Skip to content

Pipeline

Pipeline #5366

Workflow file for this run

name: Pipeline
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 18 * * *" # Every day at 8pm
# Allow to run this workflow manually
workflow_dispatch:
env:
RUN_ID: ${{ github.run_id }}
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }} # Use PR head SHA if available
GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_"..
GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }}
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
REPORTS_REPOSITORY: digitalservicebund/ris-reports
jobs:
backend-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: build --profile -x integrationTest -x test
build-root-directory: ./backend
- name: Upload build performance report
uses: actions/upload-artifact@v3
with:
name: performance-report
path: backend/build/reports/profile/profile*.html
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Backend build :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
backend-unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7
with:
gradle-version: ${{ env.GRADLE_VERSION}}
arguments: test -x integrationTest
build-root-directory: ./backend
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Backend unit tests :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
backend-integration-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: integrationTest -x test
build-root-directory: ./backend
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Backend integration tests :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
backend-build-image-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Validate gradle wrapper
uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: bootBuildImage
build-root-directory: ./backend
- name: Run Trivy vulnerability scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1" # Fail the build!
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln-backend.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v3
with:
name: "vuln-backend.json"
path: "vuln-backend.json"
if-no-files-found: error
- name: Save image
run: |
mkdir /tmp/images
docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- uses: actions/cache@v3
with:
path: /tmp/images
key: docker-images-cache-${{ env.RUN_ID }}
restore-keys: docker-images-cache-${{ env.RUN_ID }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Build backend image :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
frontend-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version-file: ./frontend/.node-version
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Cache node_modules
uses: actions/cache@v3
id: node-modules-cache
with:
path: |
./frontend/node_modules
key: modules-${{ hashFiles('./frontend/package-lock.json') }}
- name: Install dependencies
if: steps.node-modules-cache.outputs.cache-hit != 'true'
run: |
npm ci
working-directory: ./frontend
- name: Run tests
run: |
npm test
working-directory: ./frontend
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Frontend tests :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
frontend-style:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version-file: ./frontend/.node-version
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Cache node_modules
uses: actions/cache@v3
id: node-modules-cache
with:
path: |
./frontend/node_modules
key: modules-${{ hashFiles('./frontend/package-lock.json') }}
- name: Install dependencies
if: steps.node-modules-cache.outputs.cache-hit != 'true'
run: |
npm ci
working-directory: ./frontend
- name: Check style
run: npm run style:check
working-directory: ./frontend
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Frontend style :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
audit-licenses-backend:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
cache: gradle
- name: Grant execute permission for gradlew
working-directory: ./backend
run: chmod +x gradlew
- name: Run license scanner
working-directory: ./backend
run: ./gradlew checkLicense
- name: Upload licence report
uses: actions/upload-artifact@v3
with:
name: licence-reports
retention-days: 3
path: backend/build/reports/dependency-license/backend-licence-report.csv
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "License audit backend :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
audit-licenses-frontend:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version-file: ./frontend/.node-version
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Install dependencies
run: npm ci
working-directory: ./frontend
- name: Run license scanner
run: npm run audit:licences
working-directory: ./frontend
- name: Upload licence report
uses: actions/upload-artifact@v3
with:
name: licence-reports
retention-days: 3
path: frontend/frontend-licence-report.csv
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "License audit frontend :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
frontend-build-image-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Build frontend image
run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend
- name: Run Trivy vulnerability image scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1" # Fail the build!
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-image-scan
- name: Run Trivy vulnerability file scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
scan-type: "fs"
scan-ref: "./frontend"
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1" # Fail the build!
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy file scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-fs-scan
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln-frontend.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v3
with:
name: "vuln-frontend.json"
path: "vuln-frontend.json"
if-no-files-found: error
- name: Save image
run: |
mkdir /tmp/images
docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- uses: actions/cache@v3
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Vulnerability scan frontend :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
analyze-backend:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Validate gradle wrapper
uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
- name: Cache SonarQube packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
- name: Scan with SonarQube
uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: sonar --info
build-root-directory: ./backend
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Check SonarQube Quality Gate
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496
with:
scanMetadataReportFile: backend/build/sonar/report-task.txt
timeout-minutes: 3 # Force to fail step after specific time
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Analyze backend :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
analyze-frontend:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Install SonarScanner
uses: digitalservicebund/github-actions/setup-sonarscanner@7dc5748165cf877ff44898c4314e1f4085754a66
- name: Scan with SonarQube
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
npm install
npm run coverage
sonar-scanner
working-directory: ./frontend
- name: Check SonarQube Quality Gate
uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496
with:
scanMetadataReportFile: frontend/.scannerwork/report-task.txt
timeout-minutes: 3
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Analyze frontend :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
push-backend-image-to-registry:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- backend-build
- backend-unit-tests
- backend-integration-tests
- backend-build-image-and-scan
- audit-licenses-backend
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v3
with:
path: /tmp/images
key: docker-images-cache-${{ env.RUN_ID }}
restore-keys: docker-images-cache-${{ env.RUN_ID }}
- name: load image
shell: bash
run: docker load -i /tmp/images/backend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@9c520b997e685cb69e1ac226f7dce8114e8f36df
with:
cosign-release: "v1.13.1"
- name: Sign the published Docker image
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Download cosign vulnerability scan record
uses: actions/download-artifact@v3
with:
name: "vuln-backend.json"
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln-backend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
env:
COSIGN_EXPERIMENTAL: "true"
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Build/push backend image :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
push-frontend-image-to-registry:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- frontend-tests
- frontend-style
- frontend-build-image-and-scan
- audit-licenses-frontend
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v3
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-images-cache-${{ env.RUN_ID }}
- name: load image
shell: bash
run: docker load -i /tmp/images/frontend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@9c520b997e685cb69e1ac226f7dce8114e8f36df
with:
cosign-release: "v1.13.1"
- name: Sign the published Docker image
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Download cosign vulnerability scan record
uses: actions/download-artifact@v3
with:
name: "vuln-frontend.json"
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
env:
COSIGN_EXPERIMENTAL: "true"
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Build/push images :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
deploy-staging:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
concurrency: deploy-staging
environment: staging
needs:
- push-frontend-image-to-registry
- push-backend-image-to-registry
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
- name: Deploy new images
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
with:
environment: staging
version: ${{ needs.push-backend-image-to-registry.outputs.version }}
deploying_repo: ris-backend-service,ris-backend-service/frontend
infra_repo: neuris-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
- name: Track deploy
uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0
with:
project: RIS
environment: staging
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Deploy staging :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
prep-playwright-tests:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version-file: ./frontend/.node-version
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Get Playwright version
working-directory: ./frontend
run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV
- name: Cache browser binaries
id: cache-browser-binaries
uses: actions/cache@v3
with:
path: ~/.cache/ms-playwright
key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }}
- name: Install browsers
if: steps.cache-browser-binaries.outputs.cache-hit != 'true'
run: |
npx --yes playwright install --with-deps chromium firefox
working-directory: ./frontend
e2e-tests:
if: ${{ github.ref == 'refs/heads/main' }}
needs: [deploy-staging, prep-playwright-tests]
strategy:
fail-fast: false
matrix:
subproject: [caselaw, norms, shared]
browser: [chromium, firefox]
mode: [e2e]
include:
- mode: a11y
browser: a11y
uses: ./.github/workflows/_playwright-test.yml
with:
subproject: ${{ matrix.subproject}}
browser: ${{ matrix.browser }}
mode: ${{ matrix.mode }}
secrets: inherit
check-latest-deploy-tag:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- e2e-tests
runs-on: ubuntu-latest
outputs:
should_deploy: ${{ steps.compare-tags.outputs.should_deploy }}
environment: production
steps:
- name: Checkout infra repository
uses: actions/checkout@v4
with:
repository: digitalservicebund/neuris-infra
ssh-key: ${{ secrets.DEPLOY_KEY }}
path: infra
- name: Checkout main repository
uses: actions/checkout@v4
with:
fetch-depth: 0
path: main
- name: compare image tags
id: compare-tags
run: |
set -x
CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }}
DEPLOYED_TAG=$(yq '.images[0] | .newTag' infra/manifests/overlays/production/kustomization.yaml)
cd main
if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then
echo "should_deploy=false" >> "$GITHUB_OUTPUT"
else
echo "should_deploy=true" >> "$GITHUB_OUTPUT"
fi
deploy-production:
runs-on: ubuntu-latest
if: |
github.ref == 'refs/heads/main' &&
needs.check-latest-deploy-tag.outputs.should_deploy == 'true'
concurrency: deploy-production
environment: production
needs:
- push-frontend-image-to-registry
- push-backend-image-to-registry
- e2e-tests
- check-latest-deploy-tag
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
- name: Deploy new images
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
with:
environment: production
version: ${{ needs.push-backend-image-to-registry.outputs.version }}
deploying_repo: ris-backend-service,ris-backend-service/frontend
infra_repo: neuris-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-production
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
- name: Track deploy
uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0
with:
project: RIS
environment: production
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Deploy production :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
deployment-time-check:
runs-on: ubuntu-latest
outputs:
between-8-and-20: ${{ steps.check-time.outputs.between-8-and-20 }}
steps:
- id: check-time
run: |
current_hour=$(TZ="Europe/Berlin" date +'%H')
if [ "$current_hour" -ge 8 ] && [ "$current_hour" -lt 20 ]; then
echo "between-8-and-20=true" >> "$GITHUB_OUTPUT"
else
echo "between-8-and-20=false" >> "$GITHUB_OUTPUT"
fi
deploy-uat:
runs-on: ubuntu-latest
if: |
github.ref == 'refs/heads/main' &&
needs.deployment-time-check.outputs.between-8-and-20 == 'false'
concurrency: deploy-uat
environment: uat
needs:
- push-frontend-image-to-registry
- push-backend-image-to-registry
- e2e-tests
- deployment-time-check
- deploy-production
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
- name: Deploy new images
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
with:
environment: uat
version: ${{ needs.push-backend-image-to-registry.outputs.version }}
deploying_repo: ris-backend-service,ris-backend-service/frontend
infra_repo: neuris-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-uat
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Deploy uat :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
build-github-pages:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- e2e-tests
permissions:
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/checkout@v4
- name: Download licence reports
uses: actions/download-artifact@v3
with:
name: licence-reports
path: _site
- name: Download build performance report
uses: actions/download-artifact@v3
with:
name: performance-report
path: _site
- run: mv _site/profile*.html _site/profile-report.html
- name: Upload GitHub licence page
uses: actions/upload-pages-artifact@v2.0.0
with:
path: _site
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v2.0.0
env:
GITHUB_TOKEN: ${{ github.token }}
generate-entity-relationship-diagram:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
env:
POSTGRES_DB: ris-erd
POSTGRES_PASSWORD: postgres
POSTGRES_USER: postgres
services:
postgres:
image: postgres:14-alpine
env:
POSTGRES_DB: ris-erd
POSTGRES_PASSWORD: postgres
POSTGRES_USER: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
--name postgres
ports:
- 5432:5432
steps:
- uses: actions/checkout@v4
- name: Install uuid-ossp extension
run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
with:
java-version: "17.0"
distribution: "temurin"
cache: gradle
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: migrateDatabaseForERD
build-root-directory: ./backend
env:
DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }}
DB_USER: ${{ env.POSTGRES_USER }}
DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
- name: Generate mermaid ER-diagram
uses: digitalservicebund/github-actions/entity-relationship-diagram@b0e67dbb3637296eeb2ae0c9110cd42d4d8de6fb
with:
configFile: ./backend/mermerd.config.yaml
connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }}
outputFile: latest.mmd
flags: --debug
version: 0.9.0
- name: Upload mermaid ER-diagram
uses: actions/upload-artifact@v3
with:
name: erdiagram
retention-days: 3
path: latest.mmd
generate-backend-code-documentation:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: "17.0"
distribution: "temurin"
cache: gradle
- name: Grant execute permission for gradlew
working-directory: ./backend
run: chmod +x gradlew
- name: Run Javadoc
working-directory: ./backend
run: ./gradlew javadoc
- name: Run Dokka
working-directory: ./backend
run: ./gradlew dokkaHtml
- name: Upload documentation
uses: actions/upload-artifact@v3
with:
name: backend-code-documentation
retention-days: 3
path: |
backend/build/dokka/html/
backend/build/docs/javadoc/
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "License audit backend :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
push-reports:
runs-on: ubuntu-latest
needs:
- generate-entity-relationship-diagram
- backend-build
- audit-licenses-backend
- audit-licenses-frontend
- e2e-tests
- generate-backend-code-documentation
if: ${{ github.ref == 'refs/heads/main' }}
steps:
# Setup
- uses: actions/checkout@v4
with:
repository: ${{ env.REPORTS_REPOSITORY }}
ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }}
- name: Setup git config
run: |
git config user.name "${{ github.repository }}"
# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
# ER-diagram
- name: ER-diagram - Download artifact
uses: actions/download-artifact@v3
with:
name: erdiagram
path: tmp/erdiagram-reports/
- name: ER-diagram - git add report
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
with:
filePath: tmp/erdiagram-reports/latest.mmd
destinationDir: entity-relationship-diagrams/ris-backend-service
# Licence reports
- name: Licence reports - Download
uses: actions/download-artifact@v3
with:
name: licence-reports
path: tmp/licence-reports/
- name: Frontend licence report - git add report
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
with:
filePath: tmp/licence-reports/frontend-licence-report.csv
destinationDir: licence-reports/frontend/ris-backend-service
- name: Backend licence report - git add report
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
with:
filePath: tmp/licence-reports/backend-licence-report.csv
destinationDir: licence-reports/backend/ris-backend-service
# Performance report
- name: Performance reports - Download
uses: actions/download-artifact@v3
with:
name: performance-report
path: tmp/performance-reports/
- run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html
- name: Performance report - git add report
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
with:
filePath: tmp/performance-reports/profile-report.html
destinationDir: performance-reports/ris-backend-service
# Backend code documentation
- name: Backend Code Documentation - Download
uses: actions/download-artifact@v3
with:
name: backend-code-documentation
path: tmp/backend-code-documentation/
- name: Java - git add report
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
with:
filePath: tmp/backend-code-documentation/docs/javadoc
destinationDir: backend-code-documentation/java
reportIsDirectory: true
- name: Kotlin - git add report
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
with:
filePath: tmp/backend-code-documentation/dokka/html
destinationDir: backend-code-documentation/kotlin
reportIsDirectory: true
# Push reports
- name: Push reports
# we use `toJSON(...)` below to escape double quotation marks
run: |
git diff-index --cached --quiet HEAD ||
git commit \
-m ${{ toJSON(github.event.head_commit.message) }} \
-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" &&
git push origin main &&
echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> $GITHUB_STEP_SUMMARY