Update scan_security-hub-jira-integration.yml #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy | |
| on: | |
| push: | |
| branches: | |
| - "*" | |
| - "dependabot/**" | |
| - "!skipci*" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref_name }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: read | |
| jobs: | |
| unit-tests: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: 'Setup jq' | |
| uses: dcarbone/[email protected] | |
| with: | |
| version: '${{ inputs.version }}' | |
| force: '${{ inputs.force }}' | |
| - name: 'Check jq' | |
| # language=sh | |
| run: | | |
| which jq | |
| jq --version | |
| - name: set variable values | |
| run: ./.github/build-vars.sh set_values | |
| env: | |
| CODE_CLIMATE_ID: ${{ secrets.CODE_CLIMATE_ID }} | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version-file: ".nvmrc" | |
| - uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock', 'plugins/**') }} | |
| - name: set path | |
| run: | | |
| echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> $GITHUB_ENV | |
| - name: run unit tests | |
| run: ./scripts/test-unit.sh | |
| - name: publish test coverage to code climate | |
| if: env.CODE_CLIMATE_ID != '' | |
| uses: paambaati/codeclimate-action@v5 | |
| env: | |
| CC_TEST_REPORTER_ID: ${{ secrets.CODE_CLIMATE_ID }} | |
| with: | |
| coverageLocations: | | |
| ${{github.workspace}}/services/app-api/coverage/lcov.info:lcov | |
| ${{github.workspace}}/services/ui-src/coverage/lcov.info:lcov | |
| - name: Store unit test results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: unit_test_results | |
| path: ${{github.workspace}}/services/ui-src/coverage/lcov.info | |
| deploy: | |
| needs: unit-tests | |
| runs-on: ubuntu-latest | |
| env: | |
| SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: set branch_name # Some integrations (Dependabot & Snyk) build very long branch names. This is a switch to make long branch names shorter. | |
| run: | | |
| BRANCH_NAME=$(./.github/setBranchName.sh ${{ github.ref_name }}) | |
| echo "branch_name=${BRANCH_NAME}" >> $GITHUB_ENV | |
| - name: Validate branch name | |
| run: ./.github/branch-name-validation.sh $STAGE_PREFIX$branch_name | |
| - name: set branch specific variable names | |
| run: ./.github/build-vars.sh set_names | |
| - name: set variable values | |
| run: ./.github/build-vars.sh set_values | |
| env: | |
| AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
| AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
| STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| CODE_CLIMATE_ID: ${{ secrets.CODE_CLIMATE_ID }} | |
| - name: Configure AWS credentials for GitHub Actions | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }} | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version-file: ".nvmrc" | |
| - uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock', 'plugins/**') }} | |
| - name: set path | |
| run: | | |
| echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> $GITHUB_ENV | |
| - name: deploy | |
| run: | | |
| # When deploying multiple copies of this quickstart to the same AWS Account (not ideal), a prefix helps prevent stepping on each other. | |
| # This can optionally be set as an GitHub Actions Secret | |
| ./scripts/deploy.sh $STAGE_PREFIX$branch_name | |
| - id: endpoint | |
| run: | | |
| APPLICATION_ENDPOINT=$(./output.sh ui ApplicationEndpointUrl $STAGE_PREFIX$branch_name) | |
| echo "application_endpoint=$APPLICATION_ENDPOINT" >> $GITHUB_OUTPUT | |
| echo "## Application Endpoint" >> $GITHUB_STEP_SUMMARY | |
| echo "<$APPLICATION_ENDPOINT>" >> $GITHUB_STEP_SUMMARY | |
| working-directory: services | |
| - name: Slack Notification | |
| uses: rtCamp/action-slack-notify@v2 | |
| if: env.SLACK_WEBHOOK_URL != '' && contains(fromJson('["main", "val", "production"]'), env.branch_name) && failure () | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| SLACK_USERNAME: Destroy Alerts | |
| SLACK_ICON_EMOJI: ":bell:" | |
| SLACK_COLOR: ${{job.status}} | |
| SLACK_FOOTER: "" | |
| MSG_MINIMAL: actions url,commit,ref | |
| outputs: | |
| application_endpoint: ${{ steps.endpoint.outputs.application_endpoint}} | |
| BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION }} | |
| BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME }} | |
| # ipset_name: ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }} | |
| # ipset_id: ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }} | |
| e2e-test: | |
| name: E2E Integration Tests | |
| needs: deploy | |
| if: ${{ github.ref_name != 'production' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: set branch_name | |
| run: | | |
| BRANCH_NAME=$(./.github/setBranchName.sh ${{ github.ref_name }}) | |
| echo "branch_name=${BRANCH_NAME}" >> $GITHUB_ENV | |
| - name: set branch specific variable names | |
| id: set_names | |
| run: ./.github/build-vars.sh set_names | |
| - name: set variable values | |
| id: set_values | |
| run: ./.github/build-vars.sh set_values | |
| env: | |
| AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
| AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
| STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }} | |
| - name: Configure AWS credentials for GitHub Actions | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
| aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
| - name: output account id | |
| id: output_account_id | |
| run: | | |
| #!/bin/bash | |
| AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) | |
| echo "Current Account ID: ${AWS_ACCOUNT_ID}" | |
| - name: Get Github Actions CIDR Blocks | |
| id: get-gha-cidrs | |
| shell: bash | |
| run: | | |
| #! /bin/bash | |
| GHA_RESP=$(curl --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' https://api.github.com/meta) | |
| echo "Response for GHA runner CIDR blocks: $GHA_RESP" | |
| IPV4_CIDR_ARR=($(echo $GHA_RESP | jq -r '.actions | .[]' | grep -v ':')) | |
| GHA_CIDRS_IPV4=$(echo $(IFS=" "; echo ${IPV4_CIDR_ARR[*]})) | |
| echo "GHA_CIDRS_IPV4=$GHA_CIDRS_IPV4" >> $GITHUB_OUTPUT | |
| - name: Generate IP Set Name | |
| id: gen-ip-set-name | |
| run: | | |
| #!/bin/bash | |
| STAGE_GH_IPSET_NAME=$STAGE_PREFIX$branch_name-gh-ipset | |
| echo "Github IP Set name: $STAGE_GH_IPSET_NAME" | |
| echo "STAGE_GH_IPSET_NAME=$STAGE_GH_IPSET_NAME" >> $GITHUB_OUTPUT | |
| - name: Fetch AWS IP set Metadata | |
| id: fetch-ip-set-info | |
| run: | | |
| #!/bin/bash | |
| # Fetch AWS IP set ARNs using AWS CLI and store them in a variable | |
| AWS_IP_SET_INFO=$(aws wafv2 list-ip-sets --scope=CLOUDFRONT) | |
| echo "Outputting AWS IP Set Info: ${AWS_IP_SET_INFO}" | |
| # Store the IP set ARNs in an output variable using GITHUB_OUTPUT | |
| IPSET_NAME=${{ steps.gen-ip-set-name.outputs.STAGE_GH_IPSET_NAME }} | |
| IPSET=$(jq '.IPSets | map(select(.Name == "'${IPSET_NAME}'")) | .[]' <<< ${AWS_IP_SET_INFO}) | |
| [ -z "$IPSET" ] && echo "IP Set with name ${IPSET_NAME} was not located. Exiting..." && exit 1 | |
| echo "IP Set metadata: ${IPSET}" | |
| #Get Values from the IP SET | |
| IPSET_ID=$(jq -r '.Id' <<< ${IPSET}) | |
| echo "IPSET_ARN=$IPSET_ARN" >> $GITHUB_OUTPUT | |
| echo "IPSET_NAME=$IPSET_NAME" >> $GITHUB_OUTPUT | |
| echo "IPSET_ID=$IPSET_ID" >> $GITHUB_OUTPUT | |
| - name: Update IP Set | |
| id: update-ip-set | |
| run: ./.github/waf-controller.sh set ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }} ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }} ${{ steps.get-gha-cidrs.outputs.GHA_CIDRS_IPV4 }} | |
| env: | |
| AWS_RETRY_MODE: adaptive | |
| AWS_MAX_ATTEMPTS: 10 | |
| - name: Run Cypress Tests | |
| uses: cypress-io/github-action@v5 | |
| with: | |
| working-directory: tests/cypress | |
| spec: | | |
| tests/e2e/*.spec.js | |
| tests/e2e/**/*.feature | |
| browser: chrome | |
| config: baseUrl=${{ needs.deploy.outputs.application_endpoint }} | |
| wait-on: ${{ needs.deploy.outputs.application_endpoint }} | |
| env: true | |
| env: | |
| CYPRESS_STATE_USER_EMAIL: ${{ secrets.CYPRESS_STATE_USER_EMAIL }} | |
| CYPRESS_STATE_USER_PASSWORD: ${{ secrets.CYPRESS_STATE_USER_PASSWORD }} | |
| CYPRESS_ADMIN_USER_EMAIL: ${{ secrets.CYPRESS_ADMIN_USER_EMAIL }} | |
| CYPRESS_ADMIN_USER_PASSWORD: ${{ secrets.CYPRESS_ADMIN_USER_PASSWORD }} | |
| - name: Upload screenshots | |
| uses: actions/upload-artifact@v3 | |
| if: failure() | |
| with: | |
| name: cypress-screenshots | |
| path: | | |
| tests/cypress/screenshots/ | |
| tests/cypress/videos/ | |
| outputs: | |
| ipset_name: ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }} | |
| ipset_id: ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }} | |
| a11y-tests: | |
| name: E2E A11y Tests | |
| needs: deploy | |
| if: ${{ github.ref_name != 'production' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Check Project A11y | |
| uses: cypress-io/github-action@v5 | |
| with: | |
| working-directory: tests/cypress | |
| spec: tests/accessibility/*.feature | |
| browser: chrome | |
| config: baseUrl=${{ needs.deploy.outputs.application_endpoint }} | |
| wait-on: ${{ needs.deploy.outputs.application_endpoint }} | |
| env: true | |
| env: | |
| CYPRESS_STATE_USER_EMAIL: ${{ secrets.CYPRESS_STATE_USER_EMAIL }} | |
| CYPRESS_STATE_USER_PASSWORD: ${{ secrets.CYPRESS_STATE_USER_PASSWORD }} | |
| CYPRESS_ADMIN_USER_EMAIL: ${{ secrets.CYPRESS_ADMIN_USER_EMAIL }} | |
| CYPRESS_ADMIN_USER_PASSWORD: ${{ secrets.CYPRESS_ADMIN_USER_PASSWORD }} | |
| RUN_PA11Y: true | |
| - name: Upload screenshots | |
| uses: actions/upload-artifact@v3 | |
| if: failure() | |
| with: | |
| name: cypress-screenshots | |
| path: | | |
| tests/cypress/screenshots/ | |
| tests/cypress/videos/ | |
| cleanup: | |
| name: Delist GHA Runner CIDR Blocks | |
| if: ${{ github.ref != 'refs/heads/production' }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - deploy | |
| - a11y-tests | |
| - e2e-test | |
| env: | |
| SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Configure AWS credentials for GitHub Actions | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
| aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
| - name: cleanup-ip-list | |
| id: reset-ip-set | |
| run: ./.github/waf-controller.sh set ${{ needs.e2e-test.outputs.ipset_name }} ${{ needs.e2e-test.outputs.ipset_id }} '[]' | |
| env: | |
| AWS_RETRY_MODE: adaptive | |
| AWS_MAX_ATTEMPTS: 10 |