[CORE-147] Update codeowners #397
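# Build-and-test pipeline: gates on a version-bump check, builds the service with
# Gradle, scans the tree for committed secrets, builds and Trivy-scans a container
# image, runs tests with coverage, uploads to SonarQube, and pages Slack when a
# push to main fails.
name: Build and Test

# Least-privilege default for the GITHUB_TOKEN. Jobs that genuinely need more
# widen their own permissions below; everything else only reads the checkout.
permissions:
  contents: read

on:
  workflow_dispatch: {}
  push:
    branches: [ main ]
    paths-ignore: [ '**.md' ]
  pull_request:
    # Branch settings require status checks before merging, so don't add paths-ignore.
    branches: [ main ]

jobs:
  # Decides whether this run is an automated version-bump merge; downstream jobs
  # only proceed when the answer is 'no'.
  bump-check:
    runs-on: ubuntu-latest
    outputs:
      is-bump: ${{ steps.skiptest.outputs.is-bump }}
    steps:
      - uses: actions/checkout@v3
      - name: Skip version bump merges
        id: skiptest
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}

  build:
    needs: [ bump-check ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: read
      # upload-sarif publishes findings into the repository's code-scanning alerts,
      # which is the only write this job needs.
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Git secrets setup
        # The scanner is checked out at a fixed commit so an upstream change to
        # git-secrets cannot silently alter what this job installs and runs as root.
        run: |
          git clone https://github.com/awslabs/git-secrets.git ~/git-secrets
          cd ~/git-secrets
          git checkout 99d01d58ebcc06e237c0e3f3ff5ae628aeef6aa6
          sudo make install
      - name: Secrets check
        run: |
          # minnie-kenny.sh shells out to `say`; point it at echo on Linux runners.
          # -f keeps the step idempotent if the link already exists on a reused runner.
          sudo ln -sf "$(which echo)" /usr/local/bin/say
          ./minnie-kenny.sh --force
          git secrets --scan-history
      - name: Build the test harness and, by dependency, the service library
        run: ./gradlew --build-cache build -x test
      - name: Upload spotbugs results
        # Pinned to a release tag instead of the floating `main` branch: this action
        # runs with the security-events write token, so its code must not change
        # underneath us between runs. A full-length commit SHA is the stronger pin
        # if the project adopts SHA-pinning for all third-party actions.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: service/build/reports/spotbugs/main.sarif

  # Builds the container image locally (no registry push) and scans it with Trivy.
  # Runs only when `build` succeeded; a skipped `build` skips this job as well.
  jib:
    needs: [ build ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Construct docker image name and tag
        id: image-name
        # Read the repository name from the runner's default GITHUB_REPOSITORY
        # variable rather than interpolating `${{ github.repository }}` into the
        # script, so the shell never treats workflow context as code.
        run: |
          GITHUB_REPO=$(basename "$GITHUB_REPOSITORY")
          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
          echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> "$GITHUB_OUTPUT"
      - name: Build image locally with jib
        env:
          IMAGE_NAME: ${{ steps.image-name.outputs.name }}
        run: |
          ./gradlew --build-cache :service:jibDockerBuild \
            --image="$IMAGE_NAME" \
            -Djib.console=plain
      - name: Run Trivy vulnerability scanner
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}

  tests-and-sonarqube:
    needs: [ bump-check, build ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: read
      # The SonarQube step is handed GITHUB_TOKEN; pull-request metadata is the
      # usual reason for that. NOTE(review): confirm this is sufficient for the
      # project's Sonar configuration and trim it if the token turns out unused.
      pull-requests: read
    services:
      postgres:
        image: postgres:13.1
        env:
          # Throwaway credentials for the job-local test database; the service is
          # only reachable from this runner and is destroyed with it.
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    steps:
      - uses: actions/checkout@v3
        # Needed by sonar to get the git history for the branch the PR will be merged into.
        with:
          fetch-depth: 0
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Git secrets setup
        # Same pinned commit as the build job; keep the two in sync when bumping.
        run: |
          git clone https://github.com/awslabs/git-secrets.git ~/git-secrets
          cd ~/git-secrets
          git checkout 99d01d58ebcc06e237c0e3f3ff5ae628aeef6aa6
          sudo make install
      - name: Secrets check
        run: |
          # minnie-kenny.sh shells out to `say`; point it at echo on Linux runners.
          sudo ln -sf "$(which echo)" /usr/local/bin/say
          ./minnie-kenny.sh --force
          git secrets --scan-history
      - name: initialize the database
        env:
          PGPASSWORD: postgres
        run: |
          psql -h localhost -U postgres -f ./scripts/postgres-init.sql
      - name: Test with coverage
        # `--scan` publishes a Gradle build scan (build environment and task data)
        # to the configured build-scan server; drop the flag if that information
        # must not leave the runner.
        run: ./gradlew --build-cache service:test jacocoTestReport --scan
      # The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
      - name: SonarQube scan
        run: ./gradlew --build-cache sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Alerts only on failed pushes to main (not on PRs), and never for bump merges.
  notify-slack:
    needs: [ bump-check, build, tests-and-sonarqube ]
    runs-on: ubuntu-latest
    if: failure() && github.event_name == 'push' && needs.bump-check.outputs.is-bump == 'no'
    steps:
      - name: Notify WSM Slack on Failure
        uses: broadinstitute/action-slack@v3.8.0
        # see https://github.com/broadinstitute/action-slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        with:
          status: failure
          channel: "#terra-wsm-alerts"
          username: "TPS push to main branch"
          author_name: "build-and-test"
          icon_emoji: ":triangular_ruler:"
          fields: job, commit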