This repository contains a set of centrally configured, consistent and reusable CI pipeline components.
## actions-check-dist.yml

This workflow ensures that code changes in `/src` are reflected in the `/dist` folder produced by ncc.

```yaml
name: 'Dist Diff'
on:
  pull_request:
    types: [ opened, reopened, synchronize ]
jobs:
  diff:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/actions-check-dist.yml@v2
```
## anchore.yml

This workflow builds and scans a docker image using Anchore, optionally pushing it to a repository tagged with the commit SHA. When the `smoketest` label is applied, the image will be pushed to either Docker (default) or ECR.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: "Anchore Scan"
on:
  push:
    branches: [ "main" ]
  pull_request:
    types: [ labeled, opened, reopened, synchronize ]
  schedule:
    - cron: '45 12 * * 1'
jobs:
  scan:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-outbound-proxy'
    secrets: inherit
```
## anchore-gradle.yml

This workflow builds and scans a docker image using Anchore, optionally pushing it to a repository tagged with the commit SHA. When the `smoketest` label is applied, the image will be pushed to either Docker (default) or ECR.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: "Anchore Scan"
on:
  push:
    branches: [ "main" ]
  pull_request:
    types: [ labeled, opened, reopened, synchronize ]
  schedule:
    - cron: '45 12 * * 1'
jobs:
  scan:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore-gradle.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-frontend'
    secrets: inherit
```
## anchore-npm.yml

This workflow builds and scans a docker image using Anchore, optionally pushing it to a repository tagged with the commit SHA. When the `smoketest` label is applied, the image will be pushed to either Docker (default) or ECR.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: "Anchore Scan"
on:
  push:
    branches: [ "main" ]
  pull_request:
    types: [ labeled, opened, reopened, synchronize ]
  schedule:
    - cron: '45 12 * * 1'
jobs:
  scan:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore-npm.yml@v2
    with:
      installCommand: 'ci --production=false --no-optional'
      buildCommand: 'build-prod'
      image: 'quay.io/ukhomeofficedigital/hocs-frontend'
    secrets: inherit
```
## codeql-analysis-gradle.yml

This is a CodeQL static analysis action for JVM languages. This build can use the caching Gradle actions instead of a generic job that relies on the autobuild step. Typically, this is run on changes to source code only, ignoring test code.

```yaml
name: 'CodeQL'
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '45 12 * * 1'
jobs:
  analyze:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/codeql-analysis-gradle.yml@v2
```
## codeql-analysis-npm.yml

This is a CodeQL static analysis action for JavaScript. Because this is an interpreted language we don't need the autobuild step. Typically, this is run on changes to source code only, ignoring test code.

```yaml
name: 'CodeQL'
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '45 12 * * 1'
jobs:
  analyze:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/codeql-analysis-npm.yml@v2
```
## codeql-analysis-pip.yml

This is a CodeQL static analysis action for Python. Because this is an interpreted language we don't need the autobuild step. Typically, this is run on changes to source code only, ignoring test code.

```yaml
name: 'CodeQL'
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '45 12 * * 1'
jobs:
  analyze:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/codeql-analysis-pip.yml@v2
```
## semver-check.yml

This workflow ensures that exactly one `minor`, `major`, `patch`, or `skip-release` label is present on a PR.

```yaml
name: 'SemVer label Checker'
on:
  pull_request:
    types: [ labeled, unlabeled, opened, reopened, synchronize ]
jobs:
  check:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-check.yml@v2
```
## semver-tag.yml

This workflow tags the commit SHA with a SemVer value on PR merge.

- This will not trigger if a label with the value `skip-release` is added to the PR.
- This will increment the last SemVer tag by either `minor`, `major`, or `patch`.
- This will also walk a `major` version tag along with the SemVer value, e.g. `v1` with tag `1.2.3`.

```yaml
name: 'SemVer Tag'
on:
  pull_request:
    types: [ closed ]
jobs:
  check:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag.yml@v2
```
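The label rules that `semver-check.yml` and `semver-tag.yml` enforce, as an added shell illustration rather than the workflows' own code. It assumes the PR labels arrive as one space-separated string and the latest tag as a bare `MAJOR.MINOR.PATCH` value: it rejects PRs with zero or more than one release label, bumps the version for the label found, and derives the walking major tag.

```shell
#!/usr/bin/env bash
# Added illustration of the release-label rules above (not the workflows' own code).
# Assumptions: PR labels are passed as one space-separated string and the latest
# tag is a bare "MAJOR.MINOR.PATCH" value.
set -u
# Print the single release label among the PR labels; fail when zero or more than
# one is present, which is the condition the SemVer label Checker enforces.
release_label() {
  local found="" l
  for l in $1; do
    case "$l" in
      major|minor|patch|skip-release)
        if [ -n "$found" ]; then
          echo "error: more than one release label: $found, $l" >&2
          return 1
        fi
        found="$l" ;;
    esac
  done
  if [ -z "$found" ]; then
    echo "error: no release label (major, minor, patch or skip-release) found" >&2
    return 1
  fi
  echo "$found"
}
# Bump "MAJOR.MINOR.PATCH" according to the label; print nothing for skip-release,
# the case in which the tag workflow does not trigger at all.
next_semver() {
  local tag="$1" label="$2" major rest minor patch
  major=${tag%%.*}; rest=${tag#*.}; minor=${rest%%.*}; patch=${rest#*.}
  case "$label" in
    major) echo "$((major + 1)).0.0" ;;
    minor) echo "$major.$((minor + 1)).0" ;;
    patch) echo "$major.$minor.$((patch + 1))" ;;
    skip-release) ;;
    *) echo "error: unknown label: $label" >&2; return 1 ;;
  esac
}
# The walking major tag that is moved alongside the SemVer tag, e.g. 1.2.3 -> v1.
major_tag() {
  echo "v${1%%.*}"
}
```

Feeding the PR's label names to `release_label` and its output, together with the latest tag, to `next_semver` gives the tag the workflow would create; `major_tag` on that result gives the major tag to move alongside it.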
## publish-docker.yml

This workflow builds and publishes a docker image to either Docker (default) or ECR with a specified tag.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: 'Build, Tag, and Push Docker Image'
on:
  pull_request:
    types: [ closed ]
jobs:
  build:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/publish-docker.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-toolbox'
      tag: ${{ github.event.pull_request.head.sha }}
    secrets: inherit
```
## tag-docker.yml

This workflow builds and publishes a docker image to either Docker (default) or ECR with an arbitrary value. This arbitrary version is a required input into the workflow.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: 'Build Docker and Tag Repository'
on:
  pull_request:
    types: [ closed ]
jobs:
  build:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/tag-docker.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-toolbox'
      tag: ${{ github.sha }}
    secrets: inherit
```
## semver-tag-docker.yml

This workflow builds and publishes a docker image to either Docker (default) or ECR with a SemVer value.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: 'SemVer Tag and Docker Build'
on:
  pull_request:
    types: [ closed ]
jobs:
  build:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-docker.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-toolbox'
    secrets: inherit
```
## semver-tag-docker-gradle.yml

This workflow builds and publishes a docker image to either Docker (default) or ECR with a SemVer value.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: 'SemVer Tag and Docker Build'
on:
  pull_request:
    types: [ closed ]
jobs:
  build:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-docker-gradle.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-audit'
    secrets: inherit
```
## semver-tag-docker-npm.yml

This workflow builds and publishes a docker image to either Docker (default) or ECR with a SemVer value.

ECR

- Requires secret value of `AWS_ACCESS_KEY_ID`
- Requires secret value of `AWS_SECRET_ACCESS_KEY`

Docker

- Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`
- Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`

To push to ECR, an additional input is required within `with:`: `ecr: 'true'`.

```yaml
name: 'SemVer Tag and Docker Build'
on:
  pull_request:
    types: [ closed ]
jobs:
  build:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-docker-npm.yml@v2
    with:
      installCommand: 'ci --production=false --no-optional'
      buildCommand: 'build-prod'
      image: 'quay.io/ukhomeofficedigital/hocs-frontend'
    secrets: inherit
```
## semver-tag-npm.yml

This workflow builds and publishes an npm package with a SemVer value.

```yaml
name: 'SemVer Tag and npm Publish'
on:
  pull_request:
    types: [ closed ]
jobs:
  build:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-npm.yml@v2
    with:
      installCommand: 'ci --ignore-scripts'
    secrets: inherit
```
## test-npm.yml

This will run `npm run lint` and `npm test` on a repository after building it with `npm ci`.

- It will run tests in parallel against two versions of Node: `18` and `19`.
- Optionally this workflow will install dependencies required to run tests.
- Optionally this workflow will start components using docker-compose to run end-to-end tests against.

| Input | Required | Default | Effective command |
|---|---|---|---|
| `nodeVersionMatrix` | false | `[ "18.x", "19.x" ]` | |
| `installCommand` | false | `'ci'` | `npm --loglevel warn ci` |
| `buildCommand` | false | `'build'` | `npm run build` |
| `lintCommand` | false | `'lint'` | `npm run lint` |
| `osDependencies` | false | null | `sudo apt-get install -y [packages]` |
| `dockerComposeCommand` | false | `'./ci/docker-compose.yml'` | `docker-compose -f ./ci/docker-compose.yml up -d [components]` |
| `dockerComposeComponents` | false | null | |
| `healthcheckScript` | false | `'./ci/healthcheck.sh'` | `bash ./ci/healthcheck.sh` |

```yaml
name: 'Test'
on:
  pull_request:
    types: [ opened, reopened, synchronize ]
jobs:
  test:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/test-npm.yml@v2
```

```yaml
name: 'Test'
on:
  pull_request:
    types: [ opened, reopened, synchronize ]
jobs:
  test:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/test-npm.yml@v2
    with:
      dependencyCommand: 'ci --production=false --no-optional'
      buildCommand: 'build-prod'
      osDependencies: 'libreoffice'
      dockerComposeComponents: 'postgres'
```
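An added example of what a repository might keep at `./ci/healthcheck.sh` for the `healthcheckScript` input above (an illustration, not the workflow's own script): it polls a readiness command with a timeout so that the components started by `docker-compose ... up -d` are actually accepting connections before the end-to-end tests run, and fails the step otherwise. It assumes the compose file exposes Postgres on `localhost:5432` and that `pg_isready` is installed on the runner.

```shell
#!/usr/bin/env bash
# Added example of a ./ci/healthcheck.sh consumed by the test-npm workflow after
# `docker-compose ... up -d` (illustration, not the workflow's own script).
# Assumptions: Postgres is exposed on localhost:5432 and pg_isready is installed.
set -u

# wait_for TIMEOUT_SECONDS NAME COMMAND...
# Re-runs COMMAND once a second until it exits 0 or TIMEOUT_SECONDS have elapsed.
# Returns 0 when the component is ready and 1 on timeout, so the workflow step fails
# fast instead of running end-to-end tests against a half-started dependency.
wait_for() {
  local timeout="$1" name="$2"
  shift 2
  local waited=0
  until "$@" >/dev/null 2>&1; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "healthcheck: $name not ready after ${timeout}s" >&2
      return 1
    fi
    waited=$((waited + 1))
    sleep 1
  done
  echo "healthcheck: $name ready after ${waited}s"
}

# Only run the checks when invoked as the script itself (bash ./ci/healthcheck.sh),
# so wait_for can also be sourced and exercised on its own.
if [ "$(basename "$0")" = "healthcheck.sh" ]; then
  wait_for 60 postgres pg_isready -h localhost -p 5432 || exit 1
  # Each further dockerComposeComponents entry gets its own wait_for line here.
fi
```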
## test-python.yml

Supports an optional `pythonVersionMatrix` input that allows the Python version(s) to be specified. A default is defined in the workflow.

```yaml
name: 'Test'
on:
  pull_request:
    types: [ opened, reopened, synchronize ]
jobs:
  test:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/test-python.yml@v2
```