fix: pom.xml to reduce vulnerabilities #277
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ScaleUp Application CI workflow | |
on: | |
push: | |
branches: | |
- '**' # Trigger on any branch push | |
jobs: | |
set-env: | |
name: Setup Environment | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20.15.0 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Install Node.js packages | |
run: npm install | |
- name: Cache Node Modules | |
uses: actions/cache@v3 | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
package: | |
name: Package App | |
runs-on: ubuntu-latest | |
needs: set-env | |
if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.pull_request.title, '[skip ci]') && !contains(github.event.pull_request.title, '[ci skip]')" | |
timeout-minutes: 10 | |
env: | |
NODE_VERSION: 20.15.0 | |
SPRING_OUTPUT_ANSI_ENABLED: DETECT | |
SPRING_JPA_SHOW_SQL: false | |
JHI_DISABLE_WEBPACK_LOGS: true | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20.15.0 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Package application | |
run: npm run java:jar:prod | |
- name: Upload Build Artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: packaged-application | |
path: | | |
target/*.jar | |
target/classes | |
retention-days: 1 # Retain the build artifacts for 1 day | |
# Push to Docker | |
jib-build: | |
name: containerize | |
runs-on: ubuntu-latest | |
needs: package | |
env: | |
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | |
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Push to Docker registry w/o IT | |
run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD} -DskipTests | |
if: github.ref != 'refs/heads/main' || github.ref != 'refs/heads/testing-uat' | |
- name: Push to Docker registry w IT | |
run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD} | |
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/testing-uat' | |
backend-test: | |
name: Backend Test Stage | |
runs-on: ubuntu-latest | |
needs: package | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Run backend test | |
run: | | |
chmod +x mvnw | |
npm run ci:backend:test | |
- name: Upload Backend Test Report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: backend-test-report | |
path: target/surefire-reports/*.xml | |
retention-days: 1 | |
frontend-test: | |
name: Frontend Test Stage | |
runs-on: ubuntu-latest | |
needs: package | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20.15.0 | |
- name: Install Node.js Packages | |
run: npm install | |
- name: Run frontend test | |
run: npm run ci:frontend:test | |
- name: Upload Frontend Test Report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: jest-test-reports | |
path: ./target/test-results/TESTS-results-jest.xml # Adjusted to match your Jest output configuration | |
retention-days: 1 | |
sonar: | |
name: Sonar SAST Scan | |
runs-on: ubuntu-latest | |
needs: [backend-test, frontend-test] | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: 17 | |
distribution: 'zulu' # Alternative distribution options are available. | |
- name: Cache SonarCloud packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
restore-keys: ${{ runner.os }}-sonar | |
- name: Cache Maven packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Build and analyze | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
if: github.ref != 'refs/heads/main' | |
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup | |
- name: Build and analyze for main | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
if: github.ref == 'refs/heads/main' | |
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup #-Dsonar.qualitygate.wait=true | |
snyk: | |
name: Vulnerability Scanning with Synk | |
needs: [backend-test, frontend-test] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@master | |
- name: Run Snyk to check for vulnerabilities | |
uses: snyk/actions/maven@master | |
continue-on-error: true # To make sure that SARIF upload gets called | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
args: --sarif-file-output=snyk.sarif | |
# - name: Upload result to GitHub Code Scanning | |
# uses: github/codeql-action/upload-sarif@v3 | |
# with: | |
# sarif_file: snyk.sarif | |
dast-scan: | |
name: DAST OWASP ZAP Scans | |
runs-on: ubuntu-latest | |
needs: [backend-test, frontend-test] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Change script permission | |
run: | | |
chmod +x script/zap-script.sh | |
- name: ZAP scan | |
run: script/zap-script.sh | |
- name: Archive production artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: zap report | |
path: | | |
./zap_baseline_report.html | |
retention-days: 1 | |
deploy-to-sit: | |
name: Deploy to SIT | |
needs: jib-build | |
runs-on: ubuntu-latest | |
if: github.ref == 'refs/heads/testing-sit' # Only apply changes on sit branch | |
env: | |
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | |
steps: | |
- name: Deploy to EC2 | |
uses: appleboy/ssh-action@master | |
with: | |
host: ec2-52-77-34-58.ap-southeast-1.compute.amazonaws.com # Change this to SIT host | |
username: ubuntu | |
key: ${{ secrets.EC2_PRIVATE_KEY }} | |
port: 22 | |
script: | | |
sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest | |
if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then | |
sudo docker stop scaleUp | |
sudo docker rm scaleUp | |
elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then | |
sudo docker rm scaleUp | |
fi | |
sudo docker run -d -p 80:80 --name scaleUp ${{ secrets.DOCKER_USERNAME }}/scaleup:latest | |
deploy-to-main: | |
name: Deploy to Production | |
needs: [jib-build, dast-scan, snyk, sonar] | |
runs-on: ubuntu-latest | |
if: github.ref == 'refs/heads/main' # Only apply changes on main branch | |
env: | |
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | |
steps: | |
- name: Deploy to EC2 | |
uses: appleboy/ssh-action@master | |
with: | |
host: ec2-54-255-11-22.ap-southeast-1.compute.amazonaws.com # Change to Prod host | |
username: ubuntu | |
key: ${{ secrets.EC2_PRIVATE_KEY_PROD }} | |
port: 22 | |
script: | | |
sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest | |
if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then | |
sudo docker stop scaleUp | |
sudo docker rm scaleUp | |
elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then | |
sudo docker rm scaleUp | |
fi | |
sudo docker run -d -p 80:80 --name scaleUp ${{ secrets.DOCKER_USERNAME }}/scaleup:latest |