Skip to content

Fix Sonar workflow: Update IAM role and build DB from source cdc-sandbox/db #2979

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
EmmanuelNwa247 wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Fix Sonar workflow: Update IAM role and build DB from source cdc-sandbox/db #2979

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
232 changes: 119 additions & 113 deletions .github/workflows/sonar.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,113 +1,119 @@
# This workflow is used to perform static code analysis on a gradle build

name: "Sonar Scanner"

on:
workflow_call:
secrets:
CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID:
description: "Secret named CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID where ECR resides."
required: true
PASSED_GITHUB_TOKEN:
description: "Secret named GITHUB_TOKEN that references the github token for this repository."
required: true
SONAR_TOKEN:
description: "Secret named SONAR_TOKEN that references the sonar token secret corresponding to the project in sonarcloud."
required: true
DATABASE_USER:
description: "Secret named DATABASE_USER that references the test database container default username"
required: true
DATABASE_PASSWORD:
description: "Secret named DATABASE_PASSWORD that references the test database container default password"
required: true
TOKEN_SECRET:
description: "Secret named TOKEN_SECRET that references a default JWT token key"
required: true
PARAMETER_SECRET:
description: "Secret named PARAMETER_SECRET that references a default key for encrypting search parameters"
required: true
pull_request:
paths:
- "apps/**"
- "!apps/modernization-ui/**"
- "libs/**"
- "build.gradle"
- "settings.gradle"
- "gradle/**"
- ".github/workflows/sonar.yaml"
env:
deployment_env: dev
accountid: ${{secrets.CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID}}
passed_github_token: ${{secrets.PASSED_GITHUB_TOKEN}}
sonar_token: ${{secrets.SONAR_TOKEN}}
test_database_user: ${{secrets.DATABASE_USER}}
test_database_password: ${{secrets.DATABASE_PASSWORD}}
token_secret: ${{secrets.TOKEN_SECRET}}
parameter_secret: ${{secrets.PARAMETER_SECRET}}

jobs:
pipeline:
name: Build and analyze
runs-on: ubuntu-latest

permissions:
id-token: write
contents: read

steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

- name: Set up JDK 21
uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: "21"

- name: Cache Gradle packages
uses: actions/cache@v4
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle

- name: Configure Environment Variables
run: |
github_repo_name="$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)"
echo "github_repo_name=$github_repo_name" >> $GITHUB_ENV

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: "arn:aws:iam::${{ env.accountid }}:role/cdc-github-${{ env.github_repo_name }}-${{ env.deployment_env }}-role"
aws-region: us-east-1

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1

- name: Login to ECR docker registry
uses: docker/login-action@v2
with:
registry: ${{ env.accountid }}.dkr.ecr.us-east-1.amazonaws.com

- name: Build and analyze
working-directory: ./
env:
GITHUB_TOKEN: ${{ env.passed_github_token }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ env.sonar_token }}
DATABASE_USER: ${{env.test_database_user}}
DATABASE_PASSWORD: ${{ env.test_database_password }}
TOKEN_SECRET: ${{ env.token_secret }}
PARAMETER_SECRET: ${{ env.parameter_secret }}
run: ./gradlew clean build codeCoverageReport sonar -Dtesting.database.image=${{ env.accountid }}.dkr.ecr.us-east-1.amazonaws.com/cdc-nbs-modernization/modernization-test-db:6.0.17.1

- name: Zip test report
run: zip -r test-report.zip ./build/reports/*

- name: Publish Testing Reports
uses: actions/upload-artifact@v4
with:
name: testing
path: ./test-report.zip
# This workflow is used to perform static code analysis on a gradle build

name: "Sonar Scanner"

on:
workflow_call:
secrets:
NBS_ACCOUNTID:
description: "Secret named NBS_ACCOUNTID where ECR resides."
required: true
PASSED_GITHUB_TOKEN:
description: "Secret named GITHUB_TOKEN that references the github token for this repository."
required: true
SONAR_TOKEN:
description: "Secret named SONAR_TOKEN that references the sonar token secret corresponding to the project in sonarcloud."
required: true
DATABASE_USER:
description: "Secret named DATABASE_USER that references the test database container default username"
required: true
DATABASE_PASSWORD:
description: "Secret named DATABASE_PASSWORD that references the test database container default password"
required: true
TOKEN_SECRET:
description: "Secret named TOKEN_SECRET that references a default JWT token key"
required: true
PARAMETER_SECRET:
description: "Secret named PARAMETER_SECRET that references a default key for encrypting search parameters"
required: true
pull_request:
paths:
- "apps/**"
- "!apps/modernization-ui/**"
- "libs/**"
- "build.gradle"
- "settings.gradle"
- "gradle/**"
- ".github/workflows/sonar.yaml"
env:
deployment_env: dev
accountid: ${{secrets.NBS_ACCOUNTID}}
passed_github_token: ${{secrets.PASSED_GITHUB_TOKEN}}
sonar_token: ${{secrets.SONAR_TOKEN}}
test_database_user: ${{secrets.DATABASE_USER}}
test_database_password: ${{secrets.DATABASE_PASSWORD}}
token_secret: ${{secrets.TOKEN_SECRET}}
parameter_secret: ${{secrets.PARAMETER_SECRET}}

jobs:
pipeline:
name: Build and analyze
runs-on: ubuntu-latest

permissions:
id-token: write
contents: read

steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

- name: Set up JDK 21
uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: "21"

- name: Cache Gradle packages
uses: actions/cache@v4
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle

- name: Configure Environment Variables
run: |
github_repo_name="$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)"
echo "github_repo_name=$github_repo_name" >> $GITHUB_ENV

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: "arn:aws:iam::${{ env.accountid }}:role/github-actions-nbs-deployment-role"
aws-region: us-east-2

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1

- name: Login to ECR docker registry
uses: docker/login-action@v2
with:
registry: ${{ env.accountid }}.dkr.ecr.us-east-2.amazonaws.com

- name: Build Test Database Container
working-directory: ./cdc-sandbox/db
run: |
docker build -t modernization-test-db:local .
echo "Built test database container from cdc-sandbox/db"

- name: Build and analyze
working-directory: ./
env:
GITHUB_TOKEN: ${{ env.passed_github_token }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ env.sonar_token }}
DATABASE_USER: ${{env.test_database_user}}
DATABASE_PASSWORD: ${{ env.test_database_password }}
TOKEN_SECRET: ${{ env.token_secret }}
PARAMETER_SECRET: ${{ env.parameter_secret }}
run: ./gradlew clean build codeCoverageReport sonar -Dtesting.database.image=modernization-test-db:local

- name: Zip test report
run: zip -r test-report.zip ./build/reports/*

- name: Publish Testing Reports
uses: actions/upload-artifact@v4
with:
name: testing
path: ./test-report.zip
Loading