From 02cb9ddc5ee2f3a7d5e7b299bb83815230a528e2 Mon Sep 17 00:00:00 2001 From: aleks-ivanov Date: Wed, 24 Feb 2021 13:58:06 +0000 Subject: [PATCH 1/7] add Pipeline Foundation templates --- .github/dependabot.yml | 15 ++ .github/workflows/codeql-analysis.yml | 31 +++ .github/workflows/main.yml | 166 ++++++++++++++ CI-CD_DOCUMENTATION.md | 319 ++++++++++++++++++++++++++ 4 files changed, 531 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .github/workflows/main.yml create mode 100644 CI-CD_DOCUMENTATION.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..fa38860e --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + # default location of `.github/workflows` + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "nuget" + # location of package manifests + directory: "/" + schedule: + interval: "daily" + +# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation) \ No newline at end of file diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..cc536528 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,31 @@ +name: CodeQL Analysis + +on: + push: + pull_request: + schedule: + - cron: '0 8 * * *' + +jobs: + analyze: + name: codeql-analysis + runs-on: windows-latest + + steps: + - name: Checkout repository + id: checkout_repo + uses: actions/checkout@v2 + + - name: Initialize CodeQL + id: init_codeql + uses: github/codeql-action/init@v1 + with: + queries: security-and-quality + + - name: Build project + + - name: Perform CodeQL Analysis + id: analyze_codeql + uses: github/codeql-action/analyze@v1 + +# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation) \ No newline at end of file diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000..d00c6b7d --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,166 @@ +name: PROJECT_NAME CI/CD Pipeline + +# There's is specific logic connected to the trigger events by exclusion: +# (github.event_name != 'pull_request') +# When adding new events, make sure they conform to the logic +# or if needed, make appropriate changes to keep the logic consistent +on: [push, pull_request, workflow_dispatch] + +jobs: + ci: + runs-on: windows-latest + outputs: + new_version: ${{ steps.tag_generator.outputs.new_version }} + steps: + - name: Checkout repository + id: checkout_repo + uses: actions/checkout@v2 + with: + fetch-depth: 50 + + - if: github.event_name != 'pull_request' + name: Install latest Java LTS + id: install_latest_java_lts + uses: actions/setup-java@v1 + with: + # Java 11 is the current long-term support version of JSE + # and is the officially suggested version by SonarCloud for GitHub Actions + java-version: 1.11 + + - if: github.event_name != 'pull_request' + name: Activate TestSpace tool + id: testspace_tool + uses: testspace-com/setup-testspace@v1 + with: + domain: ${{ github.repository_owner }} + token: ${{ secrets.TESTSPACE_TOKEN }} + + # (github.event_name == 'push') is used for steps specifically involved in the Release Sequence + - if: github.event_name == 'push' && github.ref == 'refs/heads/master' + name: Bump release version and create release tag + id: tag_generator + uses: mathieudutour/github-tag-action@v5 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + default_bump: false + + - if: github.event_name != 'pull_request' + name: Cache SonarCloud packages + id: cache_sonar_packages + uses: actions/cache@v2 + with: + path: ~\sonar\cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + + - if: github.event_name != 'pull_request' + name: Cache SonarCloud scanner + id: cache_sonar_scanner + uses: actions/cache@v2 + with: + path: .\.sonar\scanner + key: ${{ runner.os }}-sonar-scanner + restore-keys: ${{ runner.os }}-sonar-scanner + + - if: github.event_name != 'pull_request' && steps.cache_sonar_scanner.outputs.cache-hit != 'true' + name: Install SonarCloud scanner + id: install_sonar_scanner + shell: powershell + run: | + New-Item -Path .\.sonar\scanner -ItemType Directory + dotnet tool update dotnet-sonarscanner --tool-path .\.sonar\scanner + + - if: github.event_name != 'pull_request' + name: Lowercase string generator + id: lowercase_string_gen + shell: powershell + run: | + $LOWERCASE_OWNER = "${{ github.repository_owner }}".ToLower() + echo "::set-output name=owner_name::$LOWERCASE_OWNER" + + - if: github.event_name != 'pull_request' + name: Initialize SonarCloud scanner + id: init_sonar_scanner + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + shell: powershell + run: .\.sonar\scanner\dotnet-sonarscanner begin /k:"${{ github.repository_owner }}_${{ github.event.repository.name }}" /o:"${{ steps.lowercase_string_gen.outputs.owner_name }}" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" + + - name: Build project + + - if: github.event_name == 'push' && github.ref == 'refs/heads/master' + name: Upload artifact + id: up_package_artifacts + uses: actions/upload-artifact@v2 + with: + name: Artifact + path: artifact/ + + - if: github.event_name != 'pull_request' && always() + name: Push result to Testspace server + id: push_to_testspace + shell: powershell + run: | + testspace "__test/results.xml{TestsFolder/}" + + - if: github.event_name != 'pull_request' + name: Send SonarCloud results + id: send_sonar_results + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + shell: powershell + run: .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}" + + cd: + # "This job will execute when the workflow is triggered on a 'push event', the target branch is 'master' and the commit is intended to be a release." + if: github.event_name == 'push' && github.ref == 'refs/heads/master' && needs.ci.outputs.new_version != '' + needs: ci + runs-on: windows-latest + env: + NEW_VERSION: ${{ needs.ci.outputs.new_version }} + NEW_TAG: v${{ needs.ci.outputs.new_version }} + steps: + - name: Checkout repository + id: checkout_repo + uses: actions/checkout@v2 + + - name: Download and extract artifact + id: dl_artifact + uses: actions/download-artifact@v2 + with: + name: Artifact + path: artifact/ + + - name: Publish *.nupkg on NuGet + id: publish_nuget + uses: rohith/publish-nuget@v2 + continue-on-error: true + with: + PROJECT_FILE_PATH: 'project.csproj' + TAG_COMMIT: true + NUGET_KEY: ${{secrets.NUGET_TOKEN}} + PACKAGE_NAME: Project.${{ env.NEW_VERSION }}.nupkg + + - name: Create and publish release + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ env.NEW_TAG }} + release_name: Release ${{ env.NEW_TAG }} + + - name: Upload release asset + id: upload_release_asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: artifact/ + asset_name: artifact.zip + asset_content_type: application/zip + +# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation) \ No newline at end of file diff --git a/CI-CD_DOCUMENTATION.md b/CI-CD_DOCUMENTATION.md new file mode 100644 index 00000000..93dc6d7b --- /dev/null +++ b/CI-CD_DOCUMENTATION.md @@ -0,0 +1,319 @@ +# !_PROJECT_NAME_! CI/CD documentation + +* after merging the PR, the first run of the main workflow will not complete successfully, because it requires specific setup explained in this documentation + +## *. Set up TestSpace + +The TestSpace tool is used to display the unit test results, that are generated by the internal testing sequence of the project. + +1. Go to https://www.testspace.com/ + +2. Click on the "Start for free" button + +3. Click on the "Get started" button, under the "Open" plan box + +4. Go to the bottom of the page, under "Pricing and setup" choose the "Free" option on the left and click on "Install it for free" button on the right +* the "Free" option is for personal accounts +* the "Open" option is for organization accounts + +5. Click on the "Complete order and begin installation" button + +6. Select which repositories to work with this TestSpace installation +* select "Only select repositories" for better overall control +* from the dropdown, select the repositories you would like to see on the TestSpace dashboard + +7. Enter your password, if prompt + +8. You are going to be re-directed to the TestSpace dashboard + +9. At the top right corner, click on your account name and choose **Edit** from the dropdown menu + +10. Copy the value from the input field under the **Access Token** label + +11. Go to GitHub and enter your repo + +12. In the **Settings** tab, go to **Secrets**, add a new secret with the name **TESTSPACE_TOKEN** and paste the value you copied in step 10 + +- the TestSpace token is optional for public repos, but we've made it part of the implementation, to give the owner of the repo additional security + +13. Go back to your TestSpace dashboard + +14. On the righthand side at the top, click on "+ New Project" button + +15. Select the GitHub repo you would like to display and click "OK" + +16. Click on the name of the project + +17. As soon as a workflow is ran successfully for the connected GitHub project, you would be able to see the results listed here +* "space" refers to a GitHub repo branch (master, feature/new-feature etc.) and each branch is displayed as a separate entity + +
+ +## *. Set up SonarCloud + +SonarCloud is a cloud-based code quality and security service. + +1. Go to https://sonarcloud.io/ + +2. Click the "Log in" button and create a new account or connect with GitHub account (recommended). + +3. At the top right corner click the "+" sign. + +4. From the dropdown select "Create new Organization". + +5. Click the button "Choose an organization on GitHub". + +6. Select an account for your organization setup. + +7. On **Repository Access** select "Only select repositories" and select the project and click the "Save" button. + +8. On the "Create organization page" don't change your **Key** and click "Continue". + +9. Select the Free plan then click the "Create Organization" button to finalize the creation of your Organization. + +10. From the dropdown select "Analyze new project". + +11. Select the project and click "Set Up" button at the top right corner. + +12. Under the "Choose another analysis method" sign click the "With GitHub Actions" sign. + +13. Copy the Name of the token and the Value and use them on step "16". + +14. To Create a secret on GitHub click the fast forward button **Settings>Secrets** . + +15. Then click "New Repository secret" + +16. Enter the "Name" and the "Value" and click **Add Secret**. + +17. No further steps are required for this setup. + +18. Run manually your workflow one time to deliver the code to SonarCloud. + +19. In order to set a "Quality gate" follow the next steps. + +19. After the run go to the Project page. + +20. Click on the button "Set new code definition" and select "Previous version". + +21. Manually run the workflow and there you have set a Quality gate. + +
+ +## *. Set up NuGet + +NuGet is a package manager and is responsible for downloading, installing, updating, and configuring software in your system. From the term software we don't mean end users software like Microsoft Word or Notepad 2, etc. but pieces of software, which you want to use in the project, assembly references. + +1. Go to https://www.nuget.org/ . + +2. Log in or create your account. + +3. From the dropdown in the right top corner (with your account name on it) choose **API Keys**. + +4. Create a new token by clicking the "+ Create" button. + +5. Set the **Key name** to "NUGET TOKEN" so it's compatible with your workflow. + +6. On **Package Owner** choose your username from the dropdown. + +7. To select which packages to associate with a key, use a glob pattern, select individual packages, or both. + +8. Set your package name in the **Glob Pattern** field. + +9. Now you have to set the token as a **secret** in GitHub in order to make it work. + +### Creating encrypted secrets for a repository + +1. On GitHub, navigate to the main page of the repository. + +2. Under your repository name, click Settings. + +3. Repository settings button. + +4. In the left sidebar, click Secrets. + +5. Click New repository secret. + +6. Type the name "NUGET_TOKEN" as a name of your secret. + +7. Enter the value for your secret. + +8. Click Add secret. + **You are all set up** + +
+ +## *. Run workflow manually + +Once you've set up all the steps above correctly, you should be able to successfully complete a manual execution of the main workflow "!_PROJECT_NAME_! CI/CD Pipeline". + + 1. Go to GitHub project -> "Actions" tab + + 2. From the "Workflows" list on the left, click on "!_PROJECT_NAME_! CI/CD Pipeline" + + 3. On the right, next to the "This workflow has a workflow_dispatch event trigger" label, click on the "Run workflow" dropdown, make sure the **default branch** is selected (if not manually changed, should be main or master) in the "Use workflow from" dropdown and click the "Run workflow" button + +![Actions_workflow_dispatch](/Docs/CI-CD_DOCUMENTATION/Actions_workflow_dispatch.png) + + 4. Once the workflow run has completed successfully, move on to the next step of the documentation + +
+ +## *. Create a TestSpace badge + +Create a TestSpace badge in your README.md to quickly reference your internal test results + +**NOTE: this step is available only after the manually executed workflow run has completed successfully** + +1. Go to https://www.testspace.com/ + +2. Click "Sign in" at the right corner + +3. In the "Project Listing", find the project and click on the "master" space + +4. Click on the badge, that is above the data table + +5. Click "Embed link" + +6. From the dropdown select "Markdown" + +7. Copy the contents below + +8. Go to the GitHub repo of the project + +9. Open the README.md + +10. Paste the Markdown code at your preferred place + +
+ +## *. CodeQL + +CodeQL is GitHub's own industry-leading semantic code analysis engine. CodeQL requires no setup, because it comes fully pre-configured by us. + +To activate it and see its results, only a push commit or a merge of a PR to the default branch of your repository, is required. + +We've also configured CodeQL to run on schedule, so every day at 8:00AM UTC, it automatically tests the code. + +- you can see the results here at **Security** tab -> **Code scanning alerts** -> **CodeQL**: + +![CodeQL_results](/ScreenShots/CI-CD_DOCUMENTATION/CodeQL_results.png) + +- on the page of each result, you can see an explanation of what the problem is and also one or more solutions: + +![CodeQL_alert_page](/ScreenShots/CI-CD_DOCUMENTATION/CodeQL_alert_page.png) + +
+ +## *. Set up Dependabot + +Dependabot is a GitHub native security tool that goes through the dependencies in the project and creates alerts, and PRs with updates when a new and/or non-vulnerable version is found. + +- for PRs with version updates, this pipeline comes pre-configured for all current dependency sources in the project, so at "Insights" tab -> "Dependency graph" -> "Dependabot", you should be able to see all tracked sources of dependencies, when they have been checked last and view a full log of the last check + +![Dependabot_tab](/Docs/CI-CD_DOCUMENTATION/Dependabot_tab.png) + +![Dependabot_log_page](/Docs/CI-CD_DOCUMENTATION/Dependabot_log_page.png) + +### Set up security alerts and updates +##### - GitHub, through Dependabot, also natively offers a security check for vulnerable dependencies + +1. Go to "Settings" tab of your repo + +2. Go to "Security&Analysis" section + +3. Click "Enable" for both "Dependabot alerts" and "Dependabot security updates" + +- By enabling "Dependabot alerts", you would be notified for any vulnerable dependencies in the project. At "Security" tab -> "Dependabot alerts", you can manage all alerts. By clicking on an alert, you would be able to see a detailed explanation of the vulnerability and a viable solution. + +![Dependabot_alerts_page](/Docs/CI-CD_DOCUMENTATION/Dependabot_alerts_page.png) + +![Dependabot_alert_page](/Docs/CI-CD_DOCUMENTATION/Dependabot_alert_page.png) + +- By enabling "Dependabot security updates", you authorize Dependabot to create PRs specifically for **security updates** + +![Dependabot_PRs](/Docs/CI-CD_DOCUMENTATION/Dependabot_PRs.png) + +### Set up Dependency graph +##### - The "Dependency graph" option should be enabled by default for all public repos, but in case it isn't: + +1. Go to "Settings" tab of your repo + +2. Go to "Security&Analysis" section + +3. Click "Enable" for the "Dependency graph" option + +- this option enables the "Insights" tab -> "Dependency graph" section -> "Dependencies" tab, in which all the dependencies for the project are listed, under the different manifests they are included in + +![Dependabot_dependency_graph](/Docs/CI-CD_DOCUMENTATION/Dependabot_dependency_graph.png) + +
+ +## *. How to create a release + +The "Release sequence" encompasses creating a release in your GitHub repo and adding the necessary files to it. + +Files added are: +- Source code (zip) +- Source code (tar.gz) + +Note: **not every commit to your master branch creates a release** + +Follow these instructions for any commit (push or PR merge) to your master branch, you would like to create a release. + +Whenever you would like to trigger the "Create release" sequence, you would need one of three keywords at the start of your commit title. Each of the three keywords corresponds to a number in your release version i.e. v1.2.3. The release versioning uses the ["Conventional Commits" specification](https://www.conventionalcommits.org/en/v1.0.0/): + +* "fix: ..." - this keyword corresponds to the last number v1.2.**3**, also known as PATCH; +* "feat: ..." - this keyword corresponds to the middle number v1.**2**.3, also known as MINOR; +* "perf: ..." - this keyword corresponds to the first number v**1**.2.3, also known as MAJOR. In addition, to trigger a MAJOR release, you would need to write "BREAKING CHANGE: ..." in the description of the commit, with an empty line above it to indicate it is in the