Updating pipeline

.github/workflows/.tests.yml

@@ -0,0 +1,100 @@
+name: .Tests
+
+on:
+  workflow_call:
+    inputs:
+      ### Required
+      target:
+        description: PR number, test or prod
+        required: true
+        type: string
+
+      ### Typical / recommended
+      triggers:
+        description: Bash array to diff for build triggering; omit to always fire
+        required: false
+        type: string
+
+env:
+  DOMAIN: apps.silver.devops.gov.bc.ca
+  PREFIX: ${{ github.event.repository.name }}-${{ inputs.target }}
+
+jobs:
+  integration-tests:
+    name: Integration
+    runs-on: ubuntu-22.04
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@v4
+      - id: cache-npm
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-cache-node-modules-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-build-cache-node-modules-
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
+
+      - env:
+          API_NAME: nest
+          BASE_URL: https://${{ github.event.repository.name }}-${{ inputs.target }}-frontend.${{ env.DOMAIN }}
+        run: |
+          cd tests/integration
+          npm ci
+          node src/main.js
+
+  e2e-tests:
+    name: E2E
+    defaults:
+      run:
+        working-directory: frontend
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+    strategy:
+      matrix:
+        project: [Microsoft Edge]
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout
+      - uses: actions/setup-node@v4
+        name: Setup Node
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+      - name: Install dependencies
+        run: |
+          npm ci
+          npx playwright install --with-deps
+
+      - name: Run Tests
+        env:
+          E2E_BASE_URL: https://${{ github.event.repository.name }}-${{ inputs.target }}-frontend.${{ env.DOMAIN }}/
+          CI: "true"
+        run: |
+          npx playwright test --project="${{ matrix.project }}" --reporter=html
+
+      - uses: actions/upload-artifact@v4
+        if: ${{ !cancelled() }}
+        name: upload results
+        with:
+          name: playwright-report-${{ matrix.project }}
+          path: "./frontend/playwright-report" # path from current folder
+          retention-days: 7
+
+  load-tests:
+    name: Load
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        name: [backend, frontend]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: grafana/[email protected]
+        env:
+          BACKEND_URL: https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/api
+          FRONTEND_URL: https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}
+        with:
+          filename: ./tests/load/${{ matrix.name }}-test.js
+          flags: --vus 10 --duration 30s

.github/workflows/analysis.yml

@@ -0,0 +1,89 @@
+name: Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
+  schedule:
+    - cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tests:
+    name: Tests
+    if: ${{ ! github.event.pull_request.draft }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    strategy:
+      matrix:
+        dir: [backend, frontend]
+        include:
+          - dir: backend
+            token: SONAR_TOKEN_BACKEND
+          - dir: frontend
+            token: SONAR_TOKEN_FRONTEND
+    steps:
+      - uses: bcgov-nr/[email protected]
+        with:
+          commands: |
+            npm ci
+            npm run test:cov
+          dir: ${{ matrix.dir }}
+          node_version: "22"
+          sonar_args: >
+            -Dsonar.exclusions=**/coverage/**,**/node_modules/**,**/*spec.ts
+            -Dsonar.organization=bcgov-sonarcloud
+            -Dsonar.projectKey=quickstart-openshift_${{ matrix.dir }}
+            -Dsonar.sources=src
+            -Dsonar.tests.inclusions=**/*spec.ts
+            -Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info
+          sonar_token: ${{ secrets[matrix.token] }}
+          triggers: ('${{ matrix.dir }}/')
+
+  # https://github.com/marketplace/actions/aqua-security-trivy
+  trivy:
+    name: Trivy Security Scan
+    if: ${{ ! github.event.pull_request.draft }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          scan-type: "fs"
+          scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
+
+  results:
+    name: Analysis Results
+    needs: [tests, trivy]
+    runs-on: ubuntu-22.04
+    steps:
+      - run: echo "Success!"
+

.github/workflows/deploy-nats.yml

@@ -54,3 +54,9 @@ jobs:
         run: |
           RELEASE_NAME=${{ github.event.repository.name }}-${{ github.event.number }}-nats
           oc label statefulset $RELEASE_NAME app=${{ github.event.repository.name }}-${{ github.event.number }}
+      - name: Label NATS PVCs
+        run: |
+          RELEASE_NAME=${{ github.event.repository.name }}-${{ github.event.number }}-nats
+          for pvc in $(oc get pvc -l release=$RELEASE_NAME -o name); do
+            oc label $pvc app=${{ github.event.repository.name }}-${{ github.event.number }}
+          done