diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..93409ae2
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+* @aligent/mesh-developers
+
+.github/* @aligent/aligent-devops
+bitbucket-pipelines.yml @aligent/aligent-devops
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..a3943c2a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: 'npm'
+ directory: '/'
+ schedule:
+ interval: 'daily'
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..ab71d929
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,66 @@
+name: Build
+
+on:
+ workflow_call:
+ inputs:
+ application:
+ required: true
+ type: string
+
+jobs:
+ build:
+ name: 🏭 Build all packages
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'yarn'
+
+ - name: Install
+ run: yarn install
+
+ - name: Build all packages
+ env:
+ BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }}
+ BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }}
+ BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }}
+ BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }}
+ BC_REST_API: ${{ secrets.BC_REST_API }}
+ JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
+ ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }}
+ ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }}
+ ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }}
+ STORE_HASH: ${{ secrets.STORE_HASH }}
+ X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }}
+ run: yarn nx run-many -t build
+
+ - name: Build Docker Container
+ env:
+ BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }}
+ BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }}
+ BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }}
+ BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }}
+ BC_REST_API: ${{ secrets.BC_REST_API }}
+ JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
+ ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }}
+ ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }}
+ ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }}
+ STORE_HASH: ${{ secrets.STORE_HASH }}
+ X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }}
+ run: yarn nx docker-build ${{ inputs.application }}
+
+ - name: Save Docker image to a tar file
+ run: |
+ docker save ${{ inputs.application }}:latest -o /tmp/${{ inputs.application }}.tar
+
+ - name: Upload Docker image as artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.application }}-docker-image
+ path: /tmp/${{ inputs.application }}.tar
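Review bot: The `Build Docker Container` step runs with the complete store credential set (`BC_CLIENT_SECRET`, `JWT_PRIVATE_KEY`, `X_AUTH_TOKEN`, …) in its environment, and the next two steps then `docker save` the resulting image and publish it as a run artifact; if `nx docker-build` forwards any of those variables into the image as build args or generated files, the secrets land in image layers that anyone with read access to the run can download. It is worth confirming that the Dockerfile receives only what it needs, and trimming the two identical `env:` blocks to the variables the build actually reads rather than the whole secret set — with the caller using `secrets: inherit`, this workflow is the only place least privilege gets applied. A smaller point: `actions/checkout@v4`, `actions/setup-node@v4` and `actions/upload-artifact@v4` are pinned to mutable tags; pinning to a commit SHA keeps the build stable if a tag is moved.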
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
new file mode 100644
index 00000000..f0b6d844
--- /dev/null
+++ b/.github/workflows/owasp.yml
@@ -0,0 +1,93 @@
+name: OWASP Dependency Check
+
+on:
+ # schedule:
+ # - cron: '0 0 * * *' # Runs daily at midnight
+ workflow_dispatch: # Allows manual trigger from the GitHub Actions tab
+ workflow_call:
+ inputs:
+ version:
+ type: string
+ output:
+ default: 'owasp-results'
+ type: string
+ scan_path:
+ default: '.'
+ type: string
+ cvss_fail_level:
+ default: 1
+ type: number
+ suppression_path:
+ default: 'suppression.xml'
+ type: string
+ disable_oss_index:
+ type: boolean
+ secrets:
+ OSS_INDEX_USERNAME:
+ OSS_INDEX_PASSWORD:
+ NVD_API_KEY:
+
+jobs:
+ owasp_scan:
+ name: 🛡️ OWASP Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ path: code
+
+ - name: Fetch dependency check script
+ run: |
+ if [ -z "${{ inputs.version }}" ]; then
+ VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt)
+ else
+ VERSION=${{ inputs.version }}
+ fi
+ curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+
+ - name: Unzip dependency check
+ run: |
+ ls -la
+ unzip dependency-check
+
+ - name: Load database from cache
+ uses: actions/cache@v4
+ with:
+ path: dependency-check/data/oss_cache
+ key: owasp-database-cache
+
+ - name: Run OWASP dependency check
+ env:
+ OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+ OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ run: |
+ mkdir ${{ inputs.output }}
+ ./dependency-check/bin/dependency-check.sh \
+ --format JUNIT \
+ --format HTML \
+ --prettyPrint \
+ --project ${{ github.event.repository.name }} \
+ --enableExperimental \
+ --out ${{ inputs.output }} \
+ -s ${{ inputs.scan_path }} \
+ --junitFailOnCVSS ${{ inputs.cvss_fail_level }} \
+ --failOnCVSS ${{ inputs.cvss_fail_level }} \
+ --suppression code/${{ inputs.suppression_path }} \
+ --ossIndexUsername ${{ secrets.OSS_INDEX_USERNAME }} \
+ --ossIndexPassword ${{ secrets.OSS_INDEX_PASSWORD }} \
+ --nvdApiKey ${{ secrets.NVD_API_KEY }} \
+ --disableOssIndex ${{ inputs.disable_oss_index }}
+
+ - name: Upload database to cache
+ uses: actions/cache@v4
+ with:
+ path: dependency-check/data/oss_cache
+ key: owasp-database-cache
+
+ - name: Upload OWASP report
+ uses: actions/upload-artifact@v4
+ with:
+ name: owasp-dependency-check-report
+ path: ${{ inputs.output }}/dependency-check-report.html
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..c9271d97
--- /dev/null
+++ b/.github/workflows/publish.yml
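Review bot: In the `Run OWASP dependency check` step the credentials are supplied twice — exported as `OSS_INDEX_USERNAME`/`OSS_INDEX_PASSWORD`/`NVD_API_KEY` in `env:` and then interpolated again onto the command line with `${{ secrets.… }}`; a command-line argument is visible to every process on the runner and to any wrapper that echoes its arguments, so the flags should read `--ossIndexUsername "$OSS_INDEX_USERNAME" --ossIndexPassword "$OSS_INDEX_PASSWORD" --nvdApiKey "$NVD_API_KEY"` and the env block becomes the single source. The same pattern applies to `${{ inputs.version }}` in `Fetch dependency check script`, which is spliced verbatim into a shell script and is safer read from an `env:` variable. The release zip is fetched over HTTPS but never integrity-checked before `unzip` and execution, so a substituted archive would run unnoticed; comparing against a published checksum or signature, if the project provides one, closes that gap. Both `actions/cache@v4` steps also use the constant key `owasp-database-cache`, and a cache entry is not overwritten once it exists, so the vulnerability database stops refreshing after the first successful run — a date-based key with a `restore-keys` prefix is the usual fix.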
@@ -0,0 +1,58 @@
+name: Publish to NPM
+
+on:
+ release:
+ tags:
+ - '**-[0-9]+.[0-9]+.[0-9]+'
+ - '**-[0-9]+.[0-9]+.[0-9]+-*'
+ types: [published]
+
+jobs:
+ build-and-publish:
+ name: 🚀 Publish to NPM
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.release.target_commitish }}
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'yarn'
+ registry-url: https://registry.npmjs.org/
+
+ - name: Install
+ run: yarn install
+
+ - name: Preparing environment for release
+ run: |
+ VERSION=$(echo $GITHUB_REF_NAME | sed 's/^.*[A-Za-z]-//g')
+ echo "VERSION=$VERSION" >> $GITHUB_ENV
+ echo "PACKAGE=$(echo $GITHUB_REF_NAME | sed "s/-${VERSION}//g")" >> $GITHUB_ENV
+
+ - name: Release
+ run: |
+ git config --global user.name "Automated NPM Release"
+ git config --global user.email "devops+npm-deploy@aligent.com.au"
+ echo "Publishing $PACKAGE @ $VERSION"
+ yarn config set registry https://registry.npmjs.org/
+ yarn nx publish $PACKAGE --ver=$VERSION --tag=latest --verbose
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }}
+ BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }}
+ BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }}
+ BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }}
+ BC_REST_API: ${{ secrets.BC_REST_API }}
+ JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
+ ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }}
+ ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }}
+ ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }}
+ STORE_HASH: ${{ secrets.STORE_HASH }}
+ X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }}
+
+ - name: Update the package version number
+ run: git push
+ env:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
new file mode 100644
index 00000000..720dfbd4
--- /dev/null
+++ b/.github/workflows/pull-request.yml
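Review bot: The `tags:` filter under `on: release:` is not honoured — the `release` event accepts only `types:` (branch/tag/path filters apply to `push` and `pull_request`) — so the two `'**-[0-9]+…'` patterns are silently ignored and every published release runs this job, with `Preparing environment for release` then deriving `PACKAGE` from whatever the tag happens to be. If only package-style tags should publish, guard the job with a condition on `github.event.release.tag_name` (for example `if: contains(github.event.release.tag_name, '-')`) or move the trigger to `push: tags:`. The `Release` step is also handed every store credential alongside `NODE_AUTH_TOKEN`; an npm publish needs only the registry token, so the other eleven entries should go unless `nx publish` demonstrably builds with them. Lastly, `env: github-token:` on the `git push` step is not something git reads — the push presumably succeeds on the credentials `actions/checkout` persisted — so that key is misleading and can be dropped, and the job should declare `permissions: contents: write` rather than relying on the repository default.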
@@ -0,0 +1,80 @@
+name: Pull Request Checks
+
+on:
+ pull_request:
+ branches:
+ - '**' # Trigger on all branches
+
+jobs:
+ test:
+ name: ⚙️ Run Tests
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Fetch target
+ run: git fetch origin ${{ github.event.pull_request.base.ref }}
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'yarn'
+
+ - name: Install
+ run: yarn install
+
+ - name: Run Tests
+ run: |
+ FORCE_COLOR=true
+ DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }} # Set branch
+ yarn nx affected:test --base=$DESTINATION_BRANCH --ci --code-coverage --parallel --max-parallel=3
+
+ code-quality:
+ name: 🕵️‍♀️ Code Quality
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Fetch target
+ run: git fetch origin ${{ github.event.pull_request.base.ref }}
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'yarn'
+
+ - name: Install
+ run: yarn install
+
+ - name: Code Quality Check
+ run: |
+ FORCE_COLOR=true
+ DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }} # Set branch
+ yarn nx affected:lint --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+ yarn nx format:check --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+ yarn nx affected -t check-types --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+
+ # TODO: fix the owasp pipeline
+ # owasp:
+ # name: 🛡️ OWASP Scan
+ # uses: ./.github/workflows/owasp.yml
+ # secrets: inherit
+
+ build:
+ name: 👷 Build
+ strategy:
+ fail-fast: false
+ matrix:
+ application: [bigcommerce-mesh, orocommerce-mesh]
+ uses: ./.github/workflows/build.yml
+ with:
+ application: ${{ matrix.application }}
+ secrets: inherit
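Review bot: Both `Checkout Repository` steps check out `github.event.pull_request.head.ref`, which is a branch name rather than a commit: it resolves to the branch tip at checkout time instead of the commit the event was raised for, and for a pull request from a fork that name does not exist in this repository, so the checkout fails before any test runs. Dropping `ref:` altogether checks out the PR merge ref and tests what would actually land; if the head must be pinned, `ref: ${{ github.event.pull_request.head.sha }}` is the stable form. Separately, `FORCE_COLOR=true` in both `run:` scripts is a plain shell assignment without `export`, so the `yarn nx` commands that follow never see it — `export FORCE_COLOR=true`, or an `env:` entry on the step, is what was intended. The `build` job also forwards the entire secret set through `secrets: inherit`; listing only the names `build.yml` reads keeps the reusable workflow's exposure to the minimum it needs.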
diff --git a/.yarnrc b/.yarnrc
deleted file mode 100644
index fc5e2b45..00000000
--- a/.yarnrc
+++ /dev/null
@@ -1 +0,0 @@
-"@aligent:registry" "https://npm.corp.aligent.consulting/"
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..26f3f775
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Aligent
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml
index b75c54ff..92f0de8f 100644
--- a/bitbucket-pipelines.yml
+++ b/bitbucket-pipelines.yml
@@ -70,15 +70,6 @@ definitions: artifacts: - '*.tar.gz' - - step: &publish - name: 📦 Publish package to the Aligent Repository - script: - - VERSION=$(echo $BITBUCKET_TAG | sed 's/^.*[A-Za-z]-//g') - - PACKAGE=$(echo $BITBUCKET_TAG | sed "s/-${VERSION}//g") - - echo "Publishing $PACKAGE @ $VERSION" - - npm config set //npm.corp.aligent.consulting/:_authToken $NPM_PUBLISH_TOKEN - - yarn nx publish $PACKAGE --ver=$VERSION --tag=latest - - step: &deploy name: 📦 Push to ECR services:
@@ -124,20 +115,8 @@ pipelines: - step: *build-all-containers - step: *code-quality - step: *test - tags: - 'bigcommerce-graphql-module-*.*.*': - - step: *install - - step: *publish - 'orocommerce-graphql-module-*.*.*': - - step: *install - - step: *publish - 'maintenance-mode-plugin-*.*.*': - - step: *install - - step: *publish - 'auth-module-*.*.*': - - step: *install - - step: *publish + # Customise this depending on requirements branches: main: - step: *install
diff --git a/package.json b/package.json
index 69aec4ae..e246b222 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,6 @@
 {
 "name": "@aligent/graphql-mesh-source",
 "version": "0.1.0",
- "private": true,
 "license": "UNLICENSED",
 "devDependencies": {
 "@graphql-codegen/add": "^5.0.0",
diff --git a/tools/scripts/publish.mjs b/tools/scripts/publish.mjs
index 19f1f5b1..893ea35a 100644
--- a/tools/scripts/publish.mjs
+++ b/tools/scripts/publish.mjs
@@ -57,6 +57,4 @@ try {
 }
 // Execute "npm publish" to publish
-execSync(
- `npm publish --access restricted --registry https://npm.corp.aligent.consulting/ --tag ${tag}`
-);
+execSync(`npm publish --verbose --access=public --tag ${tag}`);
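Review bot: Removing `"private": true` makes the root workspace package itself publishable, and in the same commit a `LICENSE` file is added as MIT while `"license": "UNLICENSED"` is kept here, so the two disagree and npm will display the latter. If only the individual packages are meant to be published — which is what `publish.yml` and `tools/scripts/publish.mjs` suggest — the root should keep `"private": true` so an accidental `npm publish` from the repository root is refused; if the root really is intended to ship, `"license"` should become `"MIT"` to match the added file.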
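Review bot: The new `execSync(\`npm publish --verbose --access=public --tag ${tag}\`)` still assembles a shell command by string interpolation, so `tag` — assigned outside this hunk, presumably from the script's arguments — reaches `/bin/sh` unquoted, and any whitespace or shell metacharacters in it would be parsed as further arguments or commands. `execFileSync('npm', ['publish', '--verbose', '--access=public', '--tag', tag])` (imported from `child_process` alongside `execSync`) passes the value as a single argv entry and avoids the shell entirely. The switch from `--access restricted` on the corporate registry to `--access=public` on the default registry is clearly the intent of the commit, but it is worth a one-line comment above the call stating that these packages are now public, since that is the line a future maintainer will revert by mistake.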