diff --git a/.github/workflows/bench.yaml b/.github/workflows/bench.yaml
new file mode 100644
index 00000000..1ae15e50
--- /dev/null
+++ b/.github/workflows/bench.yaml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Benchmark CI
+env:
+ GITHUB_TOKEN: ${{ secrets.GH_WRITE_TOKEN }}
+ REPO_NAME: 'performance-benchmark'
+ PROCCESSOR_REPO_NAME: ${{ github.event.repository.name }}
+on:
+ push:
+ branches:
+ - 'main'
+jobs:
+ bench:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone repo
+ run: |
+ git clone https://user:$GITHUB_TOKEN@github.com/${{ github.repository_owner }}/${{ env.REPO_NAME }}
+ cd ${{ env.REPO_NAME }}
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+ - name: Switch to temp branch
+ run: |
+ cd ${{ env.REPO_NAME }}
+ git checkout temp-holder
+ git pull
+ cat "${{ env.PROCCESSOR_REPO_NAME }}".csv >> "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
+ git add "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
+ git stash
+ git checkout main
+ git stash apply
+ - name: Write data
+ run: |
+ cd ${{ env.REPO_NAME }}
+ echo -n $'\n' >> "${{ env.PROCCESSOR_REPO_NAME }}".csv
+ cat "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp >> "${{ env.PROCCESSOR_REPO_NAME }}".csv
+ git reset "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
+ git add "${{ env.PROCCESSOR_REPO_NAME }}".csv
+ git commit -m "#${{ github.event.number }} Pushed update of ${{ env.PROCCESSOR_REPO_NAME }}"
+ - name: push data
+ run: |
+ cd ${{ env.REPO_NAME }}
+ git push origin main
\ No newline at end of file
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 482882bf..500f7d36 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -17,10 +17,10 @@ name: Codacy Security Scan
 on:
 push:
- branches: [ "main" ]
+ branches: [ "dev", "main" ]
 pull_request:
 # The branches below must be a subset of the branches above
- branches: [ "main" ]
+ branches: [ "dev", "main" ]
 schedule:
 - cron: '17 0 * * 4'
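Review bot: The `Clone repo` step puts the write token into the clone URL (`git clone https://user:$GITHUB_TOKEN@github.com/...`), so the secret is stored as the remote URL in the clone's `.git/config` and can surface in any later git error output from the three following steps; exposing it as a workflow-level `GITHUB_TOKEN` env also makes the PAT visible to every step rather than only the one that needs it. Let `actions/checkout` fetch the benchmark repository with `repository:`/`token:`/`path:` instead, which stores the credential as a scrubbed header and cleans it up, and keep the git identity config as its own step (rewrite below). Separately, the workflow only fires on `push` to `main`, where `github.event.number` is not populated, so the message in `Write data` becomes `# Pushed update of ...`; `${{ github.sha }}` identifies the triggering commit on push events.
```yaml
      - name: Clone repo
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/${{ env.REPO_NAME }}
          token: ${{ secrets.GH_WRITE_TOKEN }}
          path: ${{ env.REPO_NAME }}
          fetch-depth: 0   # later steps switch between temp-holder and main
      - name: Configure git identity
        run: |
          cd ${{ env.REPO_NAME }}
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
      # … unchanged: Switch to temp branch, Write data, push data …
```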
@@ -42,7 +42,7 @@ jobs: # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI - uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + uses: codacy/codacy-analysis-cli-action@3ff8e64eb4b714c4bee91b7b4eea31c6fc2c4f93 with: # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository # You can also omit the token and run the tools that support default configurations @@ -58,6 +58,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 33c05fca..88abae3e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,10 +15,10 @@ name: "CodeQL" on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '34 0 * * 4' @@ -46,7 +46,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # โ„น๏ธ Command-line programs to run using the OS shell. # ๐Ÿ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 
@@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/commit-message.yaml b/.github/workflows/commit-message.yaml new file mode 100644 index 00000000..70484e60 --- /dev/null +++ b/.github/workflows/commit-message.yaml 
@@ -0,0 +1,66 @@ +# SPDX-License-Identifier: Apache-2.0 + +# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. +# Contact @moabu +name: 'Commit Message Check' +on: + pull_request: + types: + - opened + - edited + - reopened + - synchronize + push: + branches: [ "dev", "main" ] + +jobs: + check-commit-message: + name: Check Commit Message + runs-on: ubuntu-latest + + steps: + - name: Checkout Project + uses: actions/checkout@v4 + with: + # We need to fetch with a depth of 2 for pull_request so we can do HEAD^2 + fetch-depth: 2 + + - uses: actions/setup-node@v4.0.0 + with: + node-version: 14 + + - run: | + npm install --save-dev @commitlint/{config-conventional,cli} + echo "module.exports = {extends: ['@commitlint/config-conventional']};" > commitlint.config.js + + # If this workflow was triggered by a push then resolve the commit message from HEAD + - name: "[Push] Check Commit Standard" + if: github.event_name == 'push' || github.event_name == 'pull_request_target' + id: push_get_commit_message + run: | + git log --format=%B -n 1 HEAD | npx commitlint |& tee -a output.txt + echo "::set-output name=errormsg::$(tr -d "\n\r" < output.txt)" + git log --format=%B -n 1 HEAD | npx commitlint + continue-on-error: true + + # If this workflow was triggered by a pull request (open or synchronize!) 
then resolve the commit message from HEAD^2 + - name: "[Pull Request] Check Commit Standard" + if: github.event_name == 'pull_request' + id: pr_get_commit_message + run: | + git log --format=%B -n 1 HEAD^2 | npx commitlint |& tee -a output.txt + echo "::set-output name=errormsg::$(tr -d "\n\r" < output.txt)" + git log --format=%B -n 1 HEAD^2 | npx commitlint + continue-on-error: true + + - name: "[Push] Report Commit Standard Status" + if: steps.push_get_commit_message.outcome != 'success' && github.event_name == 'push' + run: | + curl -X POST -H 'Content-Type: application/json' --data '{"alias":"Mo-Auto","emoji":":robot:","text":":x: :cry: I am reporting a bad [commit](https://github.com/${{github.repository}}/commit/${{github.sha}}) by :thinking_face: @${{github.actor}} :x:","attachments":[{"title":"GitHub user behavior reporter","title_link":"https://www.conventionalcommits.org","text":"We are not too happy with your last [commit](https://github.com/${{github.repository}}/commit/${{github.sha}}). Here is why : ${{ steps.push_get_commit_message.outputs.errormsg }}","color":"#764FA5"}]}' ${{ secrets.GITHUBUSERBEHAVIORSLACKREPORTER }} + exit 1 + + - name: "[Pull Request] Report Commit Standard Status" + if: steps.pr_get_commit_message.outcome != 'success' && github.event_name == 'pull_request' + run: | + curl -X POST -H 'Content-Type: application/json' --data '{"alias":"Mo-Auto","emoji":":robot:","text":":x: :cry: I am reporting a bad [commit](https://github.com/${{github.repository}}/tree/$GITHUB_HEAD_REF) by :thinking_face: @${{github.actor}} :x:","attachments":[{"title":"GitHub user behavior reporter","title_link":"https://www.conventionalcommits.org","text":"We are not too happy with your last commit merging into https://github.com/${{github.repository}}/tree/${{github.base_ref}}. Here is why : ${{ steps.pr_get_commit_message.outputs.errormsg }}","color":"#764FA5"}]}' ${{ secrets.GITHUBUSERBEHAVIORSLACKREPORTER }} + exit 1 
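Review bot: Both `Report Commit Standard Status` steps splice `${{ steps.*.outputs.errormsg }}` directly into the shell command line inside the single-quoted `--data` argument; that output is commitlint's report, which echoes the commit message itself, so a PR author can craft a message with a `'` and shell metacharacters that closes the quote and runs as a command on the runner while `secrets.GITHUBUSERBEHAVIORSLACKREPORTER` is in scope. Pass the value through `env:` and build the JSON with `jq` instead of string interpolation; the rewrite below is for the push variant and the pull_request variant needs the same treatment. Two smaller points in the same hunk: `::set-output name=errormsg::…` is the deprecated workflow command and should write `errormsg=$(tr -d "\n\r" < output.txt) >> "$GITHUB_OUTPUT"` instead, and the `if:` on `[Push] Check Commit Standard` tests for `pull_request_target`, an event this workflow does not subscribe to, so that clause is dead.
```yaml
      - name: "[Push] Report Commit Standard Status"
        if: steps.push_get_commit_message.outcome != 'success' && github.event_name == 'push'
        env:
          ERRORMSG: ${{ steps.push_get_commit_message.outputs.errormsg }}
          COMMIT_URL: https://github.com/${{ github.repository }}/commit/${{ github.sha }}
          ACTOR: ${{ github.actor }}
          WEBHOOK_URL: ${{ secrets.GITHUBUSERBEHAVIORSLACKREPORTER }}
        run: |
          payload=$(jq -n --arg msg "$ERRORMSG" --arg url "$COMMIT_URL" --arg actor "$ACTOR" '{
            alias: "Mo-Auto", emoji: ":robot:",
            text: ":x: :cry: I am reporting a bad [commit](\($url)) by :thinking_face: @\($actor) :x:",
            attachments: [{ title: "GitHub user behavior reporter",
                            title_link: "https://www.conventionalcommits.org",
                            text: "We are not too happy with your last [commit](\($url)). Here is why : \($msg)",
                            color: "#764FA5" }] }')
          curl -X POST -H 'Content-Type: application/json' --data "$payload" "$WEBHOOK_URL"
          exit 1
```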
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
new file mode 100644
index 00000000..68efbd26
--- /dev/null
+++ b/.github/workflows/conventional-commits.yml
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards.
+
+name: PR Conventional Commit Validation
+
+on:
+ # Trigger this workflow on specific events related to pull requests
+ pull_request:
+ types: [opened, synchronize, reopened, edited]
+
+jobs:
+ validate-pr-title:
+ runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
+
+ - name: PR Conventional Commit Validation
+ uses: ytanikin/PRConventionalCommits@1.1.0 # Use the PRConventionalCommits action to validate PR titles
+ with:
+ # Define the task types that are valid for conventional commits
+ task_types: '["build","ci","docs","feat","fix","perf","refactor","style","test","feat!"]'
+ # Map the conventional commit types to corresponding GitHub labels
+ custom_labels: '{"build": "build", "ci": "CI/CD", "docs": "documentation", "feat": "enhancement", "fix": "bug", "perf": "performance", "refactor": "refactor", "style": "style", "test": "test", "feat!": "enhancement breaking change"}'
+ # Use a personal access token (GITHUB_TOKEN) stored in GitHub secrets for authentication
+ token: ${{ secrets.GITHUB_TOKEN }}
+ add_label: 'true'
diff --git a/.github/workflows/dco-check.yaml b/.github/workflows/dco-check.yaml
new file mode 100644
index 00000000..a9c9b5e4
--- /dev/null
+++ b/.github/workflows/dco-check.yaml
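Review bot: `add_label: 'true'` asks the action to write labels to the pull request, but `validate-pr-title` declares no `permissions:`, so whether that works depends on the repository's default `GITHUB_TOKEN` scope; declare `permissions:` with `pull-requests: write` and `contents: read` on the job so it runs under a read-only default and holds nothing beyond what labelling needs. The comment above `token:` calls the value a "personal access token", while the value is the workflow's own `GITHUB_TOKEN`; reword it to `# The workflow's GITHUB_TOKEN; presumably used to apply labels, so pull-requests: write is required`. `ytanikin/PRConventionalCommits@1.1.0` references a mutable tag on a third-party action, whereas the other third-party actions in this commit (docker-image-scan, dockerfile-linter, scorecard) are pinned to full commit SHAs; pin this one the same way for consistency and auditability.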
@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance.
+
+name: DCO
+
+# Trigger the workflow on pull request events
+on: [pull_request]
+
+jobs:
+ dco:
+ # Define the runner environment
+ runs-on: ubuntu-latest
+
+ steps:
+ # Step to check out the repository
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available
+
+ # Step to check each commit in the pull request for a Signed-off-by line
+ - name: Check for DCO Sign-off
+ run: |
+ # Get the base branch and head branch of the pull request
+ base_branch=${{ github.event.pull_request.base.ref }}
+ head_branch=${{ github.event.pull_request.head.ref }}
+
+ # Get the list of commit hashes between the head branch and base branch
+ commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch})
+ non_compliant_commits=""
+
+ # Loop through each commit and check for the Signed-off-by line
+ for commit in $commits; do
+ # Check if the commit message contains the Signed-off-by line
+ if ! git show --quiet --format=%B $commit | grep -q "^Signed-off-by: "; then
+ # If not, add the commit hash to the list of non-compliant commits
+ non_compliant_commits="$non_compliant_commits $commit"
+ fi
+ done
+
+ # If there are any non-compliant commits, output their hashes and fail the job
+ if [ -n "$non_compliant_commits" ]; then
+ echo "The following commits do not have a Signed-off-by line:"
+ for commit in $non_compliant_commits; do
+ echo "- $commit"
+ done
+ exit 1
+ fi
+ shell: bash
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index c13575a2..b8a269e6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
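Review bot: The commit range in `Check for DCO Sign-off` is reversed: `origin/${head_branch}..origin/${base_branch}` selects commits reachable from the base branch but not from the PR head, i.e. everything except the PR's own commits, so the loop normally sees an empty list and the job passes without checking anything; for a fork PR `origin/<head.ref>` does not even exist, because only the merge ref is fetched. Use the event's base and head SHAs in base-to-head direction, and pass them through `env:` rather than interpolating `head.ref` (a branch name chosen by the PR author) into the script. The same reversed range and interpolation appear in gpg-verify.yml in this commit.
```yaml
      - name: Check for DCO Sign-off
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Commits introduced by the PR: reachable from head but not from base
          commits=$(git log --pretty=format:%H "$BASE_SHA".."$HEAD_SHA")
          non_compliant_commits=""
          # … unchanged: per-commit Signed-off-by loop and failure report …
        shell: bash
```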
@@ -19,4 +19,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/docker-image-scan.yaml b/.github/workflows/docker-image-scan.yaml new file mode 100644 index 00000000..6e5384b2 --- /dev/null +++ b/.github/workflows/docker-image-scan.yaml 
@@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ "dev", "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "dev" ] + schedule: + - cron: '23 6 * * 0' + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. 
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif diff --git a/.github/workflows/dockerfile-linter.yaml b/.github/workflows/dockerfile-linter.yaml new file mode 100644 index 00000000..89f8cb4d --- /dev/null +++ b/.github/workflows/dockerfile-linter.yaml 
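Review bot: `Upload result to GitHub Code Scanning` uses `github/codeql-action/upload-sarif@v2` while this same commit moves codacy.yml, codeql.yml and njsscan.yml to `@v3`; the v2 line is deprecated in favour of v3, so change this step to `uses: github/codeql-action/upload-sarif@v3` and do the same in the identical upload steps of dockerfile-linter.yaml, linting.yaml and terraform-security.yaml. `docker build -t your/image-to-test .` and `image: your/image-to-test` are the placeholder names from the Snyk starter template, so the scan as committed runs against a throwaway tag; replace both with the project's image name (a single workflow-level `env:` value keeps them in sync). The `permissions:` block and the `continue-on-error` on the Snyk step are appropriate as written.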
@@ -0,0 +1,49 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ "dev", "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "dev" ] + schedule: + - cron: '17 13 * * 0' + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run hadolint + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/.github/workflows/dockerhub-image-build.yaml b/.github/workflows/dockerhub-image-build.yaml new file mode 100644 index 00000000..dbf7b8fa --- /dev/null +++ b/.github/workflows/dockerhub-image-build.yaml 
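Review bot: The header comment reads `# hadoint is a Dockerfile linter written in Haskell`; the tool referenced by the `uses:` line and the link is hadolint, so the comment should read `# hadolint is a Dockerfile linter written in Haskell`. The `upload-sarif@v2` pin in `Upload analysis results to GitHub` is covered by the note on docker-image-scan.yaml.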
@@ -0,0 +1,60 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: Publish Docker image
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ push_to_registry:
+ name: Push Docker image to Docker Hub
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ attestations: write
+ id-token: write
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: my-docker-hub-namespace/my-docker-hub-repository
+
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+ with:
+ context: .
+ file: ./Dockerfile
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+
+ * name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml
new file mode 100644
index 00000000..5bc2b33a
--- /dev/null
+++ b/.github/workflows/gpg-verify.yml
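Review bot: The last step begins with `* name: Generate artifact attestation` instead of `- name:`; `*` is YAML's alias indicator, so the file fails to parse and GitHub rejects the whole workflow at load time — the fix is `- name: Generate artifact attestation`. The same step reads `${{ env.REGISTRY }}` and `${{ env.IMAGE_NAME}}`, but this file defines no `env:` at all, so once the YAML parses `subject-name` would expand to `/`; define the image name once at workflow level (`env:` with an `IMAGE_NAME` key set to the real namespace/repository) and use it for both `images:` in the metadata step, which still carries the template placeholder `my-docker-hub-namespace/my-docker-hub-repository`, and `subject-name:`. The three `docker/*` actions are SHA-pinned without a trailing `# vX.Y.Z` comment, unlike the pins in scorecard.yaml in this commit; adding the version comment keeps the pins auditable.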
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures.
+
+name: GPG Verify
+
+on: [pull_request] # Trigger this workflow on pull request events
+
+jobs:
+ gpg-verify:
+ runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
+ steps:
+ - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
+ with:
+ fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history
+
+ - name: Check GPG verification status # Step to check each commit for GPG signature verification
+ run: |
+ # Get the list of commits in the pull request
+ commits=$(git log --pretty=format:%H origin/${{ github.event.pull_request.head.ref }}..origin/${{ github.event.pull_request.base.ref }})
+
+ # Check the GPG verification status of each commit
+ for commit in $commits; do
+ status=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+ https://api.github.com/repos/${{ github.repository }}/commits/$commit/check-runs \
+ | jq -r '.check_runs[] | select(.name == "GPG verify") | .conclusion')
+
+ # If the GPG verification status is not successful, list the commit and exit with a non-zero status
+ if [[ "$status" != "success" ]]; then
+ echo "GPG signature verification failed for commit $commit."
+ exit 1
+ fi
+ done
diff --git a/.github/workflows/linting.yaml b/.github/workflows/linting.yaml
new file mode 100644
index 00000000..87bbd401
--- /dev/null
+++ b/.github/workflows/linting.yaml
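Review bot: The status lookup in `Check GPG verification status` cannot observe signature state: GitHub reports commit signature verification on the commit object (`GET /repos/{owner}/{repo}/commits/{sha}`, field `.commit.verification.verified`), not as a check run, and nothing visible in this commit creates a check run named "GPG verify", so `status` is empty for every commit and any commit the loop visits fails. In practice the loop visits none, because the `origin/<head.ref>..origin/<base.ref>` range is reversed and `head.ref` is interpolated into the script, the same defect already raised on dco-check.yaml, so the job passes vacuously. Rewrite the step against the commits endpoint with the SHAs and token passed through `env:`.
```yaml
      - name: Check GPG verification status
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Commits introduced by the PR: reachable from head but not from base
          commits=$(git log --pretty=format:%H "$BASE_SHA".."$HEAD_SHA")
          for commit in $commits; do
            verified=$(curl -s -H "Authorization: token $GH_TOKEN" \
              "https://api.github.com/repos/${{ github.repository }}/commits/$commit" \
              | jq -r '.commit.verification.verified')
            if [[ "$verified" != "true" ]]; then
              echo "Signature verification failed for commit $commit."
              exit 1
            fi
          done
```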
@@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ "dev", "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "dev", "main" ] + schedule: + - cron: '33 13 * * 1' + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/.github/workflows/milestone.yaml b/.github/workflows/milestone.yaml new file mode 100644 index 00000000..dd67ba30 --- /dev/null +++ b/.github/workflows/milestone.yaml 
@@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 + +name: Milestone Workflow + +on: + workflow_dispatch: + inputs: + milestoneId: + description: 'Milestone ID' + required: true + default: '1' + +jobs: + close_milestone: + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v2 + + - name: Setup Node.js (.npmrc) + uses: actions/setup-node@v3 + with: + node-version: 16.x + registry-url: https://npm.pkg.github.com/ + # Defaults to the user or organization that owns the workflow file + scope: '@frmscoe' + + - name: Install dependencies + run: npm ci + env: + GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + + - name: Close Milestone + run: | + ACCESS_TOKEN="${{ secrets.GITHUB_TOKEN }}" + MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }} + API_URL="https://api.github.com" + + curl -X PATCH \ + -H "Accept: application/vnd.github.v3+json" \ + -H "Authorization: Bearer $ACCESS_TOKEN" \ + -d '{"state": "closed"}' \ + $API_URL/repos/${{ github.repository }}/milestones/$MILESTONE_NUMBER + + - name: Trigger Release Workflow + uses: peter-evans/repository-dispatch@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + event-type: release + client-payload: '{"milestone_number": "${{ github.event.inputs.milestoneId }}"}' \ No newline at end of file diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml index 01239707..255c0f73 100644 --- a/.github/workflows/njsscan.yml +++ b/.github/workflows/njsscan.yml @@ -12,10 +12,10 @@ name: njsscan sarif on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: [ "dev", "main" ] schedule: - cron: '17 17 * * 1' 
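Review bot: `close_milestone` declares no `permissions:`, yet `Close Milestone` PATCHes a milestone (needs `issues: write`) and `Trigger Release Workflow` creates a `repository_dispatch` event (needs write access to contents), so under a read-only default `GITHUB_TOKEN` both steps fail with 403; add `permissions:` with `issues: write` and `contents: write` to the job. `MILESTONE_NUMBER=${{ github.event.inputs.milestoneId }}` interpolates a free-form dispatch input unquoted into the script; map it through `env:` (`MILESTONE_ID: ${{ github.event.inputs.milestoneId }}`) and use `MILESTONE_NUMBER="$MILESTONE_ID"`. The `Checkout Repository`, `Setup Node.js (.npmrc)` and `Install dependencies` steps are not used by either API call and bring in `actions/checkout@v2`, `actions/setup-node@v3` and `peter-evans/repository-dispatch@v1`, all on older runtimes than the `@v4` actions used elsewhere in this commit; drop the unused steps and move the dispatch action to a current release.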
@@ -39,6 +39,6 @@ jobs: with: args: '. --sarif --output results.sarif || true' - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml index a0c26056..10aa4560 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/node.js.yml 
@@ -4,213 +4,43 @@ # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs name: Node.js CI + env: - NODE_ENV: 'dev' - STARTUP_TYPE: 'nats' - SERVER_URL: 'nats://localhost:4222' - ACK_POLICY: 'None' - PRODUCER_STREAM: 'temp-rule-sub' - CONSUMER_STREAM: 'event-director' - STREAM_SUBJECT: - APM_ACTIVE: false - APM_LOGGING: false - FUNCTION_NAME: ${{ github.event.repository.name }} - REDIS_DB: 0 - REDIS_AUTH: - REDIS_SERVERS: '[{"host":"127.0.0.1", "port":6379}]' - REDIS_IS_CLUSTER: false - DATABASE_URL: 'http://localhost:8529/' - DATABASE_USER: 'root' - DATABASE_PASSWORD: - DATABASE_NAME: 'networkmap' - REPO_NAME: 'performance-benchmark' - GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - GH_RW_TOKEN: '${{ secrets.GH_WRITE_TOKEN }}' + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NPM_SCOPE: "@frmscoe" NPM_REGISTRY: "https://npm.pkg.github.com/" - ENV_NEWMAN: https://raw.githubusercontent.com/frmscoe/postman/indexes/environments/Ekuta-LOCAL.postman_environment.json - THRESHOLD: 5 - ITERATION_COUNT: 1000 + NODE_ENV: 'test' + STARTUP_TYPE: 'nats' + on: push: - branches: [ "main" ] + branches: [ "dev", "main" ] pull_request: - branches: [ "main" ] + branches: [ "dev", "main" ] jobs: build: runs-on: ubuntu-latest - outputs: - responseAverage: ${{ steps.newman_test.outputs.responseAverage }} - responseMin: ${{ steps.newman_test.outputs.responseMin }} - responseMax: ${{ steps.newman_test.outputs.responseMax }} - responseSd: ${{ steps.newman_test.outputs.responseSd }} - numberOfTest: ${{ steps.newman_test.outputs.numberOfTest }} - name: integration test - permissions: - packages: write - contents: read + name: run build strategy: matrix: - node-version: [20] - redis-version: [6] + node-version: [16, 20] steps: - uses: actions/checkout@v4 - - name: Start Arango - uses: xinova/arangodb-action@v1 - with: - arangodb version: 'latest' - - - name: Setup Arango - run: newman run 
https://raw.githubusercontent.com/frmscoe/postman/indexes/ArangoDB%20Setup.json -e ${{ env.ENV_NEWMAN }} --timeout-request 10200 - - - name: Startup Nats - uses: onichandame/nats-action@master - with: - port: 4222 - - - name: Startup Redis - uses: supercharge/redis-github-action@1.7.0 - with: - redis-version: ${{ matrix.redis-version }} - - - name: StartUp Nats-Rest Proxy - run: docker pull ghcr.io/frmscoe/nats-utilities:latest && docker run --network=host -e NODE_ENV='dev' ghcr.io/frmscoe/nats-utilities:latest & - - - name: Setup Node.js (.npmrc) - uses: actions/setup-node@v3 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 with: - node-version: 20.x - registry-url: https://npm.pkg.github.com/ - scope: '@frmscoe' - - - name: Install dependencies + node-version: ${{ matrix.node-version }} + cache: 'npm' + registry-url: ${{ env.NPM_REGISTRY }} + scope: ${{ env.NPM_SCOPE }} + - name: Install dependencies run: npm ci - - - name: Processor Build + - name: Run build run: npm run build - - name: Processor Start - run: npm run start & - - - name: Test Processor - run: newman run https://raw.githubusercontent.com/frmscoe/postman/main/micro_processors/EventDirectorSetupProcessor_Proxy_Test.postman_collection.json --iteration-count ${{ env.ITERATION_COUNT }} -e ${{ env.ENV_NEWMAN }} --timeout-request 10200 -r json --reporter-json-export fullReport.json - - - name: Extract Specific Field - id: newman_test - run: | - echo "##[set-output name=numberOfTest]$(jq -r '.run.stats.iterations.total' fullReport.json)" - echo "##[set-output name=responseSd]$(jq -r '.run.timings.responseSd' fullReport.json)" - echo "##[set-output name=responseMax]$(jq -r '.run.timings.responseMax' fullReport.json)" - echo "##[set-output name=responseMin]$(jq -r '.run.timings.responseMin' fullReport.json)" - echo "##[set-output name=responseAverage]$(jq -r '.run.timings.responseAverage' fullReport.json)" - - - name: Upload Results - uses: actions/upload-artifact@v3 - with: - 
name: Full_Report.json - path: fullReport.json - - pastbench: - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - outputs: - responseMax: ${{ steps.pre_test.outputs.responseMax }} - responseAverage: ${{ steps.pre_test.outputs.responseAverage }} - responseMin: ${{ steps.pre_test.outputs.responseMin }} - numberOfTest: ${{ steps.pre_test.outputs.numberOfTest }} - author: ${{ steps.pre_test.outputs.author }} - updatedAt: ${{ steps.pre_test.outputs.updatedAt }} - prNumber: ${{ steps.pre_test.outputs.prNumber }} - steps: - - name: Clone repo - run: | - git clone https://user:$GH_TOKEN@github.com/${{ github.repository_owner }}/${{ env.REPO_NAME }} - - name: Extract data - id: pre_test - run: | - cd ${{ env.REPO_NAME }} - input=$(tail -n 1 "${{ github.event.repository.name }}".csv) - echo "##[set-output name=responseMax]$(echo "$input" | awk -F ';' '{print $1}')" - echo "##[set-output name=responseAverage]$(echo "$input" | awk -F ';' '{print $2}')" - echo "##[set-output name=responseMin]$(echo "$input" | awk -F ';' '{print $3}')" - echo "##[set-output name=numberOfTest]$(echo "$input" | awk -F ';' '{print $4}')" - echo "##[set-output name=author]$(echo "$input" | awk -F ';' '{print $5}')" - echo "##[set-output name=updatedAt]$(echo "$input" | awk -F ';' '{print $6}')" - echo "##[set-output name=prNumber]$(echo "$input" | awk -F ';' '{print $7}')" - - output: - if: github.event_name == 'pull_request' - needs: [build, pastbench] - runs-on: ubuntu-latest - steps: - - name: Comment on PR - run: | - difference=$((${{ needs.pastbench.outputs.responseMax }} - ${{ needs.build.outputs.responseMax }})) - - if [ $difference -gt $THRESHOLD ]; then - COMMENT="โœ… Performance improved" - elif [ $difference -ge 0 ]; then - COMMENT="โœ”๏ธ Performance might have improved" - elif [ $difference -gt -$THRESHOLD ]; then - COMMENT="โš ๏ธ Performance might have declined" - else - COMMENT="โŒ Performance declined" - fi - - COMMENT_BODY="๐Ÿงช Newman Test Results
$COMMENT

Current number of tests is ${{ needs.build.outputs.numberOfTest }} and previous was ${{ needs.pastbench.outputs.numberOfTest }}

Response stats
  • Current response average is ${{ needs.build.outputs.responseAverage }}ms and previous was ${{ needs.pastbench.outputs.responseAverage }}ms
  • Current response min is ${{ needs.build.outputs.responseMin }}ms and previous was ${{ needs.pastbench.outputs.responseMin }}ms
  • Current response max is ${{ needs.build.outputs.responseMax }}ms and previous was ${{ needs.pastbench.outputs.responseMax }}ms
  • Response standard deviation ${{ needs.build.outputs.responseSd }}ms

    Previous PR was merged by ${{ needs.pastbench.outputs.author }} and Pull request number is #${{ needs.pastbench.outputs.prNumber }} at ${{ needs.pastbench.outputs.updatedAt }}" - - API_URL="https://api.github.com/repos/${{github.repository}}/issues/${{github.event.number}}/comments" - curl -X POST \ - -H "Authorization: Bearer ${{ env.GH_TOKEN }}" \ - -H "Content-Type: application/json" \ - --data-raw "{\"body\":\"$COMMENT_BODY\",\"assignee\":\"actions-user\"}" \ - $API_URL - - store: - if: github.event_name == 'pull_request' - needs: build - runs-on: ubuntu-latest - steps: - - name: Store data - run: | - # GitHub repository details - repo_owner="${{ github.repository_owner }}" - repo_name="${{ env.REPO_NAME }}" - branch_name="temp-holder" - file_path="${{ env.FUNCTION_NAME }}".csv - - # Personal access token with repo scope - access_token="${{ env.GH_RW_TOKEN }}" - - new_content="${{ needs.build.outputs.responseMax }};${{ needs.build.outputs.responseAverage }};${{ needs.build.outputs.responseMin }};${{ needs.build.outputs.numberOfTest }};${{ github.actor }};${{ github.event.pull_request.updated_at }};${{ github.event.number}}" - updated_content="$new_content" - updated_content_base64=$(echo -n "$updated_content" | base64) - - # Get the current content SHA - current_content_sha=$(curl -s -H "Authorization: token $access_token" \ - "https://api.github.com/repos/$repo_owner/$repo_name/contents/$file_path?ref=$branch_name" \ - | jq -r '.sha') - - request_payload=$(cat <> "$CHANGELOG_FILE" diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml new file mode 100644 index 00000000..b21d8848 --- /dev/null +++ b/.github/workflows/scorecard.yaml 
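Review bot: On the new side, `Install dependencies` runs `npm ci` against the `@frmscoe` scope on `npm.pkg.github.com` (set up via `registry-url`/`scope` in the preceding setup-node step), but the step sets no `NODE_AUTH_TOKEN`; setup-node writes an `.npmrc` whose auth token is read from that variable, and GitHub Packages requires a token to install npm packages, so the install fails unless auth comes from somewhere not visible here — add `env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to that step. The rewritten `build` job also drops the `permissions:` block the old job had, so it runs with the repository default; declare `permissions: contents: read` plus `packages: read` on the job. The workflow-level `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is not referenced by any remaining step and only widens where the token is visible; drop it if nothing outside this hunk reads it. The tail of this hunk appears truncated in the view available to me (`request_payload=$(cat <> "$CHANGELOG_FILE"`), so removed-side lines after that point were not reviewed.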
@@ -0,0 +1,75 @@ +# SPDX-License-Identifier: Apache-2.0 + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '35 3 * * 3' + push: + branches: [ "dev", "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/.github/workflows/terraform-security.yaml b/.github/workflows/terraform-security.yaml new file mode 100644 index 00000000..ea0b88eb --- /dev/null +++ b/.github/workflows/terraform-security.yaml 
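Review bot: `push: branches: [ "dev", "main" ]` departs from the Scorecard template's default-branch-only push trigger; the comment above `branch_protection_rule` already says only the default branch is supported, and as far as I recall scorecard-action only publishes results (`publish_results: true`) when run on the default branch, so the `dev` runs would just spend runner time and upload an extra SARIF per push — restrict the trigger to `branches: [ "main" ]` unless the dev results are wanted in code scanning. `actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20` is on the v3 line, which GitHub has deprecated; move to a SHA pin of a v4 release. The rest of the job keeps the template's good shape: `permissions: read-all` with per-job elevation, `persist-credentials: false` on checkout, and SHA pins with version comments.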
@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: tfsec
+
+on:
+ push:
+ branches: [ "dev", "main" ]
+ pull_request:
+ branches: [ "dev" ]
+ schedule:
+ - cron: '31 11 * * 1'
+
+jobs:
+ tfsec:
+ name: Run tfsec sarif report
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Clone repo
+ uses: actions/checkout@v4
+
+ - name: Run tfsec
+ uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
+ with:
+ sarif_file: tfsec.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: tfsec.sarif