Fix CodeQL Alerts #397
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| build: | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.21.x" | |
| cache: false | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Cache dependencies | |
| id: cache-dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| - name: Install dependencies | |
| if: steps.cache-dependencies.outputs.cache-hit != 'true' | |
| run: go get | |
| - name: Build | |
| run: CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo | |
| lint: | |
| permissions: | |
| contents: read | |
| actions: write | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.21' | |
| cache: false | |
| - name: Go linting | |
| uses: golangci/golangci-lint-action@v4 | |
| with: | |
| version: v1.57 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".nvmrc" | |
| cache: "npm" | |
| - name: Install npm deps | |
| run: npm install | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: 1.8.2 | |
| virtualenvs-create: true | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: 'poetry' | |
| - name: Install virtual environment | |
| run: | | |
| sudo apt-get install libsnappy-dev | |
| poetry install | |
| - name: Templates linting | |
| run: make lint-templates | |
| - name: Static linting | |
| run: make lint-static | |
| docker-push: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - id: auth | |
| name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| token_format: 'access_token' | |
| workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ secrets.SERVICE_ACCOUNT }} | |
| - name: Tag | |
| run: | | |
| CLEAN_TAG=$(echo "${{ github.event.pull_request.head.ref }}" | tr / -) | |
| echo "TAG=$CLEAN_TAG" >> $GITHUB_ENV | |
| - name: Build | |
| run: > | |
| docker build -t onsdigital/eq-questionnaire-launcher:$TAG | |
| -t ${{ secrets.GAR_LOCATION }}/${{ secrets.GAR_PROJECT_ID }}/docker-images/eq-questionnaire-launcher:$TAG . | |
| - name: Push to Docker Hub | |
| run: | | |
| echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin | |
| echo "Pushing with tag [$TAG]" | |
| docker push onsdigital/eq-questionnaire-launcher:$TAG | |
| - name: Push to GAR | |
| run: | | |
| gcloud auth configure-docker ${{ secrets.GAR_LOCATION }} | |
| echo "Pushing to GAR with tag $TAG" | |
| docker push ${{ secrets.GAR_LOCATION }}/${{ secrets.GAR_PROJECT_ID }}/docker-images/eq-questionnaire-launcher:$TAG |