From ff90a45360aebea1ca76c21f236413105a830a85 Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 14:02:10 +0200
Subject: [PATCH 1/4] ci: migrate to GitHub actions workflows
---
 .github/workflows/conventional-commits.yaml | 16 +++++
 .github/workflows/docker-build.yaml | 78 +++++++++++++++++++++
 .github/workflows/release-please.yaml | 18 +++++
 .release-please-manifest.json | 1 +
 Jenkinsfile | 13 ----
 release-please-config.json | 10 +++
 6 files changed, 123 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/conventional-commits.yaml
 create mode 100644 .github/workflows/docker-build.yaml
 create mode 100644 .github/workflows/release-please.yaml
 create mode 100644 .release-please-manifest.json
 delete mode 100644 Jenkinsfile
 create mode 100644 release-please-config.json
diff --git a/.github/workflows/conventional-commits.yaml b/.github/workflows/conventional-commits.yaml
new file mode 100644
index 0000000..cb75bfd
--- /dev/null
+++ b/.github/workflows/conventional-commits.yaml
@@ -0,0 +1,16 @@
+name: Conventional Commit as PR title
+
+on:
+ pull_request_target:
+ types:
+ - opened
+ - edited
+ - reopened
+
+jobs:
+ lint-pr-title:
+ # Prevent execution on forks
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ permissions:
+ pull-requests: read
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/conventional-commits.yml@conventional-commits-v1.1.0
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
new file mode 100644
index 0000000..93d34ab
--- /dev/null
+++ b/.github/workflows/docker-build.yaml
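Review bot: The `if: github.repository_owner == 'iExecBlockchainComputing'` guard does not stop this `pull_request_target` job from running for pull requests opened from forks — on that event `github.repository_owner` is the base repository's owner, so the condition holds for fork PRs as well; it only disables the workflow in forked copies of the repository. That is tolerable here because the job grants just `pull-requests: read` and forwards no secrets, but the comment should say what the guard actually does: `# Skip in forked copies of this repo (PRs from forks against this repo still run)`. The reusable workflow is referenced by the mutable tag `conventional-commits-v1.1.0`; in a `pull_request_target` context, which runs with base-repository privileges, pinning to a full commit SHA (tag kept in a trailing comment) is the safer convention, and it is worth confirming the called workflow never checks out the PR head.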
@@ -0,0 +1,78 @@
+name: Build and Push OCI Image
+
+on:
+ pull_request:
+ push:
+ branches: [main]
+ tags:
+ - 'v*.*.*'
+ # can only be executed by people with write access on repository
+ workflow_dispatch:
+
+jobs:
+ prepare:
+ name: Determine image tag
+ runs-on: ubuntu-latest
+ # Prevent execution on forks
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ outputs:
+ image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Determine Docker tag based on Git ref
+ id: determine-tag
+ run: |
+ if [ "${{ github.ref_type }}" = "tag" ] ; then
+ # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag
+ TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+ if [ -z "$TAG_ON_MAIN" ] ; then
+ echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+ echo "Tags must be created on main branch to generate X.Y.Z image tags"
+ exit 1
+ fi
+
+ GITHUB_REF_NAME="${{ github.ref_name }}"
+ echo "Processing tag on main branch: ${{ github.ref_name }}"
+ echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT
+ else
+ if [ "${{ github.event_name }}" = "pull_request" ] ; then
+ SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
+ else
+ SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+ fi
+
+ if [ "${{ github.ref_name }}" = "main" ] ; then
+ echo "Processing main branch"
+ echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+ else
+ # This covers other branches
+ echo "Processing feat/fix branch ${{ github.head_ref }}"
+ echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+ fi
+ fi
+
+ build-oci-image:
+ name: Build OCI image
+ needs: prepare
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v3.3.0
+ with:
+ image-name: docker-regis.iex.ec/nodesj-hello-world
+ image-tag: ${{ needs.prepare.outputs.image_tag }}
+ dockerfile: cloud-computing/Dockerfile
+ context: cloud-computing
+ registry: docker-regis.iex.ec
+ push: true
+ security-scan: true
+ security-report: "sarif"
+ hadolint: true
+ platform: linux/amd64
+ secrets:
+ dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+ dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN_PULL_ONLY }}
+ username: ${{ secrets.NEXUS_USERNAME }}
+ password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
new file mode 100644
index 0000000..7a5fb14
--- /dev/null
+++ b/.github/workflows/release-please.yaml
@@ -0,0 +1,18 @@
+name: Release Please
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ release-please:
+ # Prevent execution on forks
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/release-please.yml@release-please-v2.0.0
+ secrets: inherit
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..0622f4a
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1 @@
+{".":"8.0.4"}
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 9484abe..0000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,13 +0,0 @@
-@Library('global-jenkins-library@2.3.1') _
-
-buildInfo = getBuildInfo()
-
-baseDir = 'cloud-computing'
-
-buildSimpleDocker_v3(
- buildInfo: buildInfo,
- dockerfileDir: baseDir,
- buildContext: baseDir,
- dockerImageRepositoryName: 'nodejs-hello-world',
- visibility: 'iex.ec'
-)
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..0950af1
--- /dev/null
+++ b/release-please-config.json
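Review bot: `${{ github.head_ref }}` is expanded directly inside the `run:` script (`echo "Processing feat/fix branch ${{ github.head_ref }}"`); on the `pull_request` trigger that is the PR author's branch name, which may contain shell metacharacters, so the step is open to expression injection — the `repository_owner` guard only disables forked copies of the repository, not PRs opened against it. Route the value through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref }}` on the step and use `echo "Processing feat/fix branch $HEAD_REF"` (the other expansions — `github.sha`, `head.sha`, `ref_type`, `event_name`, and `ref_name`, which is `main` or a `v*.*.*` tag here — are low-risk, but moving them to `env:` too keeps the script uniform). Separately, `image-name: docker-regis.iex.ec/nodesj-hello-world` does not match the `nodejs-hello-world` repository name the deleted Jenkinsfile used, which looks like a typo that would publish under a new path. Both `actions/checkout@v6` and the `docker-build-v3.3.0` reusable workflow are pinned by mutable tag; since this job pushes to the registry with the Nexus credentials, pinning by commit SHA is the safer convention.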
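Review bot: `secrets: inherit` forwards every secret this repository can see — including the Nexus and DockerHub credentials the sibling docker-build workflow references — to the `release-please` reusable workflow, which together with the top-level `contents: write` / `issues: write` / `pull-requests: write` grant is more than a release-PR bot needs. Replace it with an explicit `secrets:` mapping naming only what the called workflow declares in its `workflow_call` block (not visible here; if it relies on the default `GITHUB_TOKEN`, no `secrets:` block is needed at all). `release-please-v2.0.0` is a mutable tag; for a workflow allowed to push to `main` and create releases, a commit-SHA pin is preferable.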
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "draft-pull-request": true,
+ "include-component-in-tag": false,
+ "include-v-in-tag": true,
+ "release-type": "simple",
+ "packages": {
+ ".": {}
+ }
+}
From 9cc6c7b77cead9bcf38afe50e97053de1745e378 Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 14:45:11 +0200
Subject: [PATCH 2/4] ci: publish Trivy security report in comment
---
 .github/workflows/docker-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 93d34ab..a64f589 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -68,7 +68,7 @@ jobs:
 registry: docker-regis.iex.ec
 push: true
 security-scan: true
- security-report: "sarif"
+ security-report: "comment"
 hadolint: true
 platform: linux/amd64
 secrets:
From 43ba4ad9f1fb560e15ef20dc2f51fee72bcbf0ed Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 15:07:20 +0200
Subject: [PATCH 3/4] chore: upgrade node and alpine versions
---
 cloud-computing/Dockerfile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/cloud-computing/Dockerfile b/cloud-computing/Dockerfile
index dc2fd2a..df7d188 100644
--- a/cloud-computing/Dockerfile
+++ b/cloud-computing/Dockerfile
@@ -1,8 +1,9 @@
-FROM node:14-alpine3.10
+FROM node:24-alpine3.23
-### install your dependencies
+WORKDIR /app
-RUN mkdir /app && cd /app && npm install figlet@1.x
+RUN npm install figlet@1.x
-COPY ./src /app
+
+COPY ./src .
 ENTRYPOINT [ "node", "/app/app.js"]
From 09dff3e83cb692a317a497e6eaeb11e2f458aa69 Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 15:49:41 +0200
Subject: [PATCH 4/4] fix: disable security scan temporarily
---
 .github/workflows/docker-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
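Review bot: Changing `security-report` from `"sarif"` to `"comment"` presumably moves the Trivy findings from the repository's code-scanning view into a pull-request comment; if so, the `push` (main) and tag runs of this same workflow — the ones that actually produce the `dev-*` and `X.Y.Z` images — have no PR to comment on, so their results may end up only in the job log with no persistent record. The reusable workflow's handling of this input is not visible here; confirm that `"comment"` still surfaces findings on non-PR runs, or keep SARIF for those events, e.g. `security-report: ${{ github.event_name == 'pull_request' && 'comment' || 'sarif' }}`. A one-line comment above the key stating where findings land per trigger would spare the next reader the same question.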
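Review bot: `RUN npm install figlet@1.x` installs an unpinned version range with no lockfile in the build context, so each build may resolve a different `figlet` release and there is no way to reproduce or audit what shipped in a given `X.Y.Z` image; hadolint, which the docker-build workflow enables, flags exactly this (DL3016). Pin an exact version, or better commit a `package.json` + `package-lock.json` under `cloud-computing/` and replace the line with `COPY package*.json ./` followed by `RUN npm ci --omit=dev` (whether `src/` already carries a manifest is not visible here). The container also still runs as root; the official `node` images provide an unprivileged `node` user, so add `USER node` before the `ENTRYPOINT`.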
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index a64f589..b6714d9 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -67,7 +67,7 @@ jobs:
 context: cloud-computing
 registry: docker-regis.iex.ec
 push: true
- security-scan: true
+ security-scan: false
 security-report: "comment"
 hadolint: true
 platform: linux/amd64
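Review bot: Setting `security-scan: false` while `push: true` stays on means every image built from this point — including tagged `X.Y.Z` releases — is pushed to `docker-regis.iex.ec` without the Trivy scan, and nothing in the change records why or when it comes back; "temporarily" in the commit title is the only trace. If the scan was switched off because the new `node:24-alpine3.23` base or the unpinned `figlet` dependency fails it, that result is precisely the information worth keeping. Prefer leaving `security-scan: true` and making the result non-blocking if the reusable workflow offers such an option; failing that, put a dated note with a tracking reference next to the line, `# TODO(<issue>): re-enable; disabled <date> because <reason>`, so the exception cannot silently become permanent.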