Update chainguard-dev/actions digest to 141bf22 #15777
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pipeline | |
on: | |
push: | |
branches: [ main ] | |
paths-ignore: | |
- '**/*.md' | |
pull_request: | |
branches: [ main ] | |
schedule: | |
- cron: "0 18 * * *" # Every day at 8pm | |
# Allow to run this workflow manually | |
workflow_dispatch: | |
env: | |
RUN_ID: ${{ github.run_id }} | |
CONTAINER_REGISTRY: ghcr.io | |
CONTAINER_IMAGE_NAME: ${{ github.repository }} | |
CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }} # Use PR head SHA if available | |
GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_". | |
GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }} | |
SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
REPORTS_REPOSITORY: digitalservicebund/ris-reports | |
jobs: | |
backend-build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b | |
with: | |
java-version: "21.0" | |
distribution: "temurin" | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
- name: Run backend tests | |
working-directory: ./backend | |
run: ./gradlew build --profile -x integrationTest -x test | |
- name: Upload build performance report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: performance-report | |
path: backend/build/reports/profile/profile*.html | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
backend-checks: | |
uses: ./.github/workflows/backend-checks.yml | |
secrets: inherit | |
backend-build-image-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b | |
with: | |
java-version: "21.0" | |
distribution: "temurin" | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
- name: Build backend image | |
working-directory: ./backend | |
run: ./gradlew bootBuildImage | |
- name: Run Trivy vulnerability image scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
github-pat: ${{ secrets.GITHUB_TOKEN }} | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
# Todo: Remove this step | |
- name: Upload Trivy scan results | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "trivy-results-backend.sarif" | |
path: "trivy-results.sarif" | |
if-no-files-found: error | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln-backend.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "vuln-backend.json" | |
path: "vuln-backend.json" | |
if-no-files-found: error | |
- name: Save image | |
run: | | |
mkdir /tmp/images | |
docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- uses: actions/cache@v4 | |
with: | |
path: /tmp/images | |
key: docker-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
frontend-checks: | |
uses: ./.github/workflows/frontend-checks.yml | |
secrets: inherit | |
audit-licenses-backend: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b | |
with: | |
java-version: "21.0" | |
distribution: "temurin" | |
cache: gradle | |
- name: Grant execute permission for gradlew | |
working-directory: ./backend | |
run: chmod +x gradlew | |
- name: Run license scanner | |
working-directory: ./backend | |
run: ./gradlew checkLicense | |
- name: Upload licence report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: licence-reports-backend | |
retention-days: 3 | |
path: backend/build/reports/dependency-license/backend-licence-report.csv | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
audit-licenses-frontend: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/package.json | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Install dependencies | |
run: npm ci | |
working-directory: ./frontend | |
- name: Run license scanner | |
run: npm run audit:licences | |
working-directory: ./frontend | |
- name: Upload licence report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: licence-reports-frontend | |
retention-days: 3 | |
path: frontend/frontend-licence-report.csv | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
frontend-build-image-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build frontend image | |
run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend | |
- name: Run Trivy vulnerability image scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Run Trivy vulnerability file scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
scan-type: "fs" | |
scan-ref: "./frontend" | |
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283 | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy file scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
category: trivy-fs-scan | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln-frontend.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "vuln-frontend.json" | |
path: "vuln-frontend.json" | |
if-no-files-found: error | |
- name: Save image | |
run: | | |
mkdir /tmp/images | |
docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- uses: actions/cache@v4 | |
with: | |
path: /tmp/images | |
key: docker-frontend-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
push-backend-image-to-registry: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- backend-build | |
- backend-checks | |
- backend-build-image-and-scan | |
- audit-licenses-backend | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/cache@v4 | |
with: | |
path: /tmp/images | |
key: docker-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: load image | |
shell: bash | |
run: docker load -i /tmp/images/backend-image.tar | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0 | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish backend container image | |
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59 | |
- name: Sign the published Docker image | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
push-frontend-image-to-registry: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- frontend-checks | |
- frontend-build-image-and-scan | |
- audit-licenses-frontend | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/cache@v4 | |
with: | |
path: /tmp/images | |
key: docker-frontend-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: load image | |
shell: bash | |
run: docker load -i /tmp/images/frontend-image.tar | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0 | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish backend container image | |
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59 | |
- name: Sign the published Docker image | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
deploy-staging: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
concurrency: | |
group: deploy-staging | |
cancel-in-progress: true | |
environment: staging | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@141bf225e9c19c34304ee9d06e9be9c44a6d8765 | |
- name: Deploy new images | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: staging | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-staging | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
argocd_sync_timeout: 300 | |
- name: Track deploy | |
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0 | |
with: | |
project: RIS | |
environment: staging | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
prep-playwright-tests: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/package.json | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Get Playwright version | |
working-directory: ./frontend | |
run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV | |
- name: Cache browser binaries | |
id: cache-browser-binaries | |
uses: actions/cache@v4 | |
with: | |
path: ~/.cache/ms-playwright | |
key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }} | |
- name: Install browsers | |
if: steps.cache-browser-binaries.outputs.cache-hit != 'true' | |
run: | | |
npx --yes playwright install --with-deps chromium firefox | |
working-directory: ./frontend | |
e2e-tests: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
concurrency: | |
group: deploy-staging | |
cancel-in-progress: true | |
needs: [ deploy-staging, prep-playwright-tests ] | |
# We do not include the matrix directly, so that the concurrency group does not apply to each matrix job individually | |
uses: ./.github/workflows/e2e_matrix.yml | |
secrets: inherit | |
query-performance-tests: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
concurrency: | |
group: deploy-staging | |
cancel-in-progress: true | |
needs: [ e2e-tests, prep-playwright-tests ] | |
uses: ./.github/workflows/_playwright-test.yml | |
with: | |
subproject: "all" | |
browser: "queries" # uses the 'queries' project | |
mode: "queries" | |
runs: 1 | |
workers: 1 | |
secrets: inherit | |
generate-test-reports: | |
if: ${{ !cancelled() && github.ref == 'refs/heads/main' }} | |
needs: [ e2e-tests ] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/package.json | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Cache node_modules | |
uses: actions/cache@v4 | |
id: node-modules-cache | |
with: | |
path: | | |
./frontend/node_modules | |
key: modules-${{ hashFiles('./frontend/package-lock.json') }} | |
- name: Install dependencies | |
if: steps.node-modules-cache.outputs.cache-hit != 'true' | |
run: | | |
npm ci | |
working-directory: ./frontend | |
- name: Download blob reports from artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: ./frontend/all-blob-reports | |
pattern: test-results-blob-* | |
- name: Prepare test reports for merge | |
working-directory: ./frontend/all-blob-reports | |
run: | | |
for DIR in test-results-blob-*; do | |
unzip -o "$DIR/test-report.zip" -d "$DIR" | |
rm "$DIR/test-report.zip" | |
ZIP_FILE="../$(basename "$DIR").zip" | |
(cd "$DIR" && zip -r "$ZIP_FILE" ./*.jsonl) | |
rm -rf "$DIR" | |
done | |
shell: bash | |
- name: Merge into html report | |
run: npx playwright merge-reports --reporter html ./all-blob-reports | |
working-directory: ./frontend | |
- name: Upload html report to artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: html-test-report | |
path: ./frontend/playwright-report | |
check-latest-deploy-tag: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- e2e-tests | |
runs-on: ubuntu-latest | |
outputs: | |
should_deploy: ${{ steps.compare-tags.outputs.should_deploy }} | |
environment: production | |
steps: | |
- name: Checkout infra repository | |
uses: actions/checkout@v4 | |
with: | |
repository: digitalservicebund/neuris-infra | |
ssh-key: ${{ secrets.DEPLOY_KEY }} | |
path: infra | |
- name: Checkout main repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
path: main | |
- name: compare image tags | |
id: compare-tags | |
run: | | |
set -x | |
CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }} | |
DEPLOYED_TAG=$(yq '.images[0] | .newTag' infra/manifests/overlays/production/kustomization.yaml) | |
cd main | |
if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then | |
echo "should_deploy=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "should_deploy=true" >> "$GITHUB_OUTPUT" | |
fi | |
deploy-production: | |
runs-on: ubuntu-latest | |
if: | | |
github.ref == 'refs/heads/main' && | |
needs.check-latest-deploy-tag.outputs.should_deploy == 'true' | |
concurrency: deploy-production | |
environment: production | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
- e2e-tests | |
- check-latest-deploy-tag | |
- backend-checks | |
- frontend-checks | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@141bf225e9c19c34304ee9d06e9be9c44a6d8765 | |
- name: Deploy new images | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: production | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-production | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
argocd_sync_timeout: 300 | |
- name: Track deploy | |
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0 | |
with: | |
project: RIS | |
environment: production | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
deploy-uat: | |
runs-on: ubuntu-latest | |
if: | | |
github.ref == 'refs/heads/main' | |
concurrency: deploy-uat | |
environment: uat | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
- e2e-tests | |
- deploy-production | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@141bf225e9c19c34304ee9d06e9be9c44a6d8765 | |
- name: Deploy new images | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: uat | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-uat | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
argocd_sync_timeout: 300 | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
generate-entity-relationship-diagram: | |
runs-on: ubuntu-latest | |
if: ${{ false && github.ref == 'refs/heads/main' }} | |
env: | |
POSTGRES_DB: ris-erd | |
POSTGRES_PASSWORD: postgres | |
POSTGRES_USER: postgres | |
services: | |
postgres: | |
image: postgres:14-alpine | |
env: | |
POSTGRES_DB: ris-erd | |
POSTGRES_PASSWORD: postgres | |
POSTGRES_USER: postgres | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
--name postgres | |
ports: | |
- 5432:5432 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install uuid-ossp extension | |
run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";' | |
- name: Apply incremental migration structure | |
run: docker exec -i postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} < ./backend/src/test/resources/db/create_migration_scheme_and_extensions.sql | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b | |
with: | |
java-version: "21.0" | |
distribution: "temurin" | |
cache: gradle | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
- name: Migrate database for Entity–relationship model | |
working-directory: ./backend | |
run: ./gradlew migrateDatabaseForERD | |
env: | |
DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }} | |
DB_USER: ${{ env.POSTGRES_USER }} | |
DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }} | |
- name: Generate mermaid ER-diagram | |
uses: digitalservicebund/export-entity-relationship-diagram@c022c18a7a9e4fce71cece7ff907a952ba5c11c8 | |
with: | |
configFile: ./backend/mermerd.config.yaml | |
connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }} | |
outputFile: latest.mmd | |
flags: --debug | |
version: 0.9.0 | |
- name: Upload mermaid ER-diagram | |
uses: actions/upload-artifact@v4 | |
with: | |
name: erdiagram | |
retention-days: 3 | |
path: latest.mmd | |
generate-backend-code-documentation: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b | |
with: | |
java-version: "21.0" | |
distribution: "temurin" | |
cache: gradle | |
- name: Grant execute permission for gradlew | |
working-directory: ./backend | |
run: chmod +x gradlew | |
- name: Run Javadoc | |
working-directory: ./backend | |
run: ./gradlew javadoc | |
- name: Upload documentation | |
uses: actions/upload-artifact@v4 | |
with: | |
name: backend-code-documentation | |
retention-days: 3 | |
path: backend/build/docs/javadoc/ | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
push-reports: | |
runs-on: ubuntu-latest | |
needs: | |
# - generate-entity-relationship-diagram | |
- backend-build | |
- audit-licenses-backend | |
- audit-licenses-frontend | |
- e2e-tests | |
- generate-backend-code-documentation | |
- generate-test-reports | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
# Setup | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ env.REPORTS_REPOSITORY }} | |
ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }} | |
- name: Setup git config | |
run: | | |
git config user.name "${{ github.repository }}" | |
# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560 | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
# ER-diagram | |
# - name: ER-diagram - Download artifact | |
# uses: actions/download-artifact@v4 | |
# with: | |
# name: erdiagram | |
# path: tmp/erdiagram-reports/ | |
# - name: ER-diagram - git add report | |
# uses: digitalservicebund/add-ris-report@32770d369cf00a8154bb6a17005d11cf781bfba3 | |
# with: | |
# filePath: tmp/erdiagram-reports/latest.mmd | |
# destinationDir: entity-relationship-diagrams/ris-backend-service | |
# Licence reports | |
- name: Licence reports - Download | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: licence-reports-* | |
path: tmp/licence-reports/ | |
merge-multiple: true | |
- name: Frontend licence report - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/licence-reports/frontend-licence-report.csv | |
destinationDir: licence-reports/frontend/ris-backend-service | |
- name: Backend licence report - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/licence-reports/backend-licence-report.csv | |
destinationDir: licence-reports/backend/ris-backend-service | |
# Performance report | |
- name: Performance reports - Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: performance-report | |
path: tmp/performance-reports/ | |
- run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html | |
- name: Performance report - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/performance-reports/profile-report.html | |
destinationDir: performance-reports/ris-backend-service | |
# Backend code documentation | |
- name: Backend Code Documentation - Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: backend-code-documentation | |
path: tmp/backend-code-documentation/ | |
- name: Java - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/backend-code-documentation | |
destinationDir: backend-code-documentation/java | |
reportIsDirectory: true | |
# e2e test report | |
- name: E2E test reports - Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: html-test-report | |
path: tmp/html-test-report/ | |
- name: E2E test reports - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/html-test-report/ | |
destinationDir: test-reports/ris-backend-service | |
reportIsDirectory: true | |
# Push reports | |
- name: Push reports | |
# we use `toJSON(...)` below to escape double quotation marks | |
run: | | |
git diff-index --cached --quiet HEAD || | |
git commit \ | |
-m ${{ toJSON(github.event.head_commit.message) }} \ | |
-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" && | |
git push origin main && | |
echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> $GITHUB_STEP_SUMMARY |