Update dependency diffy to v3.4.3 #3307
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI Checks | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
jobs: | |
build-and-cache: | |
name: Build and cache image | |
runs-on: ubuntu-latest | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and cache | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: RAILS_ENV=test | |
push: false | |
tags: complete-app:latest | |
cache-from: type=gha | |
cache-to: type=gha,mode=min | |
lint-and-format: | |
name: Linting and formatting | |
runs-on: ubuntu-latest | |
needs: build-and-cache | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and cache | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: | | |
RAILS_ENV=test | |
push: false | |
load: true | |
tags: complete-app:latest | |
cache-from: type=gha | |
- | |
name: Run linters and formaters | |
run: | | |
docker run --rm complete-app:latest /bin/bash -c "bin/standardrb -f simple && bin/erblint --lint-all \ | |
&& yarn run lint:format && yarn run lint:js" | |
static-analysis: | |
name: Static analysis | |
runs-on: ubuntu-latest | |
needs: build-and-cache | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and cache | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: | | |
RAILS_ENV=test | |
push: false | |
load: true | |
tags: complete-app:latest | |
cache-from: type=gha | |
- | |
name: Run Brakeman | |
run: | | |
docker run --rm complete-app:latest /bin/bash -c "bin/brakeman" | |
specs: | |
name: Specs and coverage | |
runs-on: ubuntu-latest | |
needs: build-and-cache | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and cache | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: | | |
RAILS_ENV=test | |
push: false | |
load: true | |
tags: complete-app:latest | |
cache-from: type=gha | |
- | |
name: Run RSpec and Simplecov | |
run: | | |
docker compose -p complete-app -f docker-compose.checks.yml \ | |
run --name complete-app test /bin/bash -c "bin/rails spec" | |
- | |
name: Grab coverage report from container | |
run: | |
docker cp complete-app:/srv/app/coverage/coverage.json coverage/coverage.json | |
- | |
name: Shutdown containers | |
run: docker compose -p complete-app down && docker compose -p complete-app rm | |
- | |
name: Upload coverage report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-report | |
path: coverage/coverage.json | |
accessibility: | |
name: Accessibility | |
runs-on: ubuntu-latest | |
needs: build-and-cache | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and cache | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: RAILS_ENV=test | |
push: false | |
load: true | |
tags: complete-app:latest | |
cache-from: type=gha | |
- | |
name: Run RSpec Accessibility checks | |
run: | | |
docker compose -p complete-app -f docker-compose.checks.yml \ | |
run -e NO_COVERAGE=true --rm test /bin/bash -c "bin/rails javascript:build && bin/rspec --tag accessibility" | |
- | |
name: Shutdown containers | |
run: docker compose -p complete-app down && docker compose -p complete-app rm | |
sonarcloud: | |
name: SonarCloud | |
runs-on: ubuntu-latest | |
needs: specs | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: coverage-report | |
path: ./coverage | |
- name: Update coverage report paths | |
run: sed -i "s|/srv/app|/github/workspace|g" ./coverage/coverage.json | |
- name: SonarCloud Scan | |
uses: SonarSource/sonarcloud-github-action@master | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
docker: | |
name: Docker | |
runs-on: ubuntu-latest | |
needs: build-and-cache | |
continue-on-error: true | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and cache | |
id: build | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
build-args: RAILS_ENV=development | |
push: false | |
load: true | |
tags: complete-app:latest | |
cache-from: type=gha | |
- | |
name: Generate tarball from image | |
run: | | |
docker save -o vuln-image.tar ${{ steps.build.outputs.imageid }} | |
- | |
name: Scan Docker image for CVEs | |
uses: aquasecurity/[email protected] | |
with: | |
input: /github/workspace/vuln-image.tar | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
limit-severities-for-sarif: true | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
github-pat: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Upload scan results to GitHub Security | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: 'trivy-results.sarif' |