Setup GitHub actions

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+* @aligent/mesh-developers
+
+.github/* @aligent/aligent-devops
+bitbucket-pipelines.yml @aligent/aligent-devops

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+    open-pull-requests-limit: 10

.github/workflows/build.yml

@@ -0,0 +1,66 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      application:
+        required: true
+        type: string
+
+jobs:
+  build:
+    name: 🏭 Build all packages
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install
+        run: yarn install
+
+      - name: Build all packages
+        env:
+          BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }}
+          BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }}
+          BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }}
+          BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }}
+          BC_REST_API: ${{ secrets.BC_REST_API }}
+          JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
+          ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }}
+          ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }}
+          ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }}
+          STORE_HASH: ${{ secrets.STORE_HASH }}
+          X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }}
+        run: yarn nx run-many -t build
+
+      - name: Build Docker Container
+        env:
+          BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }}
+          BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }}
+          BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }}
+          BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }}
+          BC_REST_API: ${{ secrets.BC_REST_API }}
+          JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
+          ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }}
+          ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }}
+          ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }}
+          STORE_HASH: ${{ secrets.STORE_HASH }}
+          X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }}
+        run: yarn nx docker-build ${{ inputs.application }}
+
+      - name: Save Docker image to a tar file
+        run: |
+          docker save ${{ inputs.application }}:latest -o /tmp/${{ inputs.application }}.tar
+
+      - name: Upload Docker image as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.application }}-docker-image
+          path: /tmp/${{ inputs.application }}.tar

.github/workflows/owasp.yml

@@ -0,0 +1,93 @@
+name: OWASP Dependency Check
+
+on:
+  # schedule:
+  #   - cron: '0 0 * * *' # Runs daily at midnight
+  workflow_dispatch: # Allows manual trigger from the GitHub Actions tab
+  workflow_call:
+    inputs:
+      version:
+        type: string
+      output:
+        default: 'owasp-results'
+        type: string
+      scan_path:
+        default: '.'
+        type: string
+      cvss_fail_level:
+        default: 1
+        type: number
+      suppression_path:
+        default: 'suppression.xml'
+        type: string
+      disable_oss_index:
+        type: boolean
+    secrets:
+      OSS_INDEX_USERNAME:
+      OSS_INDEX_PASSWORD:
+      NVD_API_KEY:
+
+jobs:
+  owasp_scan:
+    name: 🛡️ OWASP Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          path: code
+
+      - name: Fetch dependency check script
+        run: |
+          if [ -z "${{ inputs.version }}" ]; then
+            VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt)
+          else
+            VERSION=${{ inputs.version }}
+          fi
+          curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+
+      - name: Unzip dependency check
+        run: |
+          ls -la
+          unzip dependency-check
+
+      - name: Load database from cache
+        uses: actions/cache@v4
+        with:
+          path: dependency-check/data/oss_cache
+          key: owasp-database-cache
+
+      - name: Run OWASP dependency check
+        env:
+          OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+          OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: |
+          mkdir ${{ inputs.output }}
+          ./dependency-check/bin/dependency-check.sh \
+          --format JUNIT \
+          --format HTML \
+          --prettyPrint \
+          --project ${{ github.event.repository.name }} \
+          --enableExperimental \
+          --out ${{ inputs.output }} \
+          -s ${{ inputs.scan_path }} \
+          --junitFailOnCVSS ${{ inputs.cvss_fail_level }} \
+          --failOnCVSS ${{ inputs.cvss_fail_level }} \
+          --suppression code/${{ inputs.suppression_path }} \
+          --ossIndexUsername ${{ secrets.OSS_INDEX_USERNAME }} \
+          --ossIndexPassword ${{ secrets.OSS_INDEX_PASSWORD }} \
+          --nvdApiKey ${{ secrets.NVD_API_KEY }} \
+          --disableOssIndex ${{ inputs.disable_oss_index }}
+
+      - name: Upload database to cache
+        uses: actions/cache@v4
+        with:
+          path: dependency-check/data/oss_cache
+          key: owasp-database-cache
+
+      - name: Upload OWASP report
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-dependency-check-report
+          path: ${{ inputs.output }}/dependency-check-report.html

.github/workflows/publish.yml

@@ -0,0 +1,58 @@
+name: Publish to NPM
+
+on:
+  release:
+    tags:
+      - '**-[0-9]+.[0-9]+.[0-9]+'
+      - '**-[0-9]+.[0-9]+.[0-9]+-*'
+    types: [published]
+
+jobs:
+  build-and-publish:
+    name: 🚀 Publish to NPM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.target_commitish }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+          registry-url: https://registry.npmjs.org/
+
+      - name: Install
+        run: yarn install
+
+      - name: Preparing environment for release
+        run: |
+          VERSION=$(echo $GITHUB_REF_NAME | sed 's/^.*[A-Za-z]-//g')
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "PACKAGE=$(echo $GITHUB_REF_NAME | sed "s/-${VERSION}//g")" >> $GITHUB_ENV
+
+      - name: Release
+        run: |
+          git config --global user.name "Automated NPM Release"
+          git config --global user.email "[email protected]"
+          echo "Publishing $PACKAGE @ $VERSION"
+          yarn config set registry https://registry.npmjs.org/
+          yarn nx publish $PACKAGE --ver=$VERSION --tag=latest --verbose
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          BC_CLIENT_ID: ${{ secrets.BC_CLIENT_ID }}
+          BC_CLIENT_SECRET: ${{ secrets.BC_CLIENT_SECRET }}
+          BC_GRAPHQL_API: ${{ secrets.BC_GRAPHQL_API }}
+          BC_GRAPHQL_TOKEN: ${{ secrets.BC_GRAPHQL_TOKEN }}
+          BC_REST_API: ${{ secrets.BC_REST_API }}
+          JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
+          ORO_CLIENT_ID: ${{ secrets.ORO_CLIENT_ID }}
+          ORO_CLIENT_SECRET: ${{ secrets.ORO_CLIENT_SECRET }}
+          ORO_STORE_URL: ${{ secrets.ORO_STORE_URL }}
+          STORE_HASH: ${{ secrets.STORE_HASH }}
+          X_AUTH_TOKEN: ${{ secrets.X_AUTH_TOKEN }}
+
+      - name: Update the package version number
+        run: git push
+        env:
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pull-request.yml

@@ -0,0 +1,80 @@
+name: Pull Request Checks
+
+on:
+  pull_request:
+    branches:
+      - '**' # Trigger on all branches
+
+jobs:
+  test:
+    name: ⚙️ Run Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Fetch target
+        run: git fetch origin ${{ github.event.pull_request.base.ref }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install
+        run: yarn install
+
+      - name: Run Tests
+        run: |
+          FORCE_COLOR=true
+          DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }}  # Set branch
+          yarn nx affected:test --base=$DESTINATION_BRANCH --ci --code-coverage --parallel --max-parallel=3
+
+  code-quality:
+    name: 🕵️‍♀️ Code Quality
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Fetch target
+        run: git fetch origin ${{ github.event.pull_request.base.ref }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install
+        run: yarn install
+
+      - name: Code Quality Check
+        run: |
+          FORCE_COLOR=true
+          DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }}  # Set branch
+          yarn nx affected:lint --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+          yarn nx format:check --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+          yarn nx affected -t check-types --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+
+  # TODO: fix the owasp pipeline
+  # owasp:
+  #   name: 🛡️ OWASP Scan
+  #   uses: ./.github/workflows/owasp.yml
+  #   secrets: inherit
+
+  build:
+    name: 👷 Build
+    strategy:
+      fail-fast: false
+      matrix:
+        application: [bigcommerce-mesh, orocommerce-mesh]
+    uses: ./.github/workflows/build.yml
+    with:
+      application: ${{ matrix.application }}
+    secrets: inherit

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Aligent
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

bitbucket-pipelines.yml

@@ -70,15 +70,6 @@ definitions:
         artifacts:
           - '*.tar.gz'
 
-    - step: &publish
-        name: 📦 Publish package to the Aligent Repository
-        script:
-          - VERSION=$(echo $BITBUCKET_TAG | sed 's/^.*[A-Za-z]-//g')
-          - PACKAGE=$(echo $BITBUCKET_TAG | sed "s/-${VERSION}//g")
-          - echo "Publishing $PACKAGE @ $VERSION"
-          - npm config set //npm.corp.aligent.consulting/:_authToken $NPM_PUBLISH_TOKEN
-          - yarn nx publish $PACKAGE --ver=$VERSION --tag=latest
-
     - step: &deploy
         name: 📦 Push to ECR
         services:
@@ -124,20 +115,8 @@ pipelines:
           - step: *build-all-containers
           - step: *code-quality
           - step: *test
-  tags:
-    'bigcommerce-graphql-module-*.*.*':
-      - step: *install
-      - step: *publish
-    'orocommerce-graphql-module-*.*.*':
-      - step: *install
-      - step: *publish
-    'maintenance-mode-plugin-*.*.*':
-      - step: *install
-      - step: *publish
-    'auth-module-*.*.*':
-      - step: *install
-      - step: *publish
 
+  # Customise this depending on requirements
   branches:
     main:
       - step: *install

package.json

@@ -1,7 +1,6 @@
 {
   "name": "@aligent/graphql-mesh-source",
   "version": "0.1.0",
-  "private": true,
   "license": "UNLICENSED",
   "devDependencies": {
     "@graphql-codegen/add": "^5.0.0",

tools/scripts/publish.mjs

@@ -57,6 +57,4 @@ try {
 }
 
 // Execute "npm publish" to publish
-execSync(
-    `npm publish --access restricted --registry https://npm.corp.aligent.consulting/ --tag ${tag}`
-);
+execSync(`npm publish --verbose --access=public --tag ${tag}`);