github-pat: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Upload scan results to GitHub Security | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' |