.github/workflows/main.yml

name: ScaleUp Application CI workflow
on:
  push:
    branches:
      - '**' # Trigger on any branch push
jobs:
  set-env:
    name: Setup Environment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.15.0
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Install Node.js packages
        run: npm install
      - name: Cache Node Modules
        uses: actions/cache@v3
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

  package:
    name: Package App
    runs-on: ubuntu-latest
    needs: set-env
    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.pull_request.title, '[skip ci]') && !contains(github.event.pull_request.title, '[ci skip]')"
    timeout-minutes: 10
    env:
      NODE_VERSION: 20.15.0
      SPRING_OUTPUT_ANSI_ENABLED: DETECT
      SPRING_JPA_SHOW_SQL: false
      JHI_DISABLE_WEBPACK_LOGS: true
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.15.0
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Package application
        run: npm run java:jar:prod
      - name: Upload Build Artifact
        uses: actions/upload-artifact@v4
        with:
          name: packaged-application
          path: |
            target/*.jar
            target/classes
          retention-days: 1 # Retain the build artifacts for 1 day

  # Push to Docker
  jib-build:
    name: containerize
    runs-on: ubuntu-latest
    needs: package
    env:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Push to Docker registry w/o IT
        run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD} -DskipTests
        if: github.ref != 'refs/heads/main' || github.ref != 'refs/heads/testing-uat'
      - name: Push to Docker registry w IT
        run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD}
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/testing-uat'

  backend-test:
    name: Backend Test Stage
    runs-on: ubuntu-latest
    needs: package
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Run backend test
        run: |
          chmod +x mvnw
          npm run ci:backend:test
      - name: Upload Backend Test Report
        uses: actions/upload-artifact@v4
        with:
          name: backend-test-report
          path: target/surefire-reports/*.xml
          retention-days: 1

  frontend-test:
    name: Frontend Test Stage
    runs-on: ubuntu-latest
    needs: package
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.15.0
      - name: Install Node.js Packages
        run: npm install
      - name: Run frontend test
        run: npm run ci:frontend:test
      - name: Upload Frontend Test Report
        uses: actions/upload-artifact@v4
        with:
          name: jest-test-reports
          path: ./target/test-results/TESTS-results-jest.xml # Adjusted to match your Jest output configuration
          retention-days: 1

  sonar:
    name: Sonar SAST Scan
    runs-on: ubuntu-latest
    needs: [backend-test, frontend-test]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: 17
          distribution: 'zulu' # Alternative distribution options are available.
      - name: Cache SonarCloud packages
        uses: actions/cache@v3
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        if: github.ref != 'refs/heads/main'
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup
      - name: Build and analyze for main
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        if: github.ref == 'refs/heads/main'
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup #-Dsonar.qualitygate.wait=true
  snyk:
    name: Vulnerability Scanning with Synk
    needs: [backend-test, frontend-test]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
  #      - name: Upload result to GitHub Code Scanning
  #        uses: github/codeql-action/upload-sarif@v3
  #        with:
  #          sarif_file: snyk.sarif

  dast-scan:
    name: DAST OWASP ZAP Scans
    runs-on: ubuntu-latest
    needs: [backend-test, frontend-test]
    steps:
      - uses: actions/checkout@v4
      - name: Change script permission
        run: |
          chmod +x script/zap-script.sh
      - name: ZAP scan
        run: script/zap-script.sh
      - name: Archive production artifacts
        uses: actions/upload-artifact@v4
        with:
          name: zap report
          path: |
            ./zap_baseline_report.html
          retention-days: 1

  deploy-to-sit:
    name: Deploy to SIT
    needs: jib-build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/testing-sit' # Only apply changes on sit branch
    env:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
    steps:
      - name: Deploy to EC2
        uses: appleboy/ssh-action@master
        with:
          host: ec2-52-77-34-58.ap-southeast-1.compute.amazonaws.com # Change this to SIT host
          username: ubuntu
          key: ${{ secrets.EC2_PRIVATE_KEY }}
          port: 22
          script: |
            sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
            if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then
                sudo docker stop scaleUp
                sudo docker rm scaleUp
            elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then
                sudo docker rm scaleUp
            fi
            sudo docker run -d -p 8080:8080 --name scaleUp  ${{ secrets.DOCKER_USERNAME }}/scaleup:latest

  deploy-to-main:
    name: Deploy to Production
    needs: [jib-build, dast-scan, snyk, sonar]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' # Only apply changes on main branch
    env:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
    steps:
      - name: Deploy to EC2
        uses: appleboy/ssh-action@master
        with:
          host: ec2-54-255-11-22.ap-southeast-1.compute.amazonaws.com # Change to Prod host
          username: ubuntu
          key: ${{ secrets.EC2_PRIVATE_KEY_PROD }}
          port: 22
          script: |
            sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
            if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then
                sudo docker stop scaleUp
                sudo docker rm scaleUp
            elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then
                sudo docker rm scaleUp
            fi
            sudo docker run -d -p 8080:8080 --name scaleUp  ${{ secrets.DOCKER_USERNAME }}/scaleup:latest