Skip to content

Refactoring: (step1 of 4) make creator of project clearer #3532

Refactoring: (step1 of 4) make creator of project clearer

Refactoring: (step1 of 4) make creator of project clearer #3532

Workflow file for this run

name: CI Checks
on:
pull_request:
push:
branches:
- main
jobs:
build:
name: Build Docker image
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=test
push: false
tags: complete-app:ci
cache-from: type=gha
cache-to: type=gha,mode=min
outputs: type=docker,dest=/tmp/base.tar
-
name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: complete-app-ci
path: /tmp/base.tar
lint-and-format:
name: Linting and formatting
runs-on: ubuntu-latest
needs: build
steps:
-
name: Download artifact
uses: actions/download-artifact@v4
with:
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run linters and formaters
run: |
docker run --rm complete-app:ci /bin/bash -c "bin/standardrb -f simple && bin/erb_lint --lint-all \
&& yarn run lint:format && yarn run lint:js"
static-analysis:
name: Static analysis
runs-on: ubuntu-latest
needs: build
steps:
-
name: Download artifact
uses: actions/download-artifact@v4
with:
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run Brakeman
run: |
docker run --rm complete-app:ci /bin/bash -c "bin/brakeman"
specs:
name: Specs and coverage
runs-on: ubuntu-latest
needs: build
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Download artifact
uses: actions/download-artifact@v4
with:
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run RSpec and Simplecov
run: |
docker compose -p complete-app -f docker-compose.checks.yml \
run --name complete-app test /bin/bash -c "bin/rails spec"
-
name: Grab coverage report from container
run:
docker cp complete-app:/srv/app/coverage/coverage.json coverage/coverage.json
-
name: Shutdown containers
run: docker compose -p complete-app down && docker compose -p complete-app rm
-
name: Upload coverage report
uses: actions/upload-artifact@v4
with:
name: coverage-report
path: coverage/coverage.json
accessibility:
name: Accessibility
runs-on: ubuntu-latest
needs: build
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Download artifact
uses: actions/download-artifact@v4
with:
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run RSpec Accessibility checks
run: |
docker compose -p complete-app -f docker-compose.checks.yml \
run -e NO_COVERAGE=true --rm test /bin/bash -c "bin/rails javascript:build && bin/rspec --tag accessibility"
-
name: Shutdown containers
run: docker compose -p complete-app down && docker compose -p complete-app rm
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
needs: specs
steps:
-
name: Checkout
uses: actions/checkout@v4
-
uses: actions/download-artifact@v4
with:
name: coverage-report
path: ./coverage
-
name: Update coverage report paths
run: sed -i "s|/srv/app|/github/workspace|g" ./coverage/coverage.json
-
name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
docker:
name: Docker
runs-on: ubuntu-latest
needs: build
steps:
-
name: Download artifact
uses: actions/download-artifact@v4
with:
name: complete-app-ci
path: /tmp
-
name: Scan Docker image for CVEs
uses: aquasecurity/[email protected]
with:
input: /tmp/base.tar
format: 'sarif'
output: 'trivy-results.sarif'
limit-severities-for-sarif: true
scanners: vuln
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
github-pat: ${{ secrets.GITHUB_TOKEN }}
-
name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'