fix(ci): init cleanup and job consolidation (#209)

bcgov · Jan 31, 2024 · 8012fe0 · 8012fe0
1 parent eb97282
commit 8012fe0
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 200 deletions.
diff --git a/.github/workflows/unit-tests.yml → .github/workflows/analysis.yml b/.github/workflows/unit-tests.yml → .github/workflows/analysis.yml
@@ -1,4 +1,4 @@
-name: Unit Tests and Analysis
+name: Analysis
 
 on:
   pull_request:
@@ -12,15 +12,15 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  tests-backend:
-    name: Backend Unit Tests
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+  tests:
+    name: Tests
+    if: ${{ ! github.event.pull_request.draft }}
     runs-on: ubuntu-22.04
     steps:
       - uses: bcgov-nr/[email protected]
         with:
           commands: |
-            mvn -B verify -Pall-tests checkstyle:checkstyle -Dcheckstyle.skip=false --file pom.xml
+            mvn -B verify -P all-tests checkstyle:checkstyle -Dcheckstyle.skip=false
           dir: .
           java-cache: maven
           java-distribution: temurin
@@ -29,6 +29,7 @@ jobs:
             -Dsonar.organization=bcgov-sonarcloud
             -Dsonar.projectKey=bcgov_forest-client-api
           sonar_token: ${{ secrets.SONAR_TOKEN }}
+
       - name: Archive CycloneDX
         continue-on-error: true
         uses: actions/upload-artifact@v4
@@ -66,24 +67,38 @@ jobs:
 
   # https://github.com/marketplace/actions/aqua-security-trivy
   trivy:
-    name: Repository Report
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    name: Trivy Security Scan
+    if: ${{ ! github.event.pull_request.draft }}
     runs-on: ubuntu-22.04
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/[email protected]
         with:
-          scan-type: "fs"
           format: "sarif"
-          output: "trivy-results.sarif"
           ignore-unfixed: true
-          severity: "CRITICAL,HIGH"
+          output: "trivy-results.sarif"
+          scan-type: "fs"
           scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: "trivy-results.sarif"
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: "temurin"
+          java-version: "17"
+          cache: "maven"
+      - uses: github/codeql-action/init@v3
+      - run: ./mvnw clean package
+      - uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/merge-main.yml → .github/workflows/merge.yml b/.github/workflows/merge-main.yml → .github/workflows/merge.yml
@@ -1,98 +1,23 @@
-name: Merge to Main
+name: Merge
 
 on:
   push:
-    branches:
-      - main
+    branches: [main]
     paths-ignore:
       - "**.md"
   workflow_dispatch:
 
 env:
-  REGISTRY: ghcr.io
-  NAME: ${{ github.event.repository.name }}
+  DOMAIN: apps.silver.devops.gov.bc.ca
   NS: nr-d2723f
 
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
 jobs:
-  codeql:
-    name: Semantic Code Analysis
-    runs-on: ubuntu-22.04
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Initialize
-        uses: github/codeql-action/init@v3
-        with:
-          languages: java
-
-      - name: Set up JDK 17 and Caching maven dependencies
-        uses: actions/setup-java@v4
-        with:
-          distribution: "temurin"
-          java-version: "17"
-          cache: "maven"
-
-      - name: Build for Java
-        run: ./mvnw clean package
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-
-  sonarcloud:
-    name: Static Analysis
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: bcgov-nr/[email protected]
-        with:
-          commands: |
-            mvn -B verify -P all-tests checkstyle:checkstyle -Dcheckstyle.skip=false --file pom.xml
-          dir: .
-          java-cache: maven
-          java-distribution: temurin
-          java-version: "17"
-          sonar_args: >
-            -Dsonar.organization=bcgov-sonarcloud
-            -Dsonar.projectKey=bcgov_forest-client-api
-          sonar_token: ${{ secrets.SONAR_TOKEN }}
-
-  trivy-repo:
-    name: Repository Report
-    needs:
-      - codeql
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: "fs"
-          format: "sarif"
-          output: "trivy-results.sarif"
-          ignore-unfixed: true
-          severity: "CRITICAL,HIGH"
-          scanners: "vuln,secret,config"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: "trivy-results.sarif"
-
   deploy-test:
     name: TEST Deployment
-    needs:
-      - trivy-repo
-      - sonarcloud
     runs-on: ubuntu-22.04
     outputs:
       tag: ${{ steps.changelog.outputs.tag }}
@@ -101,12 +26,8 @@ jobs:
       discussions: write
     environment:
       name: test
-    env:
-      ZONE: test
-      DOMAIN: apps.silver.devops.gov.bc.ca
     steps:
       - uses: actions/checkout@v4
-
       - name: Deploys
         uses: bcgov-nr/[email protected]
         with:
@@ -123,7 +44,7 @@ jobs:
             -p ORACLEDB_HOST=${{ secrets.ORACLEDB_HOST }}
             -p ORACLEDB_SERVICENAME=${{ secrets.ORACLEDB_SERVICENAME }}
             -p ORACLEDB_SECRET=${{ secrets.ORACLEDB_SECRET }}
-            -p ZONE=${{ env.ZONE }}
+            -p ZONE=test
 
       - name: Publish API
         uses: bcgov-nr/[email protected]
@@ -137,15 +58,15 @@ jobs:
         uses: matt-ball/newman-action@master
         with:
           collection: postman/FCA.postman_collection.json
-          envVar: '[{"key":"URL_FCA","value":"https://${{ env.NAME }}-test-backend.${{ env.DOMAIN }}"}]'
+          envVar: '[{"key":"URL_FCA","value":"https://${{ github.event.repository.name }}-test-backend.${{ env.DOMAIN }}"}]'
           reporters: '["cli"]'
           folder: '["general"]'
 
       - name: Postman Smoke Test on API Gateway
         uses: matt-ball/newman-action@master
         with:
           collection: postman/FCA.postman_collection.json
-          envVar: '[{"key":"URL_FCA","value":"https://${{ env.NAME }}-test.api.gov.bc.ca"}]'
+          envVar: '[{"key":"URL_FCA","value":"https://${{ github.event.repository.name }}-test.api.gov.bc.ca"}]'
           reporters: '["cli"]'
           folder: '["general"]'
 
@@ -171,47 +92,33 @@ jobs:
           name: ${{ steps.changelog.outputs.tag }}
           body: ${{ steps.changelog.outputs.clean_changelog }}
 
-      - name: Log in to the Container registry
-        uses: docker/login-action@3d58c274f17dffee475a5520cbe67f0a882c4dbb
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
   image-promotions:
     name: Image Promotions
-    needs:
-      - deploy-test
+    needs: [deploy-test]
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        component: [api, init]
         tag: [prod, "${{ needs.deploy-test.outputs.tag }}"]
     steps:
-      - name: Promoting ${{ matrix.component }}
+      - name: Promoting API
         if: ${{ matrix.tag != '' }}
         uses: shrink/actions-docker-registry-tag@v3
         with:
-          registry: ${{ env.REGISTRY }}
-          repository: ${{ github.repository }}/${{ matrix.component }}
+          registry: ghcr.io
+          repository: ${{ github.repository }}/api
           target: test
           tags: ${{ matrix.tag }}
 
-      - name: Promoting ${{ matrix.component }}
+      - name: Promoting API
         if: ${{ matrix.tag == '' }}
         run: echo "Tag is empty, promotion step skipped"
 
   deploy-prod:
     name: PROD Deployment
-    needs:
-      - image-promotions
+    needs: [image-promotions]
     runs-on: ubuntu-22.04
     environment:
       name: prod
-    env:
-      ZONE: prod
-      PREV: test
-      DOMAIN: apps.silver.devops.gov.bc.ca
     steps:
       - uses: actions/checkout@v4
 
@@ -231,7 +138,8 @@ jobs:
             -p ORACLEDB_HOST=${{ secrets.ORACLEDB_HOST }}
             -p ORACLEDB_SERVICENAME=${{ secrets.ORACLEDB_SERVICENAME }}
             -p ORACLEDB_SECRET=${{ secrets.ORACLEDB_SECRET }}
-            -p ZONE=${{ env.ZONE }}
+            -p ZONE=prod
+
       - name: Publish API
         uses: bcgov-nr/[email protected]
         with:
@@ -244,14 +152,14 @@ jobs:
         uses: matt-ball/newman-action@master
         with:
           collection: postman/FCA.postman_collection.json
-          envVar: '[{"key":"URL_FCA","value":"https://${{ env.NAME }}-prod-backend.${{ env.DOMAIN }}"}]'
+          envVar: '[{"key":"URL_FCA","value":"https://${{ github.event.repository.name }}-prod-backend.${{ env.DOMAIN }}"}]'
           reporters: '["cli"]'
           folder: '["general"]'
 
       - name: Postman Smoke Test on API Gateway
         uses: matt-ball/newman-action@master
         with:
           collection: postman/FCA.postman_collection.json
-          envVar: '[{"key":"URL_FCA","value":"https://${{ env.NAME }}-prod.api.gov.bc.ca"}]'
+          envVar: '[{"key":"URL_FCA","value":"https://${{ github.event.repository.name }}-prod.api.gov.bc.ca"}]'
           reporters: '["cli"]'
           folder: '["general"]'