Update frontend #12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Frontend CI/CD - Development | |
| on: | |
| push: | |
| branches: [ "dev" ] | |
| paths: | |
| - 'frontend/**' | |
| - 'helm/frontend/**' | |
| pull_request: | |
| branches: [ "dev" ] | |
| paths: | |
| - 'frontend/**' | |
| - 'helm/frontend/**' | |
| env: | |
| AWS_REGION: ap-southeast-1 | |
| SECRETS_MANAGER_SECRET_NAME: devsecops/tokens | |
| ENVIRONMENT: dev | |
| jobs: | |
| GitLeaks: | |
| runs-on: ubuntu-latest | |
| name: Check for leaked secrets | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: GitLeaks Scan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| Build: | |
| runs-on: ubuntu-latest | |
| needs: GitLeaks | |
| name: Unit Test and Build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20.x' | |
| cache: npm | |
| cache-dependency-path: frontend/package-lock.json | |
| - name: Install dependencies | |
| run: | | |
| cd frontend | |
| npm install | |
| - name: Test and coverage | |
| run: | | |
| cd frontend | |
| npm run test || true | |
| helm-validate: | |
| runs-on: ubuntu-latest | |
| needs: Build | |
| name: Validate Helm Chart | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: '3.12.0' | |
| - name: Lint Helm Chart | |
| run: | | |
| helm lint helm/frontend | |
| - name: Template Helm Chart (Dev) | |
| run: | | |
| helm template whattoeat-frontend helm/frontend \ | |
| --values helm/frontend/values-dev.yaml \ | |
| --set image.tag=dev-test-tag | |
| SAST: | |
| runs-on: ubuntu-latest | |
| needs: helm-validate | |
| name: SAST - SonarCloud | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Get secrets from AWS Secrets Manager | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ${{ env.SECRETS_MANAGER_SECRET_NAME }} | |
| parse-json-secrets: true | |
| - name: SonarCloud Scan | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ env.DEVSECOPS_TOKENS_SONAR_TOKEN }} | |
| with: | |
| args: > | |
| -Dsonar.organization=giabao-22520120 | |
| -Dsonar.projectKey=giabao-22520120_devsecops | |
| SCA: | |
| runs-on: ubuntu-latest | |
| needs: SAST | |
| name: SCA Scans | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Get secrets from AWS Secrets Manager | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ${{ env.SECRETS_MANAGER_SECRET_NAME }} | |
| parse-json-secrets: true | |
| - name: Run Snyk | |
| uses: snyk/actions/node@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ env.DEVSECOPS_TOKENS_SNYK_TOKEN }} | |
| with: | |
| command: test | |
| args: --file=frontend/package.json | |
| - name: OWASP Dependency Check | |
| uses: dependency-check/Dependency-Check_Action@main | |
| continue-on-error: true # Don't block dev workflow | |
| with: | |
| project: 'Frontend-Dev' | |
| path: 'frontend' | |
| format: 'HTML' | |
| out: 'reports' | |
| DAST: | |
| runs-on: ubuntu-latest | |
| needs: SCA | |
| name: DAST - ZAP | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: main | |
| - name: ZAP Scan | |
| uses: zaproxy/action-baseline@v0.11.0 | |
| continue-on-error: true | |
| with: | |
| target: 'https://example.com/' | |
| allow_issue_writing: false | |
| fail_action: false | |
| artifact_name: 'zap-scan-report' | |
| docker: | |
| runs-on: ubuntu-latest | |
| needs: DAST | |
| name: Build and push Docker image | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Get Docker Hub secrets from AWS Secrets Manager | |
| uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ${{ env.SECRETS_MANAGER_SECRET_NAME }} | |
| parse-json-secrets: true | |
| - name: Set version | |
| id: vars | |
| run: | | |
| echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| echo "dev_tag=dev-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: false | |
| load: true | |
| build-args: | | |
| API_URL=https://vvbcaer9bc.execute-api.ap-southeast-1.amazonaws.com/default | |
| tags: | | |
| baotg0502/devsecops:${{ steps.vars.outputs.dev_tag }} | |
| baotg0502/devsecops:dev-latest | |
| context: ./frontend | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'baotg0502/devsecops:${{ steps.vars.outputs.dev_tag }}' | |
| format: 'table' | |
| exit-code: '0' # Don't fail on dev branch | |
| severity: 'CRITICAL,HIGH' | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ env.DEVSECOPS_TOKENS_DOCKERHUB_USERNAME }} | |
| password: ${{ env.DEVSECOPS_TOKENS_DOCKERHUB_TOKEN }} | |
| - name: Push Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| build-args: | | |
| API_URL=https://vvbcaer9bc.execute-api.ap-southeast-1.amazonaws.com/default | |
| tags: | | |
| baotg0502/devsecops:${{ steps.vars.outputs.dev_tag }} | |
| baotg0502/devsecops:dev-latest | |
| context: ./frontend | |
| update-helm-values: | |
| runs-on: ubuntu-latest | |
| needs: docker | |
| name: Update Dev Helm Values | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set version | |
| id: vars | |
| run: echo "dev_tag=dev-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: Update Helm values for dev environment | |
| run: | | |
| NEW_TAG="${{ steps.vars.outputs.dev_tag }}" | |
| VALUES_FILE="helm/frontend/values-dev.yaml" | |
| # Update the image tag in dev values file | |
| sed -i "s|tag: \".*\"|tag: \"${NEW_TAG}\"|g" $VALUES_FILE | |
| echo "Updated $VALUES_FILE with new image tag: $NEW_TAG" | |
| cat $VALUES_FILE | |
| - name: Commit and push changes | |
| run: | | |
| NEW_TAG="${{ steps.vars.outputs.dev_tag }}" | |
| git config --global user.name "GitHub Actions [Dev]" | |
| git config --global user.email "github-actions-dev@github.com" | |
| git add helm/frontend/values-dev.yaml | |
| git commit -m "π Update dev frontend image to ${NEW_TAG} [skip ci]" || exit 0 | |
| git push | |
| notify-deployment: | |
| runs-on: ubuntu-latest | |
| needs: update-helm-values | |
| name: Notify Dev Deployment | |
| steps: | |
| - name: Development Deployment Notification | |
| run: | | |
| echo "π Development deployment initiated!" | |
| echo "π Environment: Development" | |
| echo "π ArgoCD will auto-sync the changes" | |
| echo "π Monitor at: https://argocd.your-domain.com" | |
| echo "π± Application: whattoeat-frontend-dev" |