feat: story/GD-40 template fill lambda ci

.eslintrc.yml

@@ -0,0 +1,14 @@
+env:
+  browser: true
+  es2021: true
+extends:
+  - eslint:recommended
+  - plugin:@typescript-eslint/recommended
+overrides: []
+parser: '@typescript-eslint/parser'
+parserOptions:
+  ecmaVersion: latest
+  sourceType: module
+plugins:
+  - '@typescript-eslint'
+rules: {}

.github/workflows/build.yml

@@ -0,0 +1,230 @@
+name: Build
+
+on:
+  push:
+    branches: [ "main", release/*, story/*, task/* ]
+    paths:
+      - 'src/**'
+      - 'events/**'
+      - 'tests/**'
+      - 'package.json'
+      - '.github/workflows/**'
+  pull_request:
+    #    branches: [ "main" ]
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'src/**'
+      - 'events/**'
+      - 'tests/**'
+      - 'package.json'
+  workflow_dispatch:
+
+env:
+  API_DOCKER_REGISTRY: ghcr.io
+  API_DOCKER_IMAGE_NAME: ${{ github.repository_owner }}/docs-func-aws-template-list-v1
+
+permissions:
+  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+  build_job:
+    name: Build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v3
+
+      - name: Install node v18
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: Cache node modules
+        id: cache-npm
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-node-modules
+        with:
+          path: |
+            '**/node_modules'
+          key: ${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-${{ env.cache-name }}-
+            ${{ runner.os }}-yarn-
+            ${{ runner.os }}-
+
+      - name: Yarn install
+        run: yarn install
+
+      - name: Yarn build
+        run: yarn build
+
+  test_job:
+    name: Run tests
+    needs: build_job
+    runs-on: ubuntu-latest
+    environment: ci
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v3
+
+      - name: Cache node modules
+        id: cache-npm
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-node-modules
+        with:
+          path: |
+            '**/node_modules'
+          key: ${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-${{ env.cache-name }}-
+            ${{ runner.os }}-yarn-
+            ${{ runner.os }}-
+
+      - name: Yarn install
+        run: yarn install
+
+      - name: Build project
+        run: yarn build
+
+      - name: Run tests
+        env:
+          REPOSITORY_TEMPLATE_PROVIDER_AWS_S3_BUCKETNAME: ${{ secrets.TEST_AWS_BUCKETNAME }}
+          REPOSITORY_TEMPLATE_PROVIDER_AWS_S3_REGION: ${{ secrets.TEST_AWS_REGION }}
+          REPOSITORY_TEMPLATE_PROVIDER_AWS_S3_PREFIX: ${{ secrets.TEST_AWS_BUCKET_PREFIX }}
+
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: yarn test
+
+  analyze_job:
+    name: Code analysis
+    needs:
+      - build_job
+      - test_job
+    runs-on: ubuntu-latest
+    environment: ci
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Cache node modules
+        id: cache-npm
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-node-modules
+        with:
+          path: |
+            '**/node_modules'
+          key: ${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-${{ env.cache-name }}-
+            ${{ runner.os }}-yarn-
+            ${{ runner.os }}-
+
+      - name: Yarn install
+        run: yarn install
+
+      - name: Build project
+        run: yarn build
+
+      - name: Run tests
+        env:
+          REPOSITORY_TEMPLATE_PROVIDER_AWS_S3_BUCKETNAME: ${{ secrets.TEST_AWS_BUCKETNAME }}
+          REPOSITORY_TEMPLATE_PROVIDER_AWS_S3_REGION: ${{ secrets.TEST_AWS_REGION }}
+          REPOSITORY_TEMPLATE_PROVIDER_AWS_S3_PREFIX: ${{ secrets.TEST_AWS_BUCKET_PREFIX }}
+
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: yarn test -- --coverage
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets. SONAR_TOKEN }}
+
+  docker_build_job:
+    name: Containerize
+    needs:
+      - analyze_job
+#    if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by gitHub/codeql-action/upload-sarif to get the Action run status
+      packages: write
+    runs-on: ubuntu-latest
+    environment: ci
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Cache node modules
+        id: cache-npm
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-node-modules
+        with:
+          path: |
+            '**/node_modules'
+          key: ${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-${{ env.cache-name }}-
+            ${{ runner.os }}-yarn-
+            ${{ runner.os }}-
+
+      - name: Yarn install
+        run: yarn install
+
+      - name: Build project
+        run: yarn build
+
+#      - name: Set up QEMU
+#        uses: docker/setup-qemu-action@v2
+#
+#      - name: Set up Docker Buildx
+#        uses: docker/setup-buildx-action@v2
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.TEST_AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build and push Docker image
+#        with:
+#          context: .
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: docs-func-template-list-v1
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ steps.meta.outputs.tags }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+

.gitignore

@@ -83,12 +83,10 @@ dist
 # SAM directories
 .aws-sam
 aws-toolkit-ts-output
+aws-toolkit-tsconfig.json
 built
 gen
 
-.husky
-
-
 /src/.openapi-generator/
 /src/api/
 /src/model/

.husky/commit-msg

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx --no-install commitlint --edit ""

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx --no-install lint-staged

.husky/pre-push

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx --no-install validate-branch-name

Dockerfile

@@ -1,8 +1,7 @@
 FROM public.ecr.aws/lambda/nodejs:18
+WORKDIR ${LAMBDA_TASK_ROOT}
 
-COPY app.ts package*.json ./
+COPY dist/* ./
 
-#RUN npm install
-RUN npm ci --production
+CMD ["index.handler"]
 
-CMD ["app.lambdaHandler"]