Skip to content

Revert "Remove the Single Worksheet task from Conversions" #3309

Revert "Remove the Single Worksheet task from Conversions"

Revert "Remove the Single Worksheet task from Conversions" #3309

Workflow file for this run

name: CI Checks
on:
pull_request:
push:
branches:
- main
jobs:
build-and-cache:
name: Build and cache image
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=test
push: false
tags: complete-app:latest
cache-from: type=gha
cache-to: type=gha,mode=min
lint-and-format:
name: Linting and formatting
runs-on: ubuntu-latest
needs: build-and-cache
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: |
RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
-
name: Run linters and formaters
run: |
docker run --rm complete-app:latest /bin/bash -c "bin/standardrb -f simple && bin/erblint --lint-all \
&& yarn run lint:format && yarn run lint:js"
static-analysis:
name: Static analysis
runs-on: ubuntu-latest
needs: build-and-cache
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: |
RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
-
name: Run Brakeman
run: |
docker run --rm complete-app:latest /bin/bash -c "bin/brakeman"
specs:
name: Specs and coverage
runs-on: ubuntu-latest
needs: build-and-cache
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: |
RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
-
name: Run RSpec and Simplecov
run: |
docker compose -p complete-app -f docker-compose.checks.yml \
run --name complete-app test /bin/bash -c "bin/rails spec"
-
name: Grab coverage report from container
run:
docker cp complete-app:/srv/app/coverage/coverage.json coverage/coverage.json
-
name: Shutdown containers
run: docker compose -p complete-app down && docker compose -p complete-app rm
-
name: Upload coverage report
uses: actions/upload-artifact@v4
with:
name: coverage-report
path: coverage/coverage.json
accessibility:
name: Accessibility
runs-on: ubuntu-latest
needs: build-and-cache
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
-
name: Run RSpec Accessibility checks
run: |
docker compose -p complete-app -f docker-compose.checks.yml \
run -e NO_COVERAGE=true --rm test /bin/bash -c "bin/rails javascript:build && bin/rspec --tag accessibility"
-
name: Shutdown containers
run: docker compose -p complete-app down && docker compose -p complete-app rm
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
needs: specs
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/download-artifact@v4
with:
name: coverage-report
path: ./coverage
- name: Update coverage report paths
run: sed -i "s|/srv/app|/github/workspace|g" ./coverage/coverage.json
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
docker:
name: Docker
runs-on: ubuntu-latest
needs: build-and-cache
continue-on-error: true
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
id: build
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=development
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
-
name: Generate tarball from image
run: |
docker save -o vuln-image.tar ${{ steps.build.outputs.imageid }}
-
name: Scan Docker image for CVEs
uses: aquasecurity/[email protected]
with:
input: /github/workspace/vuln-image.tar
format: 'sarif'
output: 'trivy-results.sarif'
limit-severities-for-sarif: true
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
github-pat: ${{ secrets.GITHUB_TOKEN }}
-
name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'