Pipeline #5368
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pipeline | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
schedule: | |
- cron: "0 18 * * *" # Every day at 8pm | |
# Allow to run this workflow manually | |
workflow_dispatch: | |
env: | |
RUN_ID: ${{ github.run_id }} | |
CONTAINER_REGISTRY: ghcr.io | |
CONTAINER_IMAGE_NAME: ${{ github.repository }} | |
CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }} # Use PR head SHA if available | |
GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_".. | |
GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }} | |
SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
REPORTS_REPOSITORY: digitalservicebund/ris-reports | |
jobs: | |
backend-build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: build --profile -x integrationTest -x test | |
build-root-directory: ./backend | |
- name: Upload build performance report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: performance-report | |
path: backend/build/reports/profile/profile*.html | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Backend build :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
backend-unit-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION}} | |
arguments: test -x integrationTest | |
build-root-directory: ./backend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Backend unit tests :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
backend-integration-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: integrationTest -x test | |
build-root-directory: ./backend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Backend integration tests :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
backend-build-image-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Validate gradle wrapper | |
uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: bootBuildImage | |
build-root-directory: ./backend | |
- name: Run Trivy vulnerability scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
exit-code: "1" # Fail the build! | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln-backend.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "vuln-backend.json" | |
path: "vuln-backend.json" | |
if-no-files-found: error | |
- name: Save image | |
run: | | |
mkdir /tmp/images | |
docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Build backend image :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
frontend-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Cache node_modules | |
uses: actions/cache@v3 | |
id: node-modules-cache | |
with: | |
path: | | |
./frontend/node_modules | |
key: modules-${{ hashFiles('./frontend/package-lock.json') }} | |
- name: Install dependencies | |
if: steps.node-modules-cache.outputs.cache-hit != 'true' | |
run: | | |
npm ci | |
working-directory: ./frontend | |
- name: Run tests | |
run: | | |
npm test | |
working-directory: ./frontend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Frontend tests :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
frontend-style: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Cache node_modules | |
uses: actions/cache@v3 | |
id: node-modules-cache | |
with: | |
path: | | |
./frontend/node_modules | |
key: modules-${{ hashFiles('./frontend/package-lock.json') }} | |
- name: Install dependencies | |
if: steps.node-modules-cache.outputs.cache-hit != 'true' | |
run: | | |
npm ci | |
working-directory: ./frontend | |
- name: Check style | |
run: npm run style:check | |
working-directory: ./frontend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Frontend style :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
audit-licenses-backend: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
cache: gradle | |
- name: Grant execute permission for gradlew | |
working-directory: ./backend | |
run: chmod +x gradlew | |
- name: Run license scanner | |
working-directory: ./backend | |
run: ./gradlew checkLicense | |
- name: Upload licence report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: licence-reports | |
retention-days: 3 | |
path: backend/build/reports/dependency-license/backend-licence-report.csv | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "License audit backend :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
audit-licenses-frontend: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Install dependencies | |
run: npm ci | |
working-directory: ./frontend | |
- name: Run license scanner | |
run: npm run audit:licences | |
working-directory: ./frontend | |
- name: Upload licence report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: licence-reports | |
retention-days: 3 | |
path: frontend/frontend-licence-report.csv | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "License audit frontend :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
frontend-build-image-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build frontend image | |
run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend | |
- name: Run Trivy vulnerability image scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
exit-code: "1" # Fail the build! | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
category: trivy-image-scan | |
- name: Run Trivy vulnerability file scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 | |
with: | |
scan-type: "fs" | |
scan-ref: "./frontend" | |
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283 | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
exit-code: "1" # Fail the build! | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy file scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
category: trivy-fs-scan | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln-frontend.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "vuln-frontend.json" | |
path: "vuln-frontend.json" | |
if-no-files-found: error | |
- name: Save image | |
run: | | |
mkdir /tmp/images | |
docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-frontend-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Vulnerability scan frontend :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
analyze-backend: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Validate gradle wrapper | |
uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- name: Cache SonarQube packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
- name: Scan with SonarQube | |
uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: sonar --info | |
build-root-directory: ./backend | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Check SonarQube Quality Gate | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 | |
with: | |
scanMetadataReportFile: backend/build/sonar/report-task.txt | |
timeout-minutes: 3 # Force to fail step after specific time | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Analyze backend :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
analyze-frontend: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Install SonarScanner | |
uses: digitalservicebund/github-actions/setup-sonarscanner@7dc5748165cf877ff44898c4314e1f4085754a66 | |
- name: Scan with SonarQube | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
run: | | |
npm install | |
npm run coverage | |
sonar-scanner | |
working-directory: ./frontend | |
- name: Check SonarQube Quality Gate | |
uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 | |
with: | |
scanMetadataReportFile: frontend/.scannerwork/report-task.txt | |
timeout-minutes: 3 | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Analyze frontend :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
push-backend-image-to-registry: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- backend-build | |
- backend-unit-tests | |
- backend-integration-tests | |
- backend-build-image-and-scan | |
- audit-licenses-backend | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: load image | |
shell: bash | |
run: docker load -i /tmp/images/backend-image.tar | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish backend container image | |
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@9c520b997e685cb69e1ac226f7dce8114e8f36df | |
with: | |
cosign-release: "v1.13.1" | |
- name: Sign the published Docker image | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Download cosign vulnerability scan record | |
uses: actions/download-artifact@v3 | |
with: | |
name: "vuln-backend.json" | |
- name: Attest vulnerability scan | |
run: cosign attest --yes --replace --predicate vuln-backend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Build/push backend image :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
push-frontend-image-to-registry: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- frontend-tests | |
- frontend-style | |
- frontend-build-image-and-scan | |
- audit-licenses-frontend | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-frontend-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: load image | |
shell: bash | |
run: docker load -i /tmp/images/frontend-image.tar | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish backend container image | |
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@9c520b997e685cb69e1ac226f7dce8114e8f36df | |
with: | |
cosign-release: "v1.13.1" | |
- name: Sign the published Docker image | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Download cosign vulnerability scan record | |
uses: actions/download-artifact@v3 | |
with: | |
name: "vuln-frontend.json" | |
- name: Attest vulnerability scan | |
run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Build/push images :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
deploy-staging: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
concurrency: deploy-staging | |
environment: staging | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3 | |
- name: Deploy new images | |
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858 | |
with: | |
environment: staging | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-staging | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
- name: Track deploy | |
uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0 | |
with: | |
project: RIS | |
environment: staging | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Deploy staging :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
prep-playwright-tests: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Get Playwright version | |
working-directory: ./frontend | |
run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV | |
- name: Cache browser binaries | |
id: cache-browser-binaries | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cache/ms-playwright | |
key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }} | |
- name: Install browsers | |
if: steps.cache-browser-binaries.outputs.cache-hit != 'true' | |
run: | | |
npx --yes playwright install --with-deps chromium firefox | |
working-directory: ./frontend | |
e2e-tests: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: [deploy-staging, prep-playwright-tests] | |
strategy: | |
fail-fast: false | |
matrix: | |
subproject: [caselaw, norms, shared] | |
browser: [chromium, firefox] | |
mode: [e2e] | |
include: | |
- mode: a11y | |
browser: a11y | |
uses: ./.github/workflows/_playwright-test.yml | |
with: | |
subproject: ${{ matrix.subproject}} | |
browser: ${{ matrix.browser }} | |
mode: ${{ matrix.mode }} | |
secrets: inherit | |
check-latest-deploy-tag: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- e2e-tests | |
runs-on: ubuntu-latest | |
outputs: | |
should_deploy: ${{ steps.compare-tags.outputs.should_deploy }} | |
environment: production | |
steps: | |
- name: Checkout infra repository | |
uses: actions/checkout@v4 | |
with: | |
repository: digitalservicebund/neuris-infra | |
ssh-key: ${{ secrets.DEPLOY_KEY }} | |
path: infra | |
- name: Checkout main repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
path: main | |
- name: compare image tags | |
id: compare-tags | |
run: | | |
set -x | |
CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }} | |
DEPLOYED_TAG=$(yq '.images[0] | .newTag' infra/manifests/overlays/production/kustomization.yaml) | |
cd main | |
if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then | |
echo "should_deploy=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "should_deploy=true" >> "$GITHUB_OUTPUT" | |
fi | |
deploy-production: | |
runs-on: ubuntu-latest | |
if: | | |
github.ref == 'refs/heads/main' && | |
needs.check-latest-deploy-tag.outputs.should_deploy == 'true' | |
concurrency: deploy-production | |
environment: production | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
- e2e-tests | |
- check-latest-deploy-tag | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3 | |
- name: Deploy new images | |
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858 | |
with: | |
environment: production | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-production | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
- name: Track deploy | |
uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0 | |
with: | |
project: RIS | |
environment: production | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Deploy production :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
deployment-time-check: | |
runs-on: ubuntu-latest | |
outputs: | |
between-8-and-20: ${{ steps.check-time.outputs.between-8-and-20 }} | |
steps: | |
- id: check-time | |
run: | | |
current_hour=$(TZ="Europe/Berlin" date +'%H') | |
if [ "$current_hour" -ge 8 ] && [ "$current_hour" -lt 20 ]; then | |
echo "between-8-and-20=true" >> "$GITHUB_OUTPUT" | |
else | |
echo "between-8-and-20=false" >> "$GITHUB_OUTPUT" | |
fi | |
deploy-uat: | |
runs-on: ubuntu-latest | |
if: | | |
github.ref == 'refs/heads/main' && | |
needs.deployment-time-check.outputs.between-8-and-20 == 'false' | |
concurrency: deploy-uat | |
environment: uat | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
- e2e-tests | |
- deployment-time-check | |
- deploy-production | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3 | |
- name: Deploy new images | |
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858 | |
with: | |
environment: uat | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-uat | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "Deploy uat :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
build-github-pages: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- e2e-tests | |
permissions: | |
pages: write | |
id-token: write | |
environment: | |
name: github-pages | |
url: ${{ steps.deployment.outputs.page_url }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download licence reports | |
uses: actions/download-artifact@v3 | |
with: | |
name: licence-reports | |
path: _site | |
- name: Download build performance report | |
uses: actions/download-artifact@v3 | |
with: | |
name: performance-report | |
path: _site | |
- run: mv _site/profile*.html _site/profile-report.html | |
- name: Upload GitHub licence page | |
uses: actions/upload-pages-artifact@v2.0.0 | |
with: | |
path: _site | |
- name: Deploy to GitHub Pages | |
id: deployment | |
uses: actions/deploy-pages@v2.0.0 | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
generate-entity-relationship-diagram: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
env: | |
POSTGRES_DB: ris-erd | |
POSTGRES_PASSWORD: postgres | |
POSTGRES_USER: postgres | |
services: | |
postgres: | |
image: postgres:14-alpine | |
env: | |
POSTGRES_DB: ris-erd | |
POSTGRES_PASSWORD: postgres | |
POSTGRES_USER: postgres | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
--name postgres | |
ports: | |
- 5432:5432 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install uuid-ossp extension | |
run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";' | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
cache: gradle | |
- uses: gradle/gradle-build-action@62cce3c597efd445cd71ee868887b8b1117703a7 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: migrateDatabaseForERD | |
build-root-directory: ./backend | |
env: | |
DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }} | |
DB_USER: ${{ env.POSTGRES_USER }} | |
DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }} | |
- name: Generate mermaid ER-diagram | |
uses: digitalservicebund/github-actions/entity-relationship-diagram@b0e67dbb3637296eeb2ae0c9110cd42d4d8de6fb | |
with: | |
configFile: ./backend/mermerd.config.yaml | |
connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }} | |
outputFile: latest.mmd | |
flags: --debug | |
version: 0.9.0 | |
- name: Upload mermaid ER-diagram | |
uses: actions/upload-artifact@v3 | |
with: | |
name: erdiagram | |
retention-days: 3 | |
path: latest.mmd | |
generate-backend-code-documentation: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
cache: gradle | |
- name: Grant execute permission for gradlew | |
working-directory: ./backend | |
run: chmod +x gradlew | |
- name: Run Javadoc | |
working-directory: ./backend | |
run: ./gradlew javadoc | |
- name: Run Dokka | |
working-directory: ./backend | |
run: ./gradlew dokkaHtml | |
- name: Upload documentation | |
uses: actions/upload-artifact@v3 | |
with: | |
name: backend-code-documentation | |
retention-days: 3 | |
path: | | |
backend/build/dokka/html/ | |
backend/build/docs/javadoc/ | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 | |
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
type: ${{ job.status }} | |
job_name: "License audit backend :point_right:" | |
mention: "here" | |
mention_if: "failure" | |
commit: true | |
url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
push-reports: | |
runs-on: ubuntu-latest | |
needs: | |
- generate-entity-relationship-diagram | |
- backend-build | |
- audit-licenses-backend | |
- audit-licenses-frontend | |
- e2e-tests | |
- generate-backend-code-documentation | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
# Setup | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ env.REPORTS_REPOSITORY }} | |
ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }} | |
- name: Setup git config | |
run: | | |
git config user.name "${{ github.repository }}" | |
# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560 | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
# ER-diagram | |
- name: ER-diagram - Download artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: erdiagram | |
path: tmp/erdiagram-reports/ | |
- name: ER-diagram - git add report | |
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510 | |
with: | |
filePath: tmp/erdiagram-reports/latest.mmd | |
destinationDir: entity-relationship-diagrams/ris-backend-service | |
# Licence reports | |
- name: Licence reports - Download | |
uses: actions/download-artifact@v3 | |
with: | |
name: licence-reports | |
path: tmp/licence-reports/ | |
- name: Frontend licence report - git add report | |
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510 | |
with: | |
filePath: tmp/licence-reports/frontend-licence-report.csv | |
destinationDir: licence-reports/frontend/ris-backend-service | |
- name: Backend licence report - git add report | |
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510 | |
with: | |
filePath: tmp/licence-reports/backend-licence-report.csv | |
destinationDir: licence-reports/backend/ris-backend-service | |
# Performance report | |
- name: Performance reports - Download | |
uses: actions/download-artifact@v3 | |
with: | |
name: performance-report | |
path: tmp/performance-reports/ | |
- run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html | |
- name: Performance report - git add report | |
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510 | |
with: | |
filePath: tmp/performance-reports/profile-report.html | |
destinationDir: performance-reports/ris-backend-service | |
# Backend code documentation | |
- name: Backend Code Documentation - Download | |
uses: actions/download-artifact@v3 | |
with: | |
name: backend-code-documentation | |
path: tmp/backend-code-documentation/ | |
- name: Java - git add report | |
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510 | |
with: | |
filePath: tmp/backend-code-documentation/docs/javadoc | |
destinationDir: backend-code-documentation/java | |
reportIsDirectory: true | |
- name: Kotlin - git add report | |
uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510 | |
with: | |
filePath: tmp/backend-code-documentation/dokka/html | |
destinationDir: backend-code-documentation/kotlin | |
reportIsDirectory: true | |
# Push reports | |
- name: Push reports | |
# we use `toJSON(...)` below to escape double quotation marks | |
run: | | |
git diff-index --cached --quiet HEAD || | |
git commit \ | |
-m ${{ toJSON(github.event.head_commit.message) }} \ | |
-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" && | |
git push origin main && | |
echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> $GITHUB_STEP_SUMMARY |