DRAFT [ci] chore: use nx to build sources before docker images #878
base: development
Conversation
9090fef to 9dd8d83
224ac6f to fb5579d
Codecov Report
✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

@@ Coverage Diff @@
##           development     #878       +/-   ##
===============================================
- Coverage        20.41%    2.30%   -18.11%
===============================================
  Files              487      315      -172
  Lines            27958    17321    -10637
  Branches          1026      348      -678
===============================================
- Hits              5708      400     -5308
+ Misses           22023    16707     -5316
+ Partials           227      214       -13

See 172 files with indirect coverage changes. Full report in Codecov by Sentry.
Test summary
Suites: 19 passed, 0 failed, and 0 other
🎉 No failed tests in this run. 🍂 No flaky tests in this run. (GitHub Test Reporter by CTRF)
.github/workflows/dockerbuild-ci.yml
Outdated
| runs-on: ubuntu-latest | ||
| outputs: | ||
| has-api-changes: ${{ steps.check-changes.outputs.api }} | ||
| has-front-changes: ${{ steps.check-changes.outputs.front }} | ||
| has-e2e-changes: ${{ steps.check-changes.outputs.e2e }} | ||
| base-sha: ${{ steps.setSHAs.outputs.base }} | ||
| head-sha: ${{ steps.setSHAs.outputs.head }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Derive appropriate SHAs for base and head | ||
| id: setSHAs | ||
| uses: nrwl/nx-set-shas@v4 | ||
| with: | ||
| main-branch-name: 'development' | ||
| - run: corepack enable && corepack prepare [email protected] | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 23 | ||
| cache: 'yarn' | ||
| - run: yarn install --immutable | ||
| - name: Check what changed | ||
| id: check-changes | ||
| run: | | ||
| AFFECTED=$(npx nx show projects --affected --base=${{ steps.setSHAs.outputs.base }} --head=${{ steps.setSHAs.outputs.head }}) | ||
| echo "Affected projects:" | ||
| echo "$AFFECTED" | ||
| if echo "$AFFECTED" | grep -q "portal-api"; then | ||
| echo "api=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "api=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| if echo "$AFFECTED" | grep -q "portal-front"; then | ||
| echo "front=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "front=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| if echo "$AFFECTED" | grep -q "portal-e2e-tests"; then | ||
| echo "e2e=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "e2e=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| build-source: |
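Review bot: the `grep -q "portal-api"` checks in the check-changes step are substring matches, so any affected project whose name merely contains `portal-api`, `portal-front` or `portal-e2e-tests` flips the corresponding output to true; match whole lines instead, e.g. `if echo "$AFFECTED" | grep -qx "portal-api"; then`. Also quote the redirection target as `>> "$GITHUB_OUTPUT"`, and note that this job, like the rest of the file, declares no `permissions:` block, which is what the CodeQL warning on this file refers to; `contents: read` is all it needs, since it only checks out the repository and runs nx.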
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
To fix the issue, explicitly declare a permissions block at the top/root of the workflow (i.e., right after the name: or on: block). If all jobs only need minimal access (most CI pipelines just need to read source files), set permissions to contents: read, which allows only read access to repository contents, following the principle of least privilege. If any jobs require additional permissions (for example, creating releases, updating pull requests, or opening issues), those job(s) should get appropriately scoped permissions, but only as required. For the code shown, there is no indication that any job needs write permissions, so we will add permissions: contents: read at the top, immediately after the name: Run XTM Hub CI/CD line.
No methods, definitions, or imports are necessary—all changes are confined to the workflow YAML.
| @@ -1,4 +1,6 @@ | ||
| name: Run XTM Hub CI/CD | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| push: |
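Review bot: a root-level `contents: read` is a sound default, but it becomes the ceiling for every job that does not override it, so any job in this workflow that pushes images to a registry with the GITHUB_TOKEN or writes back to the pull request will need its own job-level `permissions:` block (for example `packages: write` for GHCR). The suggestion text says as much, but the patch itself only adds the two lines R2-R3, so please check each job before applying it.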
18341f4 to 6f7d112
| runs-on: ubuntu-latest | ||
| outputs: | ||
| docker-tag: ${{ steps.generate-tag.outputs.tag }} | ||
| cache-tag: ${{ steps.generate-tag.outputs.cache-tag }} | ||
| steps: | ||
| - name: Generate unique tag for this run | ||
| id: generate-tag | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
| TAG="pr-${{ github.event.number }}" | ||
| elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then | ||
| TAG="main" | ||
| elif [[ "${{ github.ref }}" == "refs/heads/development" ]]; then | ||
| TAG="development" | ||
| else | ||
| TAG="test-${{ github.sha }}" | ||
| fi | ||
| echo "tag=$TAG" >> $GITHUB_OUTPUT | ||
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
| CACHE_TAG="pr-cache" | ||
| elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then | ||
| CACHE_TAG="main-cache" | ||
| elif [[ "${{ github.ref }}" == "refs/heads/development" ]]; then | ||
| CACHE_TAG="dev-cache" | ||
| else | ||
| CACHE_TAG="test-cache" | ||
| fi | ||
| echo "cache-tag=$CACHE_TAG" >> $GITHUB_OUTPUT | ||
| build-images-tests: | ||
| build-test-images: |
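Review bot: the generate-tag step interpolates `${{ github.ref }}` and `${{ github.event_name }}` straight into the bash script. For push events the ref is derived from a branch name, which may contain shell metacharacters, and the expression is expanded into the script text before bash parses it; read the values from the runner environment and compare variables instead: `if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then` and `elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then`. The two if/elif chains can also be merged into one so that TAG and CACHE_TAG cannot drift apart, and `>> "$GITHUB_OUTPUT"` should be quoted.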
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
ff084a2 to 26a28bd
This reverts commit 2573322.
2573322 to 38d223a
| needs: build-test-images | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| if: | | ||
| github.event_name == 'pull_request' && | ||
| contains(github.event.pull_request.labels.*.name, 'needs feature env') | ||
| steps: | ||
| - name: Install AWX cli | ||
| run: pip install awxkit | ||
|
|
||
| - name: Deploy | ||
| run: | | ||
| awx --conf.host https://awx.filigran.io \ | ||
| --conf.token ${{ secrets.AWX_TOKEN }} \ | ||
| -f human job_templates launch 'Deploy XTM Hub feature branch for testing' \ | ||
| --inventory eu-west-staging \ | ||
| --extra_vars "{\"env\":\"Development\",\"xtmhub_version\":\"pr-${{ github.event.number }}\",\"xtmhub_node_env\":\"development\"}" | ||
| delete-feature-branch: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| if: github.event_name == 'pull_request' && github.event.action == 'closed' | ||
| steps: | ||
| - name: Install AWX cli | ||
| run: pip install awxkit | ||
|
|
||
| - name: Delete | ||
| run: | |
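Review bot: in the Deploy step (and presumably the Delete step below it) `${{ secrets.AWX_TOKEN }}` is interpolated into the command line, so the token ends up in the process arguments on the runner and in the log if the shell ever runs with `set -x`; pass it through `env:` and reference a shell variable instead, e.g. `env:` / `AWX_TOKEN: ${{ secrets.AWX_TOKEN }}` and `--conf.token "$AWX_TOKEN"`. `pip install awxkit` is unpinned in both jobs, so pin the version for a step that holds a deployment credential. Finally, `delete-feature-branch` only runs when `github.event.action == 'closed'`, which requires `types: [closed]` on the `pull_request` trigger because the default types do not include it; please confirm the trigger was updated accordingly.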
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 2 months ago
To address this security warning, an explicit permissions key must be added to limit the permissions of the GITHUB_TOKEN that workflows and jobs run with. The most robust approach is to declare the most restrictive permissions possible at the root of the workflow (permissions: {}), defaulting all jobs to "no permissions" with the token. Individual jobs that require more access can explicitly set a more permissive permissions block in their own configuration as needed (e.g., as already done for run-front-unit-tests).
This means adding the following YAML to the workflow after the name: field but before on::

permissions: {}

This change ensures all jobs have no permissions by default unless overridden per-job—maximally limiting privilege and satisfying the CodeQL scanner.
| @@ -1,4 +1,5 @@ | ||
| name: Run XTM Hub CI/CD | ||
| permissions: {} | ||
| on: | ||
| workflow_dispatch: | ||
| push: |
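Review bot: `permissions: {}` at the root strips every scope from the GITHUB_TOKEN, including `contents: read`, so after this change each job that checks out a private repository with `actions/checkout` or pushes images needs its own job-level `permissions:` block. The comment says `run-front-unit-tests` already has one, but the jobs visible in this diff (the check-changes job, `build-test-images`, `delete-feature-branch`) do not, so land this together with those per-job blocks rather than on its own.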
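The least-privilege layout both autofix comments on this file describe, written out as an added example rather than code from this PR or the project's workflow: an empty root `permissions:` block with each job requesting only what it uses. Job names mirror the ones visible in the diff except `deploy-feature-branch`, which is a hypothetical name for the unnamed deploy job; the GHCR login and `packages: write` scope are assumptions about where the images are pushed.

```yaml
name: Run XTM Hub CI/CD

on:
  push:
    branches: [main, development]
  pull_request:
    types: [opened, synchronize, reopened, closed]  # closed: needed for the delete job

# Root default: GITHUB_TOKEN carries no scopes at all.
permissions: {}

jobs:
  check-changes:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # clone + `nx show projects --affected` only
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

  build-test-images:
    needs: check-changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # assumption: images go to GHCR using GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

  deploy-feature-branch:   # hypothetical name; the job is unnamed in the diff view
    needs: build-test-images
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'needs feature env')
    # No checkout and no GitHub API use: inherits the empty root block.
    env:
      AWX_TOKEN: ${{ secrets.AWX_TOKEN }}   # secret via env, not interpolated into argv
    steps:
      - run: pip install awxkit==<pinned-version>   # placeholder: pin the real version
      - run: |
          awx --conf.host https://awx.filigran.io --conf.token "$AWX_TOKEN" \
            -f human job_templates launch 'Deploy XTM Hub feature branch for testing' \
            --inventory eu-west-staging \
            --extra_vars '{"env":"Development","xtmhub_version":"pr-${{ github.event.number }}","xtmhub_node_env":"development"}'
```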
df8be28 to c3f064c
1abcd8f to c5ee434
Context:
How to test:
What tests have been made:
Additional information:
Related #885