fix(ci): introduce pr validate/edit workflow (#1781)

bcgov · Feb 2, 2024 · 62ac388 · 62ac388
1 parent c19bc72
commit 62ac388
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 78 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -14,45 +14,6 @@ concurrency:
  cancel-in-progress: true
 
 jobs:
- codeql:
- name: CodeQL
- if: ${{ ! github.event.pull_request.draft }}
- runs-on: ubuntu-22.04
- timeout-minutes: 5
- steps:
- - uses: actions/checkout@v4
- - uses: github/codeql-action/init@v3
- with:
- languages: javascript
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:javascript"
-
- # https:/marketplace/actions/aqua-security-trivy
- trivy:
- name: Trivy Security Scan
- if: ${{ ! github.event.pull_request.draft }}
- runs-on: ubuntu-22.04
- timeout-minutes: 1
- steps:
- - uses: actions/checkout@v4
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/[email protected]
- with:
- format: "sarif"
- output: "trivy-results.sarif"
- ignore-unfixed: true
- scan-type: "fs"
- scanners: "vuln,secret,config"
- severity: "CRITICAL,HIGH"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "trivy-results.sarif"
-
  tests:
  name: Tests
  if: ${{ ! github.event.pull_request.draft }}
@@ -96,10 +57,44 @@ jobs:
  sonar_token: ${{ secrets[matrix.token] }}
  triggers: ('${{ matrix.dir }}/')
 
- results:
- name: Results
- needs: [codeql, trivy, tests]
+ codeql:
+ name: CodeQL
+ if: ${{ ! github.event.pull_request.draft }}
+ needs: [tests]
+ runs-on: ubuntu-22.04
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v4
+ - uses: github/codeql-action/init@v3
+ with:
+ languages: javascript
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:javascript"
+
+ # https:/marketplace/actions/aqua-security-trivy
+ trivy:
+ name: Trivy Security Scan
+ if: ${{ ! github.event.pull_request.draft }}
+ needs: [tests]
  runs-on: ubuntu-22.04
  timeout-minutes: 1
  steps:
- - run: echo "Success!"
+ - uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/[email protected]
+ with:
+ format: "sarif"
+ output: "trivy-results.sarif"
+ ignore-unfixed: true
+ scan-type: "fs"
+ scanners: "vuln,secret,config"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
+
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -9,41 +9,6 @@ concurrency:
  cancel-in-progress: true
 
 jobs:
- conventional-commits:
- name: Conventional Commits
- runs-on: ubuntu-22.04
- steps:
- - uses: amannn/[email protected]
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- pr-description-add:
- name: PR Description Add
- env:
- DOMAIN: apps.silver.devops.gov.bc.ca
- PREFIX: ${{ github.event.repository.name }}
- runs-on: ubuntu-22.04
- permissions:
- pull-requests: write
- timeout-minutes: 1
- steps:
- - uses: bcgov-nr/[email protected]
- with:
- add_markdown: |
- ---
-
- Thanks for the PR!
-
- Deployments, as required, will be available below:
- - [Frontend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }})
- - [Backend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }}/api)
-
- Please create PRs in draft mode. Mark as ready to enable:
- - [Analysis Workflow](https:/${{ github.repository }}/actions/workflows/analysis.yml)
-
- After merge, new images are deployed in:
- - [Merge Workflow](https:/${{ github.repository }}/actions/workflows/merge.yml)
-
  # https:/bcgov-nr/action-builder-ghcr
  builds:
  name: Builds

diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml
@@ -0,0 +1,54 @@
+name: PR Validate
+
+on:
+ pull_request:
+ types: [edited, opened, reopened, synchronize]
+
+concurrency:
+ # Cancel in progress for PR open and close, but not merge_group
+ group: ${{ github.workflow }}-${{ github.event.number || github.event.merge_group.base_sha }}
+ cancel-in-progress: true
+
+jobs:
+ # PR only, skip for merge_group
+ conventional-commits:
+ name: Conventional Commits
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: amannn/[email protected]
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - if: failure() && !success()
+ run: |
+ echo "Please use conventional commits in your PR title and re-run this job."
+ echo "https://www.conventionalcommits.org/en/v1.0.0/"
+ exit 1
+
+ # PR only, skip for merge_group
+ pr-description-add:
+ name: PR Description Add
+ env:
+ DOMAIN: apps.silver.devops.gov.bc.ca
+ PREFIX: ${{ github.event.repository.name }}
+ runs-on: ubuntu-22.04
+ permissions:
+ pull-requests: write
+ timeout-minutes: 1
+ steps:
+ - uses: bcgov-nr/[email protected]
+ with:
+ add_markdown: |
+ ---
+
+ Thanks for the PR!
+
+ Deployments, as required, will be available below:
+ - [Frontend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }})
+ - [Backend](https://${{ env.PREFIX }}-${{ github.event.number }}-frontend.${{ env.DOMAIN }}/api)
+
+ Please create PRs in draft mode. Mark as ready to enable:
+ - [Analysis Workflow](https:/${{ github.repository }}/actions/workflows/analysis.yml)
+
+ After merge, new images are deployed in:
+ - [Merge Workflow](https:/${{ github.repository }}/actions/workflows/merge.yml)