feat: Add GitHub Code and Security Insights plugin #43
  
    
    
  
  
    
  | name: Commit Stage | |
| on: push | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: kadras-io/kadras-developer-portal | |
| VERSION: ${{ github.sha }} | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Check out source code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: 'yarn' | |
| - name: Install dependencies | |
| run: | | |
| yarn install --immutable | |
| - name: Validate configuration | |
| run: | | |
| yarn backstage-cli config:check --lax | |
| - name: Validate types and definitions | |
| run: | | |
| yarn tsc:full | |
| - name: Prettier | |
| run: | | |
| yarn prettier:check | |
| - name: Build | |
| run: | | |
| yarn build:all | |
| - name: Lint | |
| run: | | |
| yarn lint:all | |
| - name: Test | |
| run: | | |
| yarn test:all | |
| package: | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| needs: [ build ] | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: | |
| - linux/amd64 | |
| - linux/arm64 | |
| steps: | |
| - name: Check out source code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: 'yarn' | |
| - name: Install dependencies | |
| run: | | |
| yarn install --immutable | |
| - name: Generate type definitions | |
| run: | | |
| yarn tsc | |
| - name: Build application | |
| run: | | |
| yarn build:backend --config ../../app-config.yaml | |
| - name: Prepare OCI build | |
| run: | | |
| platform=${{ matrix.platform }} | |
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
| - name: Generate Docker meta information | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.licenses='Apache-2.0' | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} | |
| org.opencontainers.image.version=${{ env.VERSION }} | |
| org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ${{ env.REGISTRY }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| id: build | |
| with: | |
| context: . | |
| file: packages/backend/Dockerfile | |
| platforms: ${{ matrix.platform }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: digests-backstage-${{ env.PLATFORM_PAIR }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| merge: | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| needs: [package] | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-backstage-* | |
| merge-multiple: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.6.0 | |
| - name: Generate Docker meta information | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.licenses='Apache-2.0' | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} | |
| org.opencontainers.image.version=${{ env.VERSION }} | |
| org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=sha,format=long | |
| - name: Login to container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ${{ env.REGISTRY }} | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} | |
| - name: Sign image | |
| run: | | |
| cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} |
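Review bot: The Sign image step at the end signs the mutable tag `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}`, so the signature is bound to whatever digest that tag resolves to at signing time rather than to the manifest list this job just pushed in "Create manifest list and push"; cosign itself warns about signing by tag for this reason. Resolve the digest first and sign the immutable reference, e.g. `digest=$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }})` followed by `cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${digest}`. Separately, every third-party action in the workflow (actions/checkout@v4, docker/build-push-action@v6, sigstore/cosign-installer@v3.6.0, and the rest) is pinned to a moving tag rather than a full commit SHA, so a retagged or compromised release would run in jobs that hold `packages: write` and `id-token: write`; pinning each `uses:` to the commit SHA with the version in a trailing comment is the usual mitigation. The rendering does not show which of these lines are new in this change, so part of this may be pre-existing rather than introduced here.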