Skip to content

chore(sage-monorepo): update Trivy repo scanning workflow (ARCH-320) … #7902

chore(sage-monorepo): update Trivy repo scanning workflow (ARCH-320) …

chore(sage-monorepo): update Trivy repo scanning workflow (ARCH-320) … #7902

Workflow file for this run

name: CI
on:
push:
branches:
- main
- 'renovate/**'
pull_request:
merge_group:
env:
NX_BRANCH: ${{ github.event.number }}
NX_RUN_GROUP: ${{ github.run_id }}
NX_CLOUD_AUTH_TOKEN: ${{ secrets.NX_CLOUD_AUTH_TOKEN }}
NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
NX_CLOUD_ENV_NAME: 'linux'
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
HEAD_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.ref_name }}
HEAD_REPOSITORY: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
jobs:
push:
runs-on: ubuntu-22.04-4core-16GBRAM-150GBSSD
if: ${{ github.event_name != 'pull_request' }}
# env:
# NX_BRANCH: main
steps:
- uses: actions/checkout@v4
name: Checkout ${{ env.HEAD_REPOSITORY }}:${{ env.HEAD_REF }}
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare
# against.
fetch-depth: 0
- name: Derive appropriate SHAs for base and head for `nx affected` commands
uses: nrwl/nx-set-shas@v4
- name: Set up the dev container
uses: ./.github/actions/setup-dev-container
- name: Lint the affected projects
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=lint"
- name: Build the affected projects
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=build,server"
- name: Test the affected projects (unit)
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=test"
- name: Test the affected projects (integration)
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=integration-test"
# - name: Scan the affected projects with Sonar
# run: |
# devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
# && nx affected --target=sonar"
- name: Publish the images of the affected projects
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin \
&& nx affected --target=publish-image"
- name: Remove the dev container
run: docker rm -f sage_devcontainer
pr:
runs-on: ubuntu-22.04-4core-16GBRAM-150GBSSD
# Runs this job if triggered by a PR and if at least one of these conditions are true:
# - the PR originate from a fork
# - the branch name does not start with `renovate/` since we know that the workflow would have
# been already triggered by the `push` event.
if: |
github.event_name == 'pull_request'
&& (
github.event.pull_request.head.repo.full_name !=
github.event.pull_request.base.repo.full_name
|| !startsWith(github.head_ref, 'renovate/')
)
steps:
- uses: actions/checkout@v4
name: Checkout merge commit
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare
# against.
fetch-depth: 0
- name:
Switch from the detached HEAD of the merge commit to a new branch
# Buildx does not work on a detached HEAD
run: git switch -c new-branch
- name: Derive appropriate SHAs for base and head for `nx affected` commands
uses: nrwl/nx-set-shas@v4
- name: Set up the dev container
uses: ./.github/actions/setup-dev-container
- name: Lint the affected projects
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=lint"
- name: Build the affected projects
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=build,server"
- name: Test the affected projects (unit)
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=test"
- name: Test the affected projects (integration)
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=integration-test"
- name: Build the images of the affected projects
run: |
devcontainer exec --workspace-folder ../sage-monorepo bash -c ". ./dev-env.sh \
&& nx affected --target=build-image"
- name: Remove the dev container
run: docker rm -f sage_devcontainer