chore(sage-monorepo): update Trivy repo scanning workflow (ARCH-320) #7900
Workflow file for this run
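name: CI

# Trust model of this workflow (read before changing triggers):
# - `pull_request` (NOT `pull_request_target`) is used deliberately. A PR from a
#   fork therefore runs with a read-only GITHUB_TOKEN and without repository
#   secrets, which is what makes executing untrusted PR code inside the dev
#   container in the `pr` job acceptable. Switching to `pull_request_target`
#   would hand that code write access and secrets.
on:
  push:
    branches:
      - main
      - 'renovate/**'
  pull_request:
  merge_group:

# Least-privilege default for GITHUB_TOKEN; jobs that need more widen it
# explicitly. Without this block the token inherits the repository default,
# which may be write-all.
permissions:
  contents: read

env:
  NX_BRANCH: ${{ github.event.number }}
  NX_RUN_GROUP: ${{ github.run_id }}
  # Both secrets resolve to empty strings on pull_request runs from forks.
  NX_CLOUD_AUTH_TOKEN: ${{ secrets.NX_CLOUD_AUTH_TOKEN }}
  NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
  NX_CLOUD_ENV_NAME: 'linux'
  # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  # Branch and repository names are attacker-controlled on fork PRs. Exposing
  # them as environment variables is safe; interpolating them with `${{ }}`
  # directly into a `run:` script would be a shell-injection vector. Today they
  # are only used in step names.
  HEAD_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.ref_name }}
  HEAD_REPOSITORY: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}

jobs:
  # Runs for push (main, renovate/**) and merge_group events; this is the only
  # job that publishes images. NOTE(review): `publish-image` also fires for
  # pushes to `renovate/**` branches, i.e. before review — confirm the tags
  # produced there cannot overwrite the ones produced from `main`.
  push:
    runs-on: ubuntu-22.04-4core-16GBRAM-150GBSSD
    if: ${{ github.event_name != 'pull_request' }}
    permissions:
      contents: read
      # nrwl/nx-set-shas looks up previous workflow runs through the API
      # (per the action's own README); confirm if the lookup starts failing.
      actions: read
      # Needed for `docker login ghcr.io` + image push with GITHUB_TOKEN.
      packages: write
    # env:
    #   NX_BRANCH: main
    steps:
      # TODO(security): pin third-party actions to a full commit SHA instead of
      # the mutable `@v4` tag so a moved or compromised tag cannot change what
      # runs here with package-write credentials.
      - uses: actions/checkout@v4
        name: Checkout ${{ env.HEAD_REPOSITORY }}:${{ env.HEAD_REF }}
        with:
          # We need to fetch all branches and commits so that Nx affected has a base to compare
          # against.
          fetch-depth: 0
      - name: Derive appropriate SHAs for base and head for `nx affected` commands
        uses: nrwl/nx-set-shas@v4
      - name: Set up the dev container
        uses: ./.github/actions/setup-dev-container
      - name: Lint the affected projects
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=lint"
      - name: Build the affected projects
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=build,server"
      - name: Test the affected projects (unit)
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=test"
      - name: Test the affected projects (integration)
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=integration-test"
      # - name: Scan the affected projects with Sonar
      #   run: |
      #     devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
      #       && nx affected --target=sonar"
      - name: Publish the images of the affected projects
        # The registry credentials are handed to the script through environment
        # variables instead of `${{ }}` expressions embedded in the shell text,
        # so no expression output is ever parsed as shell. The token value still
        # ends up on the argv of the inner `bash -c` (as it did before); piping
        # it over stdin or using `devcontainer exec --remote-env` would avoid
        # that — confirm the installed CLI version supports it before switching.
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && echo \"$GHCR_TOKEN\" | docker login ghcr.io -u \"$GHCR_USER\" --password-stdin \
            && nx affected --target=publish-image"
      - name: Remove the dev container
        # Run even when an earlier step failed or the job was cancelled so the
        # container (which has seen the registry credentials) does not outlive
        # the job if the runner is ever reused.
        if: ${{ always() }}
        run: docker rm -f sage_devcontainer

  # Builds and tests PR code, including code from forks. This job must stay
  # read-only: it gets no secrets on fork PRs and must never publish anything.
  pr:
    runs-on: ubuntu-22.04-4core-16GBRAM-150GBSSD
    permissions:
      contents: read
      # See the note on the `push` job: nrwl/nx-set-shas reads run history.
      actions: read
    # Runs this job if triggered by a PR and if at least one of these conditions are true:
    # - the PR originate from a fork
    # - the branch name does not start with `renovate/` since we know that the workflow would have
    #   been already triggered by the `push` event.
    if: |
      github.event_name == 'pull_request'
      && (
        github.event.pull_request.head.repo.full_name !=
        github.event.pull_request.base.repo.full_name
        || !startsWith(github.head_ref, 'renovate/')
      )
    steps:
      # TODO(security): pin to a full commit SHA rather than the mutable `@v4` tag.
      - uses: actions/checkout@v4
        name: Checkout merge commit
        with:
          # We need to fetch all branches and commits so that Nx affected has a base to compare
          # against.
          fetch-depth: 0
      - name: Switch from the detached HEAD of the merge commit to a new branch
        # Buildx does not work on a detached HEAD
        run: git switch -c new-branch
      - name: Derive appropriate SHAs for base and head for `nx affected` commands
        uses: nrwl/nx-set-shas@v4
      - name: Set up the dev container
        uses: ./.github/actions/setup-dev-container
      - name: Lint the affected projects
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=lint"
      - name: Build the affected projects
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=build,server"
      - name: Test the affected projects (unit)
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=test"
      - name: Test the affected projects (integration)
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=integration-test"
      - name: Build the images of the affected projects
        run: |
          devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
            && nx affected --target=build-image"
      - name: Remove the dev container
        # Always clean up, even after a failed or cancelled step.
        if: ${{ always() }}
        run: docker rm -f sage_devcontainer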