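# CI pipeline: secrets scan (Talisman), dependency vulnerability scan (Trivy),
# formatting/lint/type checks, automated tests and — on main only — a Storybook
# build deployed to GitHub Pages.
name: Pipeline

on:  # yamllint disable-line rule:truthy
  # Run on any branch receiving a push
  push:
  # Allow manual trigger of the workflow
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (SARIF upload,
# Pages deployment) declare their own `permissions` block, which overrides this.
permissions:
  contents: read

jobs:
  # Talisman Secrets Check
  talisman-check:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so Talisman can inspect the incoming commits, not only HEAD
          fetch-depth: 0
      - name: Detect secrets in incoming commits with Talisman
        # Pinned to an immutable commit SHA; the actions/* steps in this file are
        # pinned to mutable major tags — consider aligning them (TODO: maintainers)
        uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb

  # Trivy Vulnerability Scan
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9578b45609c99d7eb
        env:
          # Primary DB on ghcr.io with a public.ecr.aws mirror as fallback
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: "fs"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
      - name: Verify SARIF file exists
        run: ls -la trivy-results.sarif
      - name: Check trivy results
        # Fail on actual findings by counting entries in the SARIF `results`
        # arrays. Grepping the raw file for 'HIGH|CRITICAL' is fragile: those
        # words can also appear in rule help text or package descriptions.
        # jq is preinstalled on GitHub-hosted ubuntu runners.
        run: |
          set -euo pipefail
          count="$(jq '[.runs[]?.results[]?] | length' trivy-results.sarif)"
          if [ "${count}" -gt 0 ]; then
            echo "::error::Vulnerabilities found: ${count} CRITICAL/HIGH result(s)"
            exit 1
          fi
          echo "No significant vulnerabilities found"
      - name: Upload Trivy scan results to GitHub Security tab
        # always(): still upload when the check step above has failed the job
        if: ${{ always() && github.ref == 'refs/heads/main' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  # Formatting, code quality and types check
  check-style:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: ./.node-version
          # setup-node already caches the npm cache directory keyed on the
          # lockfile, so no separate actions/cache step is needed.
          cache: npm
          cache-dependency-path: ./package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Check formatting
        run: npm run prettier:check
      - name: Check code style
        run: npm run eslint:check
      - name: Check types
        run: npm run typecheck

  # Automated tests
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: ./.node-version
          # setup-node already caches the npm cache directory keyed on the
          # lockfile, so no separate actions/cache step is needed.
          cache: npm
          cache-dependency-path: ./package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Run tests
        run: npm run test

  # Deploy Storybook to GitHub Pages
  build-and-deploy-storybook:
    if: ${{ github.ref == 'refs/heads/main' }}
    # Gate the deployment on every check job (all four must succeed)
    needs:
      - talisman-check
      - trivy-scan
      - check-style
      - test
    permissions:
      contents: read
      pages: write
      id-token: write  # OIDC token for the Pages deployment
    # Only one Pages deployment at a time; a newer run supersedes an in-flight one
    concurrency:
      group: "pages"
      cancel-in-progress: true
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: ./.node-version
          # setup-node already caches the npm cache directory keyed on the
          # lockfile, so no separate actions/cache step is needed.
          cache: npm
          cache-dependency-path: ./package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Build Storybook
        run: npm run build:storybook
      # NOTE(review): the three Pages actions below are pinned to older major
      # versions than the other actions/* steps in this file — confirm they are
      # still supported and review for an upgrade.
      - name: Setup Pages
        uses: actions/configure-pages@v2
      - name: Upload Storybook artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: ./storybook-static
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1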