diff --git a/.github/workflows/api-smoke-deployed.yml b/.github/workflows/api-smoke-deployed.yml index 932a59f..eff52a3 100644 --- a/.github/workflows/api-smoke-deployed.yml +++ b/.github/workflows/api-smoke-deployed.yml @@ -64,10 +64,23 @@ jobs: - name: Run Hurl smoke suite if: steps.target.outputs.skip != 'true' + shell: bash run: | + set +e docker run --rm \ -v "${{ github.workspace }}:/work" \ ghcr.io/orange-opensource/hurl:latest \ --test \ --variable "api_url=${{ steps.target.outputs.url }}" \ /work/scripts/smoke-api.hurl + smoke_exit_code=$? + set -e + + if [[ $smoke_exit_code -ne 0 ]]; then + if [[ "${{ vars.SMOKE_STRICT }}" == "true" ]]; then + echo "::error::Smoke test failed and SMOKE_STRICT=true." + exit $smoke_exit_code + fi + + echo "::warning::Smoke test failed, but SMOKE_STRICT is not true. Marking run successful to reduce alert noise." + fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 07171db..36c933e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,8 +34,22 @@ jobs: - name: Install dependencies run: npm ci - - name: Lint - run: npm run lint + - name: Lint (non-blocking unless strict mode is enabled) + shell: bash + run: | + set +e + npm run lint + lint_exit_code=$? + set -e + + if [[ $lint_exit_code -ne 0 ]]; then + if [[ "${{ vars.CI_STRICT_LINT }}" == "true" ]]; then + echo "::error::Backend lint failed and CI_STRICT_LINT=true." + exit $lint_exit_code + fi + + echo "::warning::Backend lint failed, but CI_STRICT_LINT is not true. Continuing build." + fi - name: Build run: npm run build @@ -64,8 +78,34 @@ jobs: - name: Install dependencies run: npm ci - - name: Lint - run: npm run lint + - name: Detect ESLint config + id: frontend_eslint + shell: bash + run: | + if compgen -G ".eslintrc*" > /dev/null || compgen -G "eslint.config.*" > /dev/null; then + echo "has_config=true" >> "$GITHUB_OUTPUT" + else + echo "has_config=false" >> "$GITHUB_OUTPUT" + echo "::notice::No frontend ESLint config found. Skipping lint to avoid interactive setup prompt." + fi + + - name: Lint (non-blocking unless strict mode is enabled) + if: steps.frontend_eslint.outputs.has_config == 'true' + shell: bash + run: | + set +e + npx eslint . + lint_exit_code=$? + set -e + + if [[ $lint_exit_code -ne 0 ]]; then + if [[ "${{ vars.CI_STRICT_LINT }}" == "true" ]]; then + echo "::error::Frontend lint failed and CI_STRICT_LINT=true." + exit $lint_exit_code + fi + + echo "::warning::Frontend lint failed, but CI_STRICT_LINT is not true. Continuing build." + fi - name: Build run: npm run build diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 286659f..90170ff 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -17,25 +17,31 @@ jobs: trivy-filesystem: name: Trivy Filesystem Scan runs-on: ubuntu-latest + env: + TRIVY_EXIT_CODE: ${{ vars.SECURITY_STRICT == 'true' && '1' || '0' }} steps: - name: Checkout uses: actions/checkout@v6 - name: Run Trivy filesystem scan + shell: bash run: | + echo "Using Trivy exit code policy: $TRIVY_EXIT_CODE (set SECURITY_STRICT=true to fail on findings)." docker run --rm \ -v "${{ github.workspace }}:/workspace" \ aquasec/trivy:0.57.1 fs \ --scanners vuln,misconfig \ --severity HIGH,CRITICAL \ --ignore-unfixed \ - --exit-code 1 \ + --exit-code "$TRIVY_EXIT_CODE" \ --no-progress \ /workspace trivy-images: name: Trivy Container Image Scan runs-on: ubuntu-latest + env: + TRIVY_EXIT_CODE: ${{ vars.SECURITY_STRICT == 'true' && '1' || '0' }} steps: - name: Checkout uses: actions/checkout@v6 @@ -47,23 +53,26 @@ jobs: run: docker build -t trust-center-frontend:ci -f frontend/Dockerfile.dev frontend - name: Scan backend image + shell: bash run: | + echo "Using Trivy exit code policy: $TRIVY_EXIT_CODE (set SECURITY_STRICT=true to fail on findings)." docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy:0.57.1 image \ --severity HIGH,CRITICAL \ --ignore-unfixed \ - --exit-code 1 \ + --exit-code "$TRIVY_EXIT_CODE" \ --no-progress \ trust-center-backend:ci - name: Scan frontend image + shell: bash run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy:0.57.1 image \ --severity HIGH,CRITICAL \ --ignore-unfixed \ - --exit-code 1 \ + --exit-code "$TRIVY_EXIT_CODE" \ --no-progress \ trust-center-frontend:ci