feat: pipelines with GitHub Actions

fcecagno · prlanzarin · commit 842b78ee4c9c · 2024-01-25T20:04:52.000-03:00
chore: remove unneeded bash installation from container feature: add pipeline to run the tests feature: add hadolint to build pipeline fix: copy configs for testing chore: split jobs chore: remove build cache chore: update build-push-action to v5 fix: unauthorized to push image fix: syntax feature: trivy pipeline fix: provide write access to trivy to upload the vulnerability report chore: add cache to build chore: update permissions and severity to trivy report fix: adjust cache chore: add trivy scanner to docker image as well fix: set trivy credentials fix: trivy format chore: activate cache chore: try to use github action cache for the image refactor: .dockerignore refactor: updates to build cache, image labels and tags, and conditions when the workflows run fix: make workflows reusable fix: yaml syntax fix: step name key chore: only build and push after hadolint and tests fix: add permission to write comments on issues/pr fix: adjust permissions chore: do not run workflows on release, only on tag fix: do not try to add comment to pr if not pr chore: add docs for the workflows refactor: change action to add pr comment which doesn't duplicate the same content Revert "refactor: change action to add pr comment which doesn't duplicate the same content" This reverts commit 4042453. chore: update comment message
diff --git a/.dockerignore b/.dockerignore
@@ -1,8 +1,17 @@
+.dockerignore
+.env
 .git/
-node_modules/
+.github/
+.gitignore
+.nvmrc
+*~
+*log.*
 *swn
 *swo
 *swp
-*~
-*log.*
-.env
+docker-compose.yaml
+Dockerfile
+example/
+extra/
+node_modules/
+test/
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,13 @@
+Add the following secrets to the GitHub repo:
+```
+REGISTRY_USERNAME
+REGISTRY_TOKEN
+```
+They are the credentials to be used to push the image to the docker images registry.
+
+Add the following variables to the GitHub repo:
+```
+REGISTRY_URI
+REGISTRY_ORGANIZATION
+```
+Considering the image `bigbluebutton/bbb-webhooks:v3.0.0`, the value for `REGISTRY_URI` would be `docker.io` (URI for DockerHub) and `REGISTRY_ORGANIZATION` would be `bigbluebutton`. The image name `bbb-webhooks` isn't configurable, and the tag will be the GitHub tag OR `pr-<pr number>`.
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -0,0 +1,100 @@
+name: Build and push image to registry
+on:
+  pull_request:
+    types:
+      - synchronize
+  push:
+    tags:
+      - '*'
+permissions:
+  contents: read
+jobs:
+  hadolint:
+    uses: ./.github/workflows/docker-lint.yml
+
+  tests:
+    uses: ./.github/workflows/docker-tests.yml
+
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      pull-requests: write
+    name: Build and push
+    runs-on: ubuntu-22.04
+    needs:
+      - hadolint
+      - tests
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.REGISTRY_URI }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - uses: rlespinasse/github-slug-action@v4
+
+      - name: Calculate tag
+        id: tag
+        run: |
+          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+            TAG="pr-${{ github.event.number }}"
+          else
+            TAG=${{ github.ref_name }}
+          fi
+          echo "IMAGE=${{ vars.REGISTRY_URI }}/${{ vars.REGISTRY_ORGANIZATION }}/bbb-webhooks:$TAG" >> $GITHUB_OUTPUT
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ steps.tag.outputs.IMAGE }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ steps.tag.outputs.IMAGE }}
+          context: .
+          platforms: linux/amd64
+          cache-from: type=registry,ref=${{ steps.tag.outputs.IMAGE }}
+          cache-to: type=registry,ref=${{ steps.tag.outputs.IMAGE }},image-manifest=true,oci-mediatypes=true,mode=max
+          labels: |
+            ${{ steps.meta.outputs.labels }}
+
+      - name: Add comment to pr
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: "Updated Docker image pushed to `${{ steps.tag.outputs.IMAGE }}`"
+            })
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.tag.outputs.IMAGE }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          TRIVY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
@@ -0,0 +1,19 @@
+name: Run hadolint
+on:
+  workflow_dispatch:
+  workflow_call:
+permissions:
+  contents: read
+jobs:
+  hadolint:
+    name: Run hadolint check
+    runs-on: ubuntu-22.04
+
+    steps:
+    - uses: actions/checkout@v3
+
+    # TODO add hadolint output as comment on PR
+    # https://github.com/hadolint/hadolint-action#output
+    - uses: hadolint/hadolint-action@v3.1.0
+      with:
+        dockerfile: Dockerfile
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -0,0 +1,30 @@
+name: Run trivy on filesystem
+on:
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  trivy:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Run trivy check
+    runs-on: ubuntu-22.04
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/docker-tests.yml b/.github/workflows/docker-tests.yml
@@ -0,0 +1,52 @@
+name: Run tests
+on:
+  workflow_dispatch:
+  workflow_call:
+permissions:
+  contents: read
+jobs:
+  tests:
+    name: Run tests
+    # https://docs.github.com/en/actions/using-containerized-services/creating-redis-service-containers#running-jobs-in-containers
+    # Containers must run in Linux based operating systems
+    runs-on: ubuntu-22.04
+    # Docker Hub image that `container-job` executes in
+    container: node:20-alpine
+
+    # Service containers to run with `container-job`
+    services:
+      # Label used to access the service container
+      redis:
+        # Docker Hub image
+        image: redis
+        # Set health checks to wait until redis has started
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      # Downloads a copy of the code in your repository before running CI tests
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      # Performs a clean installation of all dependencies in the `package.json` file
+      # For more information, see https://docs.npmjs.com/cli/ci.html
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Copy config
+        run: cp config/default.example.yml config/default.yml
+
+      - name: Run tests
+        # Runs a script that creates a Redis client, populates
+        # the client with data, and retrieves data
+        run: npm run test
+        # Environment variable used by the `client.js` script to create a new Redis client.
+        env:
+          # The hostname used to communicate with the Redis service container
+          REDIS_HOST: redis
+          # The default Redis port
+          REDIS_PORT: 6379
+          XAPI_ENABLED: true
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,5 @@
 FROM node:20-alpine
 
-RUN apk add --no-cache bash
-
 WORKDIR /app
 
 COPY package.json package-lock.json ./
diff --git a/config/custom-environment-variables.yml b/config/custom-environment-variables.yml
@@ -57,3 +57,5 @@ modules:
       requestTimeout:
         __name: REQUEST_TIMEOUT
         __format: json
+  ../out/xapi/index.js:
+    enabled: XAPI_ENABLED
