mojaloop/build is a CircleCI orb for node.js build jobs in Mojaloop CI/CD pipelines
To use the mojaloop/build orb in your CircleCI configuration, turn on
Enable dynamic config using setup workflows in the Advanced Settings of your
project settings CircleCI. Then include the following in your .circleci/config.yml:
version: 2.1
setup: true
orbs:
build: mojaloop/build@1.1.10
workflows:
setup:
jobs:
- build/workflow:
context: org-global
filters:
tags:
only: /v\d+(\.\d+){2}(-[a-zA-Z-][0-9a-zA-Z-]*\.\d+)?/
# optionally supply the resource_class for the jobs
# pr_title_check_resource_class: medium
# setup_resource_class: medium
# test_dependencies_resource_class: medium
# test_deprecations_resource_class: medium
# test_lint_resource_class: medium
# test_unit_resource_class: medium
# test_coverage_resource_class: medium
# vulnerability_check_resource_class: medium
# license_audit_resource_class: medium
# build_local_resource_class: medium
# test_integration_resource_class: medium
# test_functional_resource_class: medium
# license_scan_resource_class: medium
# grype_scan_resource_class: medium
# release_resource_class: medium
# github_release_resource_class: medium
# publish_docker_resource_class: medium
# publish_npm_resource_class: medium
# publish_docker_snapshot_resource_class: medium
# publish_npm_snapshot_resource_class: medium
# publish_npm_prerelease_resource_class: medium
# publish_docker_prerelease_resource_class: mediumThe repo using the orb must declare a .grype.yaml file in the root of the repo.
Source code scan is the default for all repos. No scan-type field is needed — just omit it.
To opt into Docker image scanning instead, set scan-type: image in .grype.yaml. Image scanning requires a custom workflow override to ensure the Build job completes before Grype scan (since Grype runs in parallel with Build by default).
To disable scanning entirely, set disabled: true.
# No scan-type needed — source scan is the default for all repos
# Set to true to disable Grype scanning completely
disabled: false
ignore:
# Ignore cross-spawn vulnerabilities by CVE ID due to false positive
- vulnerability: "GHSA-3xgq-45jj-v275"
package:
name: "cross-spawn"
quiet: false
check-for-app-update: falseThe orb supports merging additional workflows and jobs into the standard build pipeline. This feature allows you to extend the CI/CD pipeline with custom jobs while maintaining the benefits of the standard workflow.
To use this feature, create a .circleci/additional-workflows.yaml file in your repository root. The orb will automatically detect this file and merge it with the standard workflow configuration.
Create .circleci/additional-workflows.yaml:
jobs:
custom-build:
docker:
- image: cimg/base:stable
steps:
- checkout
- run:
name: Custom build step
command: |
echo "Running custom build logic"
# Add your custom commands here
workflows:
build_and_test:
jobs:
- custom-build:
name: Custom Build Job
context: org-global
filters:
tags:
only: /v\d+(\.\d+){2}/
requires:
- Lint
- Unit tests- The orb first generates the standard
build_and_testworkflow - If
.circleci/additional-workflows.yamlexists, it merges the additional configuration - Jobs from the additional file are added to the existing workflow
- Workflow definitions are merged, allowing you to extend the standard pipeline
This feature is particularly useful for:
- Building additional Docker images
- Adding custom deployment steps
- Running specialized tests or scans
- Integrating with external services
- The additional workflows file must be valid YAML
- Job names should be unique to avoid conflicts
- You can reference standard jobs in
requiressections (e.g.,Lint,Unit tests,Integration tests, etc.) - The merge process uses deep merge, so nested configurations are properly combined
- If a
Dockerfileis present in the root of the repository, it will be used to build and publish an image. - If a
package.jsonis present in the root of the repository and it does not have private=true, the package will be published to npm for the applicable branches and tags. - The following scripts are expected in the
package.jsonfile:lintdep:checkaudit:checktest:xunittest:integrationtest:functionaltest:coverage-check
The orb will trigger a publish when one of the following conditions is met:
- A release tag (e.g.
v#.#.#) is pushed to the repository. - A snapshot tag (e.g.
v#.#.#-snapshot.#,v#.#.#-hotfix.#, ,v#.#.#-perf.#) is pushed to the repository. - A commit to a pre-release branch (e.g.
major/*,minor/*,patch/*) passed the tests.
CircleCI Orb Registry Page - The official registry page of this orb for all versions, executors, commands, and jobs described.
CircleCI Orb Docs - Docs for using, creating, and publishing CircleCI Orbs.
We welcome issues to and pull requests against this repository!
- Merge pull requests with desired changes to the main branch.
- For the best experience, squash-and-merge and use Conventional Commit Messages.
- Find the current version of the orb.
- You can run
circleci orb info mojaloop/build | grep "Latest"to see the current version.
- You can run
- Create a new Release
on GitHub.
- Click "Choose a tag" and create a new semantically versioned tag. (ex: v1.0.0)
- We will have an opportunity to change this before we publish if needed after the next step.
- Click "+ Auto-generate release notes".
- This will create a summary of all of the merged pull requests since the previous release.
- If you have used Conventional Commit Messages it will be easy to determine what types of changes were made, allowing you to ensure the correct version tag is being published.
- Now ensure the version tag selected is semantically accurate based on the changes included.
- Click "Publish Release".
- This will push a new tag and trigger your publishing pipeline on CircleCI.