
modify ci permissions #31


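# React.js CI
#
# Lints/tests the two npm packages (quiz-app, backend), runs SonarCloud and
# Snyk on the sources, builds and pushes both container images, scans the
# images and the Kubernetes manifests, and finally bumps the image tags in
# the manifests on main.
#
# Security notes for maintainers:
# - The default GITHUB_TOKEN is read-only for the whole workflow; only the
#   jobs that genuinely need more (SARIF upload, manifest commit) widen it.
# - Several third-party actions are referenced by a moving branch
#   (`@master`). A pushed change to that branch runs with this repository's
#   secrets. Pin each to a release tag or, better, a full commit SHA, e.g.
#   `uses: owner/action@<full-commit-sha>  # vX.Y.Z` (placeholder; look up
#   the SHA of the release you intend to use).
# - Secrets reach shell steps through `env:` rather than by interpolating
#   `${{ secrets.* }}` into the command text, so they never appear on a
#   process command line or in `set -x` style output.
# - The Snyk source/code scans use `continue-on-error: true`, so their
#   findings are reported but do NOT gate the image build. Only the
#   `k8s-manifest-scan` job is blocking.
---
name: React.js CI

on:
  push:
    branches: "main"

# Least privilege for the default token; jobs opt in to more below.
permissions:
  contents: read

jobs:
  frontend-test:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./quiz-app
    strategy:
      matrix:
        node-version: [20.x]
        architecture: [x64]
    steps:
      - name: Check-out git repository
        uses: actions/checkout@v4
      - name: USE NODEJS ${{ matrix.node-version }} - ${{ matrix.architecture }}
        uses: actions/setup-node@v4
        with:
          # Previously the matrix values were only used in the step name and
          # never reached setup-node, so the runner's default Node was used.
          node-version: ${{ matrix.node-version }}
          architecture: ${{ matrix.architecture }}
      - name: Install project dependencies
        # working-directory comes from defaults.run above.
        run: |
          npm i
          npm run lint
          npm install --save-dev --save-exact prettier
          npm run prettier
          npm test
        env:
          CI: "true"
      - name: Build
        run: npm run build
      # Setup sonar-scanner
      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v8
      - name: Analyze with SonarCloud
        # TODO(pin): moving ref; pin to a release tag or commit SHA.
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets._GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: quiz-app
          # `-Dsonar.login=<token>` is intentionally not passed: the action
          # authenticates from the SONAR_TOKEN env var, and putting the token
          # in args would place it on the scanner command line.
          args: >
            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
            -Dsonar.host.url=${{ secrets.SONAR_URL }}
            -Dsonar.sources=src/
            -Dsonar.verbose=true

  backend-test:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./backend
    strategy:
      matrix:
        node-version: [20.x]
        architecture: [x64]
    steps:
      - name: Check-out git repository
        uses: actions/checkout@v4
      - name: USE NODEJS ${{ matrix.node-version }} - ${{ matrix.architecture }}
        uses: actions/setup-node@v4
        with:
          # Same fix as frontend-test: feed the matrix into setup-node.
          node-version: ${{ matrix.node-version }}
          architecture: ${{ matrix.architecture }}
      - name: Install project dependencies
        run: |
          npm i
          npm run lint
          npm install --save-dev --save-exact prettier
          npm run prettier
          npm test
        env:
          CI: "true"
      # Setup sonar-scanner
      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v8
      - name: Analyze with SonarCloud
        # TODO(pin): moving ref; pin to a release tag or commit SHA.
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets._GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: backend
          # Token comes from SONAR_TOKEN env; see frontend-test.
          args: >
            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
            -Dsonar.host.url=${{ secrets.SONAR_URL }}
            -Dsonar.sources=.
            -Dsonar.verbose=true

  frontend-security:
    needs: frontend-test
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./quiz-app
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        # TODO(pin): moving ref; pin to a release tag or commit SHA.
        uses: snyk/actions/node@master
        # Findings are reported but never fail the job, so they do not gate
        # the image build downstream. Remove this line to make the gate block.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # defaults.run.working-directory applies only to `run:` steps; a
          # `uses:` step executes at the repository root, so name the
          # package manifest explicitly or the scan silently misses it.
          args: --file=quiz-app/package.json
      - name: Install Snyk CLI
        uses: snyk/actions/setup@master
        with:
          version: latest
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Snyk Code Test
        # The CLI authenticates from SNYK_TOKEN in env; the former
        # `snyk auth <token>` step exposed the token on a command line.
        run: snyk code test --all-projects
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

  backend-security:
    needs: backend-test
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./backend
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        # TODO(pin): moving ref; pin to a release tag or commit SHA.
        uses: snyk/actions/node@master
        # Non-blocking, see frontend-security.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # `uses:` steps ignore defaults.run.working-directory.
          args: --file=backend/package.json
      - name: Install Snyk CLI
        uses: snyk/actions/setup@master
        with:
          version: latest
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Snyk Code Test
        # Authenticates from SNYK_TOKEN in env.
        run: snyk code test --all-projects
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

  frontend-image:
    needs: frontend-security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by the upload-sarif step
      actions: read           # required by upload-sarif on private repos
    steps:
      - uses: actions/checkout@v4
      - name: Build and push frontend Docker image
        working-directory: ./quiz-app
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          IMAGE_TAG: ${{ github.run_number }}
        run: |
          docker build . -t "$DOCKER_USERNAME/frontend-js:$IMAGE_TAG"
          echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
          docker push "$DOCKER_USERNAME/frontend-js:$IMAGE_TAG"
      - name: Run Trivy vulnerability scanner
        # TODO(pin): moving ref; pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/frontend-js:${{ github.run_number }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy results to code scanning
        # Previously the SARIF file was written and then discarded, leaving
        # the security-events: write permission unused.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Install Snyk CLI
        uses: snyk/actions/setup@master
        with:
          snyk-token: ${{ secrets.SNYK_TOKEN }}
      - name: Snyk Container monitor
        # Monitor the tag that was just pushed; without a tag Snyk would
        # look for `:latest`, which this workflow never publishes.
        working-directory: ./quiz-app
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          IMAGE_TAG: ${{ github.run_number }}
        run: snyk container monitor "$DOCKER_USERNAME/frontend-js:$IMAGE_TAG" --file=Dockerfile
      - name: Run Snyk to check for vulnerabilities in the Docker image
        uses: snyk/actions/docker@master
        with:
          image: ${{ secrets.DOCKER_USERNAME }}/frontend-js:${{ github.run_number }}
          args: --file=quiz-app/Dockerfile --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

  backend-image:
    needs: backend-security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by the upload-sarif step
      actions: read           # required by upload-sarif on private repos
    steps:
      - uses: actions/checkout@v4
      - name: Build and push backend Docker image
        working-directory: ./backend
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          IMAGE_TAG: ${{ github.run_number }}
        run: |
          docker build . -t "$DOCKER_USERNAME/backend-api:$IMAGE_TAG"
          echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
          docker push "$DOCKER_USERNAME/backend-api:$IMAGE_TAG"
      - name: Run Trivy vulnerability scanner
        # TODO(pin): moving ref; pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/backend-api:${{ github.run_number }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy results to code scanning
        # See frontend-image: the SARIF output was never uploaded before.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Install Snyk CLI
        uses: snyk/actions/setup@master
        with:
          snyk-token: ${{ secrets.SNYK_TOKEN }}
      - name: Snyk Container monitor
        # Monitor the tag that was just pushed (see frontend-image).
        working-directory: ./backend
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          IMAGE_TAG: ${{ github.run_number }}
        run: snyk container monitor "$DOCKER_USERNAME/backend-api:$IMAGE_TAG" --file=Dockerfile
      - name: Run Snyk to check for vulnerabilities in the Docker image
        uses: snyk/actions/docker@master
        with:
          image: ${{ secrets.DOCKER_USERNAME }}/backend-api:${{ github.run_number }}
          args: --file=backend/Dockerfile --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

  # Blocking gate: no continue-on-error, so high-severity IaC findings stop
  # the manifest update below.
  k8s-manifest-scan:
    needs: [backend-security, frontend-security]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          file: kubernetes-manifest/
          args: --severity-threshold=high

  update-images-at-manifest-files:
    needs: [k8s-manifest-scan, backend-image, frontend-image]
    runs-on: ubuntu-latest
    permissions:
      contents: write  # the only job that writes back to the repository
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Git
        run: |
          git config user.email "ebrahem.mohamedzaghloul@gmail.com"
          git config user.name "ibrahimzaghloul"
      - name: Change image version in frontend and backend deployment files
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          IMAGE_TAG: ${{ github.run_number }}
        run: |
          echo "change image version .."
          sed -i "s|image:.*frontend-js:.*|image: $DOCKER_USERNAME/frontend-js:$IMAGE_TAG|g" kubernetes-manifest/frontend.yaml
          sed -i "s|image:.*backend-api:.*|image: $DOCKER_USERNAME/backend-api:$IMAGE_TAG|g" kubernetes-manifest/backend.yaml
      - name: Commit changes
        env:
          IMAGE_TAG: ${{ github.run_number }}
        run: |
          # Stage only the two files this job is meant to touch (not `.`),
          # and skip the commit when a re-run yields no diff, since
          # `git commit` with nothing staged exits non-zero.
          git add kubernetes-manifest/frontend.yaml kubernetes-manifest/backend.yaml
          git diff --cached --quiet || git commit -m "Update deployment image to version $IMAGE_TAG"
      - name: Push changes
        uses: ad-m/github-push-action@v0.6.0
        with:
          # NOTE(review): `_GITHUB_TOKEN` is a repository secret, presumably a
          # personal access token. With `contents: write` granted to this job,
          # the built-in `${{ github.token }}` would suffice for a push to main
          # and carries no scope beyond this repository — confirm and switch.
          github_token: ${{ secrets._GITHUB_TOKEN }}
          branch: main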