TehRiehlDeal
350e65cbea
frontend-ci / typecheck (push) Successful in 14s
frontend-ci / lint (push) Successful in 14s
frontend-ci / secrets-scan (push) Successful in 4s
frontend-ci / sast (push) Successful in 6s
frontend-ci / fs-scan (push) Failing after 38s
frontend-ci / build (push) Has been cancelled
frontend-ci / image-scan (push) Has been cancelled
frontend-ci / push (push) Has been cancelled
gitleaks/gitleaks-action@v2 has a license-key check that fails on some Gitea runners. Switch to downloading and running the gitleaks binary directly — same scan, no action wrapper, no license dependency.
135 lines
3.6 KiB
YAML
135 lines
3.6 KiB
YAML
name: frontend-ci
|
|
|
|
on:
|
|
push:
|
|
branches: ["**"]
|
|
tags: ["v*"]
|
|
pull_request:
|
|
|
|
env:
|
|
IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/frontend
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: npm
|
|
cache-dependency-path: package-lock.json
|
|
- run: npm ci
|
|
- run: npx eslint .
|
|
|
|
typecheck:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: npm
|
|
- run: npm ci
|
|
- run: npx tsc -b
|
|
|
|
secrets-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Install and run gitleaks
|
|
run: |
|
|
GL_VERSION=8.18.4
|
|
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \
|
|
| tar xz -C /tmp gitleaks
|
|
/tmp/gitleaks detect --redact --no-banner --verbose --source .
|
|
|
|
sast:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: returntocorp/semgrep-action@v1
|
|
with:
|
|
config: "p/auto"
|
|
|
|
fs-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: fs
|
|
severity: "HIGH,CRITICAL"
|
|
exit-code: "1"
|
|
ignore-unfixed: "true"
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
needs: [lint, typecheck]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
tags: movieloop-frontend:ci-${{ github.sha }}
|
|
load: true
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
image-scan:
|
|
runs-on: ubuntu-latest
|
|
needs: [build]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
tags: movieloop-frontend:ci-${{ github.sha }}
|
|
load: true
|
|
cache-from: type=gha
|
|
- uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: movieloop-frontend:ci-${{ github.sha }}
|
|
severity: "HIGH,CRITICAL"
|
|
exit-code: "1"
|
|
ignore-unfixed: "true"
|
|
|
|
push:
|
|
runs-on: ubuntu-latest
|
|
needs: [build, image-scan, secrets-scan, sast, fs-scan]
|
|
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ secrets.HARBOR_HOST }}
|
|
username: ${{ secrets.MOVIELOOP_USERNAME }}
|
|
password: ${{ secrets.MOVIELOOP_PASSWORD }}
|
|
- uses: docker/metadata-action@v5
|
|
id: meta
|
|
with:
|
|
images: ${{ env.IMAGE }}
|
|
tags: |
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
type=sha,format=long
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
cache-from: type=gha
|