updated GHA workflows and app-frontend dockerfile

Signed-off-by: wwanarif <[email protected]>

Author: wwanarif

.github/workflows/_build-image-to-registry.yml

@@ -0,0 +1,47 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Uses - Build Images to Registry
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      node:
+        required: true
+        type: string
+      tag:
+        default: "latest"
+        required: false
+        type: string
+      test_e2e:
+        default: true
+        required: false
+        type: boolean
+
+jobs:
+  build-images:
+    runs-on: "docker-build-${{ inputs.node }}"
+    steps:
+      - name: Clean Up Working Directory
+        run: sudo rm -rf ${{github.workspace}}/*
+
+      - name: Get Checkout Ref
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ] || [ "${{ github.event_name }}" == "pull_request_target" ]; then
+          echo "CHECKOUT_REF=refs/pull/${{ github.event.number }}/merge" >> $GITHUB_ENV
+          else
+            echo "CHECKOUT_REF=${{ github.ref }}" >> $GITHUB_ENV
+          fi
+
+      - name: Checkout out Repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
+          fetch-depth: 0
+
+      - name: Build Image and Push Image
+        run: |
+            whoami
+            echo ${OPEA_IMAGE_REPO}
+            cd ${{ github.workspace }}/setup-scripts/build-image-to-registry
+            ansible-playbook build-image-to-registry.yml -e "container_registry=${OPEA_IMAGE_REPO}opea" -e "container_tag=${{ inputs.tag }}"

.github/workflows/manual-docker-build.yml

@@ -0,0 +1,29 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Manual Build Images
+on:
+  workflow_dispatch:
+    inputs:
+      nodes:
+        default: "gaudi"
+        description: "Hardware to run test"
+        required: true
+        type: string
+      tag:
+        default: "latest"
+        description: "Tag to apply to images"
+        required: true
+        type: string
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-on-manual-dispatch
+  cancel-in-progress: true
+
+jobs:
+  image-build:
+    uses: ./.github/workflows/_build-image-to-registry.yml
+    with:
+      node: ${{ inputs.nodes }}
+      tag: ${{ inputs.tag }}
+    secrets: inherit

.github/workflows/manual-docker-scan.yml

@@ -0,0 +1,103 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Manual Image BoM and CVE Scan
+on:
+  workflow_dispatch:
+    inputs:
+      node:
+        default: "gaudi"
+        description: "Hardware to run scan"
+        required: true
+        type: string
+      tag:
+        # default: "latest"
+        default: "test1"
+        description: "Tag for images to scan"
+        required: true
+        type: string
+      sbom_scan:
+        default: true
+        description: 'Scan images for BoM'
+        required: false
+        type: boolean
+      trivy_scan:
+        default: true
+        description: 'Scan images for CVE'
+        required: false
+        type: boolean
+
+permissions: read-all
+jobs:
+  clean-workspace:
+    runs-on: "docker-build-${{ inputs.node }}"
+    steps:
+      - name: Clean up Working Directory
+        run: |
+          sudo rm -rf ${{github.workspace}}/* || true
+          # docker system prune -f
+
+  scan-docker:
+    needs: clean-workspace
+    runs-on: "docker-build-${{ inputs.node }}"
+    strategy:
+      matrix:
+        image: ["studio-frontend", "studio-backend", "app-frontend", "app-backend"]
+      fail-fast: false
+    steps:
+      - name: Pull Image
+        run: |
+          docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
+          echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
+  
+      - name: SBOM Scan Container
+        uses: anchore/[email protected]
+        if: ${{ inputs.sbom_scan }}
+        with:
+          image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output-file: ${{ matrix.image }}-sbom-scan.txt
+          format: 'spdx-json'
+
+      - name: Security Scan Container
+        uses: aquasecurity/[email protected]
+        if: ${{ inputs.trivy_scan }}
+        with:
+          image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output: ${{ matrix.image }}-trivy-scan.txt
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Cleanup
+        if: always()
+        run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true
+
+      - name: Collect Logs
+        if: always()
+        run: |
+          mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
+          mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
+
+  upload-artifacts:
+    needs: scan-docker
+    runs-on: "docker-build-${{ inputs.node }}"
+    if: always()
+    steps:
+      - name: Upload SBOM Artifacts
+        uses: actions/[email protected]
+        with:
+          name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }}
+          path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt
+          overwrite: true
+
+      - name: Upload Trivy Artifacts
+        uses: actions/[email protected]
+        with:
+          name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
+          path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt
+          overwrite: true
+
+      - name: Remove Logs
+        run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-*

.github/workflows/pr-code-scan.yml

@@ -1,7 +1,7 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-name: Code Scan
+name: PR Code Scan
 
 on:
   pull_request:

.github/workflows/pr-e2e-test.yml

@@ -0,0 +1,24 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: PR E2E test
+
+on:
+  pull_request:
+    branches: ["main", "*rc"]
+    types: [opened, reopened, ready_for_review, synchronize] # added `ready_for_review` since draft is skipped
+    paths-ignore:
+      - "**.md"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pr-image-build:
+    uses: ./.github/workflows/_build-image-to-registry.yml
+    with:
+      node: gaudi
+      tag: ${{ github.event_name == 'workflow_dispatch' && 'latest' || github.event.pull_request.head.sha }}
+    secrets: inherit

.github/workflows/weekly-trellix-scan.yml

@@ -1,7 +1,7 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-name: Trellix Command Line Scanner
+name: Weekly Trellix Scan
 
 on:
   workflow_dispatch:

app-frontend/Dockerfile

@@ -7,7 +7,7 @@ FROM node:20.11.1 AS vite-app
 COPY react /usr/app/react
 WORKDIR /usr/app/react
 
-RUN npm install && npm run build
+RUN npm install --legacy-peer-deps && npm run build
 
 FROM nginx:alpine