initial commit

Author: moss2k13

.github/workflows/pr_opened.yml

@@ -0,0 +1,119 @@
+name: build test scan docker images
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+      - 'master'
+    paths:
+      - app/**
+
+env:
+  DOCKERFILE_PATH: app
+  DOCKERFILE_TAG: ${{ github.event.pull_request.head.sha }}
+  REGISTRY_PATH: gcr.io/getindata-images-public/app
+  REGISTRY_TYPE: "gcr.io" # If not set then will default to Docker Hub
+  REGISTRY_USERNAME: _json_key
+
+jobs:
+  buildtestscan:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 100
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2.2.1
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3.2.0
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ env.DOCKERFILE_TAG }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Login to registry "${{ env.REGISTRY_TYPE }}"
+        uses: docker/login-action@v2.1.0
+        with:
+          registry: ${{ env.REGISTRY_TYPE }}
+          username: ${{ env.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3.2.0
+        with:
+          context: "${{ env.DOCKERFILE_PATH }}"
+          push: true
+          tags: "${{ env.REGISTRY_PATH }}:${{ env.DOCKERFILE_TAG }}"
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12.1347.0
+        with:
+          quiet: true # optional: display only failed checks
+          soft_fail: true # optional: do not return an error code if there are failed checks
+          framework: dockerfile
+          output_format: github_failed_only
+          log_level: WARNING # optional: set log level. Default WARNING
+          dockerfile_path: "${{ env.DOCKERFILE_PATH }}/Dockerfile" # path to the Dockerfile
+
+      - name: Show Checkov results
+        uses: actions-ecosystem/action-create-comment@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          body: |
+            ## Checkov
+            ${{ env.CHECKOV_RESULTS }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.8.0
+        env:
+          TRIVY_USERNAME: ${{ env.REGISTRY_USERNAME }}
+          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        with:
+          image-ref: "${{ env.REGISTRY_PATH }}:${{ env.DOCKERFILE_TAG }}"
+          format: 'json'
+          exit-code: '0'
+          output: results_trivy.json
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+
+      - name: Parse Trivy results
+        run: |
+            echo "| PkgName | InstalledVersion | Severity | Title | CVE URL |
+            | ------ | ------ | ------ | ------ | ------ |" > results_trivy.md
+            cat results_trivy.json | jq -r '.Results[].Vulnerabilities[] | [.PkgName, .InstalledVersion, .Severity, .Title, .PrimaryURL]| @tsv' |
+                      awk '
+                      BEGIN{ FS = "\t" }  # Set field separator to tab
+                      {
+                        # Step 2: Replace all tab characters with pipe characters
+                        gsub("\t", " | ", $0)
+
+                        # Step 3: Print fields with Markdown table formatting
+                        printf "| %s |\n", $0
+                      }' >> results_trivy.md
+
+      - name: Export Trivy results
+        run: |
+          echo 'TRIVY_RESULTS<<EOF' >> $GITHUB_ENV
+          cat results_trivy.md >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
+
+      - name: Show Trivy results
+        uses: actions-ecosystem/action-create-comment@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          body: |
+            ## Trivy
+            ${{ env.TRIVY_RESULTS }}
+
+      - name: Move cache
+        if: always() # always run even if the previous step fails
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/pr_title.yml

@@ -0,0 +1,56 @@
+name: validate PR title
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  lint_pr:
+    name: Validate PR title
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        id: lint_pr_title
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            perf
+            docs
+            style
+            refactor
+            test
+            ci
+            chore
+            build
+          requireScope: false
+          subjectPattern: ^(?![A-Z]).+$
+          subjectPatternError: |
+            The description "{subject}" found in the pull request title "{title}"
+            didn't match the configured pattern. Please ensure that the description
+            doesn't start with an uppercase character.
+          wip: true
+
+      - uses: marocchino/sticky-pull-request-comment@v2.3.1
+        if: always() && (steps.lint_pr_title.outputs.error_message != null)
+        with:
+          header: pr-title-lint-error
+          message: |
+            Our pull requests titles follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/#summary)
+
+            Details:
+            
+            ```
+            ${{ steps.lint_pr_title.outputs.error_message }}
+            ```
+
+      - uses: marocchino/sticky-pull-request-comment@v2.3.1
+        if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+        with:   
+          header: pr-title-lint-error
+          delete: true

.github/workflows/release.yml

@@ -0,0 +1,95 @@
+name: create new release with changelog
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+      - 'master'
+    types: [closed]
+    paths:
+      - app/**
+
+env:
+  DOCKERFILE_PATH: app
+  DOCKERFILE_TAG: ${{ github.event.pull_request.head.sha }}
+  REGISTRY_PATH: gcr.io/getindata-images-public/app
+  REGISTRY_TYPE: "gcr.io" # If not set then will default to Docker Hub
+  REGISTRY_USERNAME: _json_key
+
+jobs:
+  release:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 100
+
+      - name: Check release label
+        id: release-label
+        uses: actions-ecosystem/action-release-label@v1.2.0
+        if: ${{ github.event.pull_request.merged == true }}
+
+      - name: Get latest tag
+        id: get-latest-tag
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
+        if: ${{ steps.release-label.outputs.level != null }}
+
+      - name: Bump semantic version
+        id: bump-semver
+        uses: actions-ecosystem/action-bump-semver@v1
+        if: ${{ steps.release-label.outputs.level != null }}
+        with:
+          current_version: ${{ steps.get-latest-tag.outputs.tag }}
+          level: ${{ steps.release-label.outputs.level }}
+
+      - name: Tag release
+        id: tag-relese
+        uses: actions-ecosystem/action-push-tag@v1
+        if: ${{ steps.release-label.outputs.level != null }}
+        with:
+          tag: ${{ steps.bump-semver.outputs.new_version }}
+          message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}"
+
+      - name: Login to registry ${{ env.REGISTRY_TYPE }}
+        uses: docker/login-action@v2.1.0
+        if: ${{ steps.release-label.outputs.level != null }}
+        with:
+          registry: ${{ env.REGISTRY_TYPE }}
+          username: ${{ env.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Tag final docker image
+        if: ${{ steps.release-label.outputs.level != null }}
+        run: |
+          docker pull ${{ env.REGISTRY_PATH }}:${{ github.event.pull_request.head.sha }}
+          docker tag ${{ env.REGISTRY_PATH }}:${{ github.event.pull_request.head.sha }} ${{ env.REGISTRY_PATH }}:${{ steps.bump-semver.outputs.new_version }}
+          docker push ${{ env.REGISTRY_PATH }}:${{ steps.bump-semver.outputs.new_version }}
+
+      - name: Generate new release with changelog
+        id: release-with-changelog
+        uses: fregante/release-with-changelog@v3.6.0
+        if: ${{ steps.bump-semver.outputs.new_version != null }}
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          exclude: '^chore|^docs|^ci|^build|^refactor|^style|^v?\d+\.\d+\.\d+'
+          tag: "${{ steps.bump-semver.outputs.new_version }}"
+          title: "Version ${{ steps.bump-semver.outputs.new_version }}"
+          commit-template: "- {title} ← {hash}"
+          skip-on-empty: true
+          template: |
+            ### Changelog
+
+            {commits}
+
+            {range}
+
+            The new image is available at ${{ env.REGISTRY_PATH }}:${{ steps.bump-semver.outputs.new_version }} :tada:
+
+      - name: Comment PR
+        id: add-comment
+        uses: actions-ecosystem/action-create-comment@v1
+        if: ${{ steps.bump-semver.outputs.new_version != null }}
+        with:
+          github_token: "${{ secrets.GITHUB_TOKEN }}"
+          body: |
+            The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada:

.gitignore

@@ -0,0 +1 @@
+### Examples: https://github.com/github/gitignore