.github/workflows/super-devsecops.yml

name: Super DevSecOps Pipeline

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

permissions:
  contents: read

jobs:
  code_quality:
    name: Eslint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Run ESLint
        run: |
          yarn install
          npx eslint .
        continue-on-error: true
  build:
    name: Build
    runs-on: ubuntu-latest
    needs: code_quality
    strategy:
      matrix:
        node-version: [16.x, 18.x, 20.x]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Checkout Repository to Runner Context
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Use Node version ${{ matrix.node-version }}
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version: ${{ matrix.node-version }}
          cache: "yarn"
      - name: Install Dependencies
        run: |
          yarn install
  test:
    name: Unit Tests
    runs-on: ubuntu-latest
    needs: build
    strategy:
      matrix:
        node-version: [16.x, 18.x, 20.x]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Checkout Repository to Runner Context
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Use Node version ${{ matrix.node-version }}
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version: ${{ matrix.node-version }}
          cache: "yarn"
      - name: Test with Jest
        run: |
          yarn install
          yarn test
  sast_codeql:
    name: SAST with CodeQL
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    needs: test
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ["javascript-typescript"]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Initialize CodeQL
        uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
        with:
          category: "/language:${{matrix.language}}"
  sast_sonar:
    name: SAST with SonarCloud
    permissions:
      pull-requests: read # allows SonarCloud to decorate PRs with analysis results
    runs-on: ubuntu-latest
    needs: test
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Analyze with SonarCloud
        uses: SonarSource/sonarcloud-github-action@44eed6088a971ec48af9300c3701483b8815f622
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: -Dsonar.projectKey=stormsinbrewing_savvy-devsecops
            -Dsonar.organization=stormsinbrewing
  security_scorecard:
    name: OpenSSF Security Scorecards
    runs-on: ubuntu-latest
    permissions:
      # Don't make global permission: https://github.com/ossf/scorecard-action#workflow-restrictions
      security-events: write # Needed to upload the results to code-scanning dashboard.
      id-token: write # Needed to publish results and get a badge (see publish_results below).
    needs: test
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: "Checkout code"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: "Upload artifact"
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
        with:
          sarif_file: results.sarif
  build-and-push-image:
    name: BnP GHCR
    permissions:
      contents: write
      packages: write
    runs-on: ubuntu-latest
    needs: sast_codeql
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Log in to the Container registry
        uses: docker/login-action@83a00bc1ab5ded6580f31df1c49e6aaa932d840d
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: BnP Docker Image
        run: |
          docker build -t ghcr.io/stormsinbrewing/savvy-devsecops .
          docker push ghcr.io/stormsinbrewing/savvy-devsecops