diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..2712b06
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,104 @@
+name: CI
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+
+concurrency:
+ group: ${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ lint_typescript:
+ name: Lint and Typescript checks
+ uses: ./.github/workflows/lint-typescript.yml
+ secrets: inherit
+
+ unit_tests:
+ name: Unit tests
+ uses: ./.github/workflows/unit.yml
+ secrets: inherit
+
+ e2e_tests:
+ name: End-to-end tests
+ uses: ./.github/workflows/e2e.yml
+ secrets: inherit
+
+ secrets_scan:
+ name: Secrets scan
+ uses: ./.github/workflows/secrets-scan.yml
+ secrets: inherit
+
+ notify_slack_success:
+ name: Notify success status to Slack
+ runs-on: ubuntu-latest
+ if: success() && github.ref == 'refs/heads/master' && github.event_name == 'push'
+ needs: [lint_typescript, unit_tests, e2e_tests, secrets_scan]
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ steps:
+ - name: GSM Secrets
+ id: secrets_manager
+ uses: toptal/actions/gsm-secrets@main
+ with:
+ workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+ service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+ secrets_name: |-
+ SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK:toptal-ci/SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK
+ SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK
+
+ - name: Parse secrets
+ id: parse_secrets
+ uses: toptal/actions/expose-json-outputs@main
+ with:
+ json: ${{ steps.secrets_manager.outputs.secrets }}
+
+ - uses: toptal/slack-workflow-status@master
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ slack_webhook_url: ${{ steps.parse_secrets.outputs.SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK }}
+ name: gha-bot
+ icon_url: https://avatars.slack-edge.com/2021-05-17/2068859221653_526c61e414df90dd67f7_192.png
+ include_jobs: on-failure
+ display_only_failed: true
+ include_commit_message: true
+
+ notify_slack_failure:
+ name: Notify failure status to Slack
+ runs-on: ubuntu-latest
+ if: (failure() || cancelled()) && github.ref == 'refs/heads/master' && github.event_name == 'push'
+ needs: [lint_typescript, unit_tests, e2e_tests, secrets_scan]
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ steps:
+ - name: GSM Secrets
+ id: secrets_manager
+ uses: toptal/actions/gsm-secrets@main
+ with:
+ workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+ service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+ secrets_name: |-
+ SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK:toptal-ci/SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK
+ SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK
+
+ - name: Parse secrets
+ id: parse_secrets
+ uses: toptal/actions/expose-json-outputs@main
+ with:
+ json: ${{ steps.secrets_manager.outputs.secrets }}
+
+ - uses: toptal/slack-workflow-status@master
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ slack_webhook_url: ${{ steps.parse_secrets.outputs.SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK }}
+ name: gha-bot
+ icon_url: https://avatars.slack-edge.com/2021-05-17/2068859221653_526c61e414df90dd67f7_192.png
+ include_jobs: on-failure
+ display_only_failed: true
+ include_commit_message: true
+
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 47acbc5..eedeb58 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up steps uses: ./.github/actions/setup-steps
@@ -46,7 +46,7 @@ jobs: yarn nyc report --temp-dir test-coverage/temp --reporter html --report-dir test-coverage/coverage-report-all - name: Save combined coverage report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: coverage-report-all path: test-coverage/coverage-report-all
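Review bot: The three external actions in both notify jobs are pinned to mutable branch refs (`toptal/actions/gsm-secrets@main`, `toptal/actions/expose-json-outputs@main`, `toptal/slack-workflow-status@master`); the first two handle the OIDC-fetched webhook secrets and the third receives `secrets.GITHUB_TOKEN`, so whatever lands on those branches runs with those credentials. Pin them to a full commit SHA, or at minimum to the tagged release the new secrets-scan.yml already uses for the two toptal/actions steps (`@v1.0.2`), so the same pin is applied across workflows. Both jobs also request `SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK` from GSM but never reference that output, so the line can be dropped from both `secrets_name` blocks to keep the exposed secret set minimal. The four reusable-workflow calls use `secrets: inherit`, which forwards every repository secret; if the called workflows only need specific secrets, passing those explicitly would be tighter, though their `secrets:` inputs are not visible here.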
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 4f47922..0c2be08 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -3,7 +3,7 @@ name: End-to-end tests on: push: branches: [main] - pull_request: + workflow_call: jobs: e2e_tests:
@@ -19,7 +19,7 @@ jobs: with: access_token: ${{ github.token }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up steps uses: ./.github/actions/setup-steps
@@ -37,7 +37,7 @@ jobs: - name: Upload Playwright HTML report if: failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: playwright-e2e-tests-report path: reports/index.html
@@ -45,14 +45,14 @@ jobs: - name: Upload Playwright failure screenshots if: failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: e2e-tests-failure-screenshots path: screenshots retention-days: 1 - name: Upload test coverage HTML report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: e2e-coverage-report path: test-coverage/e2e
diff --git a/.github/workflows/lint-typescript.yml b/.github/workflows/lint-typescript.yml
index f7cfdf4..d44dde4 100644
--- a/.github/workflows/lint-typescript.yml
+++ b/.github/workflows/lint-typescript.yml
@@ -3,7 +3,7 @@ name: Lint and Typescript on: push: branches: [main] - pull_request: + workflow_call: jobs: lint_typescript:
@@ -16,7 +16,7 @@ jobs: with: access_token: ${{ github.token }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up steps uses: ./.github/actions/setup-steps
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 0000000..b42f5b0
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
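Review bot: The first hunk replaces `pull_request:` with `workflow_call:` but keeps `push: branches: [main]`, while the new ci.yml that now calls this workflow triggers on `branches: [master]` and gates both Slack jobs on `github.ref == 'refs/heads/master'`. If the default branch is master, the retained push trigger never fires and is dead configuration; if it is main, ci.yml's push filter and Slack conditions never match, so one of the two branch names is wrong. Either remove the `push:` block here so the workflow runs only through `workflow_call:`, or align the branch name with ci.yml. The same `[main]` trigger survives in the corresponding `@@ -3,7 +3,7 @@` hunks of lint-typescript.yml and unit.yml.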
@@ -0,0 +1,39 @@
+name: Secrets Scan
+
+on:
+ workflow_call:
+
+jobs:
+ specs:
+ name: Secrets scan
+ runs-on: squad-growth-ubuntu2204-x64-standard
+ permissions: write-all
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get the secrets from GSM
+ id: secrets_manager
+ uses: toptal/actions/gsm-secrets@v1.0.2
+ with:
+ workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+ service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+ secrets_name: |-
+ SLACK_BOT_TOKEN:toptal-ci/SLACK_BOT_TOKEN
+
+ - name: Parse secrets
+ id: parse_secrets
+ uses: toptal/actions/expose-json-outputs@v1.0.2
+ with:
+ json: ${{ steps.secrets_manager.outputs.secrets }}
+
+ - name: Secrets Scan
+ uses: toptal/actions/secret-scanning-action@main
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ full-scan: true
+ slack-channel: -marketing-tools-2-releases
+ slack-token: ${{ steps.parse_secrets.outputs.SLACK_BOT_TOKEN }}
+
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index 8409b80..f02b9b7 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -3,7 +3,7 @@ name: Unit tests on: push: branches: [main] - pull_request: + workflow_call: jobs: unit_tests:
@@ -26,14 +26,14 @@ jobs: - name: Upload Jest HTML report if: failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: jest-unit-tests-report path: reports/jest-report-unit.html retention-days: 1 - name: Upload unit tests coverage report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: jest-unit-coverage-report path: test-coverage/unit
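Review bot: `permissions: write-all` on the `specs` job grants the GITHUB_TOKEN every write scope, far more than a scanning job needs and inconsistent with ci.yml, where the jobs using the same gsm-secrets action declare only `actions: read`, `contents: read` and `id-token: write`. Replace it with an explicit block — `permissions:` / `contents: read` / `id-token: write` — since `id-token: write` is what the workload-identity exchange needs and `contents: read` covers the checkout, then add only the scope the `secret-scanning-action` actually requires for its `github-token` input (not visible here; check that action's documentation). `toptal/actions/secret-scanning-action@main` is also the one step in this file left on a mutable branch ref while the other two toptal/actions steps are pinned to `@v1.0.2`; pin it the same way or to a commit SHA, as it receives both the GitHub token and the Slack bot token. Minor: `slack-channel: -marketing-tools-2-releases` parses as a plain string today, but a value that starts with `-` is safer quoted, `slack-channel: '-marketing-tools-2-releases'`.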