145 lines
3.1 KiB
YAML
145 lines
3.1 KiB
YAML
name: Code Review - TypeScript
|
|
|
|
on:
|
|
pull_request:
|
|
branches: ['main', 'dev']
|
|
paths: ['ts/**', 'yarn.lock']
|
|
push:
|
|
paths: ['ts/**', 'yarn.lock']
|
|
|
|
jobs:
|
|
format:
|
|
name: Format
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup Node
|
|
uses: actions/setup-node@v3
|
|
with:
|
|
node-version: '16'
|
|
cache: 'yarn'
|
|
|
|
- name: Install dependencies
|
|
run: yarn install --frozen-lockfile
|
|
|
|
- name: Format
|
|
run: yarn format
|
|
|
|
lint:
|
|
name: Lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup Node
|
|
uses: actions/setup-node@v3
|
|
with:
|
|
node-version: '16'
|
|
cache: 'yarn'
|
|
|
|
- name: Install dependencies
|
|
run: yarn install --frozen-lockfile
|
|
|
|
- name: Lint
|
|
run: yarn lint
|
|
|
|
test:
|
|
name: Test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup Node
|
|
uses: actions/setup-node@v3
|
|
with:
|
|
node-version: '16'
|
|
cache: 'yarn'
|
|
|
|
- name: Install dependencies
|
|
run: yarn install --frozen-lockfile
|
|
|
|
- name: Run Test
|
|
run: yarn test
|
|
|
|
sast:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: returntocorp/semgrep
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Run semgrep
|
|
run: semgrep ci --sarif --output=semgrep-results.sarif
|
|
env:
|
|
SEMGREP_RULES: p/typescript
|
|
|
|
- name: Upload output
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
if: always()
|
|
with:
|
|
sarif_file: semgrep-results.sarif
|
|
|
|
sca:
|
|
name: Dependency Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
# Report all vulnerabilities in security tab
|
|
- name: Report on all vulnerabilities
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: 'yarn.lock'
|
|
ignore-unfixed: true
|
|
hide-progress: true
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
|
|
# Fail the job on critical vulnerabiliies with fix available
|
|
- name: Fail on critical vulnerabilities
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: 'yarn.lock'
|
|
ignore-unfixed: true
|
|
hide-progress: true
|
|
format: 'table'
|
|
severity: 'CRITICAL'
|
|
exit-code: '1'
|
|
|
|
- name: Upload output
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
yarn-pass:
|
|
name: Yarn tests pass
|
|
needs: ['format', 'lint', 'test']
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo ok
|
|
|
|
security-pass:
|
|
name: Security tests pass
|
|
needs: ['sca', 'sast']
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo ok
|
|
|
|
all-pass:
|
|
name: All tests pass 🚀
|
|
needs: ['yarn-pass', 'security-pass']
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo ok
|