feat: adding github actions

vadim-unit · vadim-unit · commit ca0c31ee4195 · 2024-10-17T14:30:16.000+03:00
diff --git a/.github/workflows/CI-appsec-blackduck-master.yml b/.github/workflows/CI-appsec-blackduck-master.yml
@@ -0,0 +1,75 @@
+name: CI-AppSec [Master]
+on:
+  schedule:
+    #At 13:00 on every day-of-week from Sunday through Thursday.
+    - cron: '0 13 * * SUN-THU'
+  workflow_dispatch:
+  #The workflow will only run when a push that includes a change to the package.json file is made in the main branch.
+  push:
+    branches:
+      - main
+    paths:
+      - 'package.json'
+
+jobs:
+  blackduck-scan:
+    runs-on: [ ubuntu-latest ]
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v3
+
+
+      - name: Black Duck Full Scan
+        uses: synopsys-sig/synopsys-action@v1.6.0
+
+        ### Use below configuration to set specific detect environment variables
+        env:
+          DETECT_PROJECT_NAME: ${{ github.event.repository.name }}
+          DETECT_PROJECT_VERSION_NAME: main
+        with:
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackduck_scan_full: true
+  
+          ### Accepts Multiple Values
+          blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'
+  
+          ### Uncomment below configuration to enable automatic fix pull request creation if vulnerabilities are reported
+          blackduck_fixpr_enabled: true
+          blackduck_fixpr_maxCount: 5
+          blackduck_fixpr_filter_severities: 'CRITICAL,HIGH'
+          blackduck_fixpr_useUpgradeGuidance: 'SHORT_TERM,LONG_TERM'
+          github_token: ${{ secrets.GITHUB_TOKEN }} # Mandatory when blackduck_fixpr_enabled is set to 'true'
+  
+          ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded
+          # include_diagnostics: true
+
+      - name: If failed - Configure 1Password Service Account For Slack Webhook URL Secret
+        uses: 1password/load-secrets-action/configure@v1
+        if: ${{ failure() }}
+        with:
+            service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: If failed - Load Slack Webhook URL Secret
+        uses: 1password/load-secrets-action@v1
+        if: ${{ failure() }}
+        with:
+            export-env: true
+        env:
+            SLACK_WEBHOOK_URL: op://Security/slack-appsec-blackduck-alerts/webhook-url
+      - name: If failed - Report failure to Slack 
+        #Slack channel: appsec-blackduck-alerts
+        uses: ravsamhq/notify-slack-action@v2   
+        if: ${{ failure() }}
+        with:
+           status: ${{ job.status }}
+           token: ${{ secrets.GITHUB_TOKEN }}
+           notification_title: "{workflow} has {status_message}"
+           message_format: "{emoji} *{workflow}* {status_message} in <{run_url}|{repo}>"
+           footer: "Linked Run <{run_url}|{repo}>"
+           notify_when: "failure"
+           mention_users: "U040AD4BT42"
+           mention_users_when: "failure,warnings"
+           mention_groups: "!channel"
+        env:
+           SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
+
diff --git a/.github/workflows/CI-appsec-blackduck-pr.yml b/.github/workflows/CI-appsec-blackduck-pr.yml
@@ -0,0 +1,62 @@
+name: CI-AppSec [PR]
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  blackduck-scan:
+    runs-on: [ ubuntu-latest ]
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v3
+
+      - name: Black Duck PR Scan
+        uses: synopsys-sig/synopsys-action@v1.6.0
+  
+        ### Use below configuration to set specific detect environment variables
+        env:
+          DETECT_PROJECT_NAME: ${{ github.event.repository.name }}
+          DETECT_PROJECT_VERSION_NAME: main
+        with:
+          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+          blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackduck_scan_full: false
+  
+          ### Below configuration is used to enable automatic pull request comment based on Black Duck scan result
+          blackduck_prComment_enabled: true
+          github_token: ${{ secrets.GITHUB_TOKEN }} 
+          # Mandatory when blackduck_automation_prcomment is set to 'true'
+
+          ### Uncomment below configuration if Synopsys Bridge diagnostic files needs to be uploaded
+          # include_diagnostics: true
+
+      - name: If failed - Configure 1Password Service Account For Slack Webhook URL Secret
+        uses: 1password/load-secrets-action/configure@v1
+        if: ${{ failure() }}
+        with:
+            service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: If failed - Load Slack Webhook URL Secret
+        uses: 1password/load-secrets-action@v1
+        if: ${{ failure() }}
+        with:
+            export-env: true
+        env:
+            SLACK_WEBHOOK_URL: op://Security/slack-appsec-blackduck-alerts/webhook-url
+      - name: If failed - Report failure to Slack 
+        #Slack channel: appsec-blackduck-alerts
+        uses: ravsamhq/notify-slack-action@v2   
+        if: ${{ failure() }}
+        with:
+           status: ${{ job.status }}
+           token: ${{ secrets.GITHUB_TOKEN }}
+           notification_title: "{workflow} has {status_message}"
+           message_format: "{emoji} *{workflow}* {status_message} in <{run_url}|{repo}>"
+           footer: "Linked Run <{run_url}|{repo}>"
+           notify_when: "failure"
+           mention_users: "U040AD4BT42"
+           mention_users_when: "failure,warnings"
+           mention_groups: "!channel"
+        env:
+           SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
+
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -0,0 +1,19 @@
+name: CI
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 16.x
+      - run: npm ci
+      - run: npm run build
+      - run: |
+          touch .env
+          echo UNIT_TOKEN=${{ secrets.UNIT_TOKEN }} >> .env
+          echo UNIT_API_URL=${{ secrets.UNIT_API_URL }} >> .env
+          echo TEST_COUNTERPARTY_PLAID_TOKEN=${{ secrets.TEST_COUNTERPARTY_PLAID_TOKEN }} >> .env
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -0,0 +1,33 @@
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  publish:
+    if: github.repository_owner == 'unit-finance'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 16
+      - run: npm install
+      - run: npm run build
+      - name: Publish to NPM
+        id: publish
+        uses: JS-DevTools/npm-publish@v1
+        with:
+          token: ${{ secrets.NPM_TOKEN }}
+      - name: Create Tag & Release
+        if: steps.publish.outputs.type != 'none'
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.publish.outputs.version }}
+          release_name: Release ${{ steps.publish.outputs.version }}
+          body: ${{ steps.publish.outputs.version }}
+          draft: false
+          prerelease: false
