fix(#25): fix push-triggered security jobs failing on main #23
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| lint-go: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: backend/go.mod | |
| - name: Install golangci-lint | |
| run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest | |
| - name: Run golangci-lint | |
| working-directory: backend | |
| run: golangci-lint run --timeout=5m | |
| lint-frontend: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| cache: "npm" | |
| cache-dependency-path: frontend/package-lock.json | |
| - working-directory: frontend | |
| run: | | |
| npm ci --legacy-peer-deps | |
| npm run lint | |
| test-go: | |
| runs-on: ubuntu-latest | |
| services: | |
| postgres: | |
| image: postgres:16-alpine | |
| env: | |
| POSTGRES_DB: remedyiq | |
| POSTGRES_USER: remedyiq | |
| POSTGRES_PASSWORD: remedyiq | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd "pg_isready -U remedyiq" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| env: | |
| POSTGRES_URL: postgres://remedyiq:remedyiq@localhost:5432/remedyiq?sslmode=disable | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: backend/go.mod | |
| - name: Apply database migrations | |
| env: | |
| PGPASSWORD: remedyiq | |
| run: | | |
| for f in backend/migrations/*.up.sql; do | |
| psql -h localhost -U remedyiq -d remedyiq -f "$f" | |
| done | |
| - working-directory: backend | |
| run: go test -v -race -coverprofile=coverage.out ./... | |
| build-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build API image | |
| run: docker build -f backend/Dockerfile --target api -t remedyiq/api:ci . | |
| - name: Build Worker image | |
| run: docker build -f backend/Dockerfile --target worker -t remedyiq/worker:ci . | |
| - name: Build Frontend image | |
| run: docker build -t remedyiq/frontend:ci ./frontend | |
| - name: Scan API image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: remedyiq/api:ci | |
| format: table | |
| exit-code: 1 | |
| severity: HIGH,CRITICAL | |
| trivyignores: .trivyignore | |
| - name: Scan Worker image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: remedyiq/worker:ci | |
| format: table | |
| exit-code: 1 | |
| severity: HIGH,CRITICAL | |
| trivyignores: .trivyignore | |
| - name: Scan Frontend image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: remedyiq/frontend:ci | |
| format: table | |
| exit-code: 1 | |
| severity: HIGH,CRITICAL | |
| trivyignores: .trivyignore | |
| - name: Scan for secrets with Gitleaks | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| helm-lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: azure/setup-helm@v4 | |
| with: | |
| version: "v3.14.0" | |
| - run: helm dependency update helm/remedyiq | |
| - run: helm lint helm/remedyiq -f helm/remedyiq/values-staging.yaml | |
| - run: helm lint helm/remedyiq -f helm/remedyiq/values-prod.yaml |