Skip to content

Chore: update deps #754

Chore: update deps

Chore: update deps #754

Workflow file for this run

name: Pipeline
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: .node-version
cache: npm
- name: Cache npm dependencies
id: cache-npm-deps
uses: actions/cache@v4
with:
path: |
**/node_modules
~/.cache/Cypress
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependecies
if: steps.cache-npm-deps.outputs.cache-hit != 'true'
run: npm ci
- name: Check build
run: npm run build
- name: Check format
run: npm run format:check
- name: Lint
run: npm run lint:check
- name: Run tests
run: npm test
- name: Install E2E test dependencies
run: |
npx --yes playwright install-deps
npx --yes playwright install
npx --yes playwright install msedge
- name: Run E2E tests
run: npm run test:e2e
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: playwright-test-results
path: test-results
- name: Run a11y tests
run: npm run test:a11y
env:
# Use a different port (from the one used with E2E tests) to workaround problem in CI/GitHub Actions,
# starting to occur with playwright/test 1.28.0:
# Error: http://localhost:4173 is already used ...
# See https://github.com/digitalservicebund/typescript-vite-application-template/actions/runs/3486985178/jobs/5834089375
VITE_PORT: 4183
- name: Build an image from Dockerfile
run: |
docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Login to container registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
run: |
docker tag ${{ github.repository }}:${{ github.sha }} ghcr.io/${{ github.repository }}
docker tag ${{ github.repository }}:${{ github.sha }} ghcr.io/${{ github.repository }}:${{ github.sha }}
docker push --all-tags ghcr.io/${{ github.repository }}
- name: Create SBOM
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9 # v1.2.1
with:
image_name: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
audit-licenses:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: .node-version
cache: npm
- name: Cache npm dependencies
id: cache-npm-deps
uses: actions/cache@v4
with:
path: |
**/node_modules
~/.cache/Cypress
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependecies
if: steps.cache-npm-deps.outputs.cache-hit != 'true'
run: npm ci
- name: Audit used licences
run: npm run audit:licences
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
vulnerability-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: validate github workflow files to have pinned versions
uses: digitalservicebund/github-actions-linter@dccac3ada437947aada4bc901daff08ceb87c3f1 # v0.1.11
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: "fs"
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1" # Fail the build!
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
if: always() # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}