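# PR gate: build/test through the shared BitGo workflow, run a Trivy
# vulnerability scan when dependency manifests changed, and verify that the
# Docker image still builds (no push).
name: on_pr
run-name: "on_pr: ${{ github.event.pull_request.number }}"

on:
  pull_request:

# Token permissions are declared per job (least privilege) instead of at the
# workflow level, so the jobs that execute PR-controlled code (npm lifecycle
# scripts, the Dockerfile) never hold `id-token: write` or
# `pull-requests: write`. A job without a `permissions` key would fall back
# to the repository default, so every job below sets its own.
#
# NOTE(review): only the Trivy step is pinned to a commit SHA; the other
# actions are pinned to mutable major tags (`@v3`, `@v4`, `@v6`). Pinning
# them to a full commit SHA with a `# vX.Y.Z` comment, as done for
# trivy-action, closes the tag-retargeting gap.

jobs:
  build-and-test:
    name: Build & Test (CI)
    permissions:
      actions: read # required by BitGo/build-system
      contents: read # required by BitGo/build-system
      id-token: write # required by BitGo/build-system
      pull-requests: write # required by Grype PR commenter
      packages: read # required for ArgoCD deploy
    uses: ./.github/workflows/build-and-test.yaml
    secrets:
      fossa-api-key: ${{ secrets.FOSSA_API_KEY }}

  check-dependency-changes:
    name: Check for dependency changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read # paths-filter lists the PR's changed files via the API
    outputs:
      deps-changed: ${{ steps.filter.outputs.deps }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes; keep the token out of .git/config.
          persist-credentials: false
      - name: Check for dependency file changes
        id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            deps:
              - 'package.json'
              - 'package-lock.json'
              - 'Dockerfile'

  trivy-scan:
    name: Security - Trivy Scan
    needs: check-dependency-changes
    # Only scan when a dependency manifest or the Dockerfile changed.
    if: needs.check-dependency-changes.outputs.deps-changed == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The PR's package.json files are untrusted; do not leave the
          # token where `npm ci` could read it.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22.1.0'
          cache: 'npm'
      - name: Install dependencies
        # Trivy only needs the resolved dependency tree on disk; lifecycle
        # scripts declared by PR-controlled package.json files are not run.
        run: npm ci --ignore-scripts
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'CRITICAL,HIGH'
          # Fail the job on any CRITICAL/HIGH finding that has a fix available.
          exit-code: '1'
          ignore-unfixed: true
          scanners: 'vuln'

  build-docker-image:
    name: Build the Docker Image
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The Dockerfile is PR-controlled; the build never pushes.
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          # Build-only on PRs; the image is tagged but never pushed.
          push: false
          tags: |
            ghcr.io/bitgo/advanced-wallets:${{ github.sha }}
          build-args: |
            BUILD_VERSION=${{ github.sha }}
            BUILD_DATE=${{ github.event.repository.updated_at }}
            VCS_REF=${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max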