ci: pin GitHub Actions to commit SHAs #231
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "ndc-nodejs-lambda connector" | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - test-ci/** | |
| push: | |
| branches: | |
| - 'main' | |
| - test-ci/** | |
| tags: | |
| - v** | |
| env: | |
| DOCKER_REGISTRY: ghcr.io | |
| DOCKER_IMAGE_NAME: hasura/ndc-nodejs-lambda | |
| jobs: | |
| build-npm: | |
| name: Build ndc-lambda-sdk npm package | |
| defaults: | |
| run: | |
| working-directory: ./ndc-lambda-sdk | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version-file: .nvmrc | |
| registry-url: https://registry.npmjs.org | |
| cache: npm | |
| cache-dependency-path: ./ndc-lambda-sdk/package-lock.json | |
| - run: npm ci | |
| - run: npm run build | |
| - run: npm test | |
| publish-npm: | |
| name: Publish ndc-lambda-sdk to npm | |
| defaults: | |
| run: | |
| working-directory: ./ndc-lambda-sdk | |
| needs: build-npm | |
| runs-on: ubuntu-latest | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version-file: .nvmrc | |
| registry-url: https://registry.npmjs.org | |
| cache: npm | |
| cache-dependency-path: ./ndc-lambda-sdk/package-lock.json | |
| - run: | | |
| PACKAGE_VERSION=`npm version | sed -rn "2 s/.*: '([^']*)'.*/\1/g; 2 p"` | |
| TAG=`echo "$GITHUB_REF"| sed -r "s#.*/##g"` | |
| echo '$TAG' = "$TAG" | |
| echo '$GITHUB_REF' = "$GITHUB_REF" | |
| echo '$PACKAGE_VERSION' = "$PACKAGE_VERSION" | |
| if [ "$TAG" = "v$PACKAGE_VERSION" ] | |
| then | |
| echo "Success! Versions match." | |
| else | |
| echo "Package version (v$PACKAGE_VERSION) must match tag (GITHUB_REF: $GITHUB_REF) in order to publish" 1>&2 | |
| exit 1 | |
| fi | |
| - run: npm ci | |
| - run: npm run build | |
| - run: npm publish --access public | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| docker: | |
| name: Build base docker image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: Set up containerd | |
| uses: crazy-max/ghaction-setup-containerd@b1962824078138dddccdf925db7402a9428c4aca # v3 | |
| - name: Fix containerd socket permissions | |
| run: | | |
| sudo chgrp docker /run/containerd/containerd.sock | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ${{ env.DOCKER_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: docker-metadata | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} | |
| - name: Get npm package version | |
| id: get-npm-package-version | |
| run: | | |
| PACKAGE_VERSION=`npm version | sed -rn "2 s/.*: '([^']*)'.*/\1/g; 2 p"` | |
| echo "package_version=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT | |
| shell: bash | |
| working-directory: ./ndc-lambda-sdk | |
| - name: Build docker image | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: . | |
| build-args: | | |
| CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.docker-metadata.outputs.tags }} | |
| labels: ${{ steps.docker-metadata.outputs.labels }} | |
| - name: Build docker image for scanning | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: . | |
| build-args: | | |
| CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} | |
| load: true | |
| tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan | |
| - name: Run Trivy vulnerability scanner (json output) | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan | |
| format: json | |
| output: trivy-results.json | |
| scanners: vuln | |
| - name: Upload Trivy scan results to Security Agent | |
| if: always() | |
| uses: hasura/security-agent-tools/upload-file@f16c24be07f6cc89535b6fcdab29e15b1ee799b0 # v1 | |
| with: | |
| file_path: trivy-results.json | |
| security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }} | |
| tags: | | |
| service=ndc-nodejs-lambda | |
| source_code_path=. | |
| docker_file_path=Dockerfile | |
| scanner=trivy | |
| image_name=${{ steps.docker-metadata.outputs.tags }} | |
| product_domain=hasura-ddn-data-plane | |
| team=engine | |
| - name: Fail build on High/Critical Vulnerabilities | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| skip-setup-trivy: true | |
| image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan | |
| format: table | |
| severity: CRITICAL,HIGH | |
| scanners: vuln | |
| ignore-unfixed: true | |
| exit-code: 1 | |
| - name: Push docker image | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| with: | |
| context: . | |
| build-args: | | |
| CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.docker-metadata.outputs.tags }} | |
| labels: ${{ steps.docker-metadata.outputs.labels }} | |
| push: true | |
| release-connector: | |
| name: Release connector | |
| defaults: | |
| run: | |
| working-directory: ./connector-definition | |
| runs-on: ubuntu-latest | |
| needs: | |
| - publish-npm | |
| - docker | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version-file: .nvmrc | |
| registry-url: https://registry.npmjs.org | |
| cache: npm | |
| cache-dependency-path: ./ndc-lambda-sdk/package-lock.json | |
| - name: Build connector definition | |
| run: make build | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: connector-definition.tgz | |
| path: ./connector-definition/dist/connector-definition.tgz | |
| compression-level: 0 # Already compressed | |
| - name: Get version from tag | |
| id: get-version | |
| run: | | |
| echo "tagged_version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT | |
| shell: bash | |
| - uses: mindsers/changelog-reader-action@97a0b06549019bb99a571f1664272db18031acff # v2 | |
| id: changelog-reader | |
| with: | |
| version: ${{ steps.get-version.outputs.tagged_version }} | |
| path: ./CHANGELOG.md | |
| - uses: softprops/action-gh-release@b21b43df682dab285bf5146c1955e7f3560805f8 # v1 | |
| with: | |
| draft: false | |
| tag_name: v${{ steps.get-version.outputs.tagged_version }} | |
| body: ${{ steps.changelog-reader.outputs.changes }} | |
| files: | | |
| ./connector-definition/dist/connector-definition.tgz | |
| fail_on_unmatched_files: true |