Refactor watchers for improved reactivity #5975

Workflow file for this run

.github/workflows/pipeline.yml at 5ad55c8

	name: Pipeline

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: "0 18 * * *" # Every day at 8pm
	# Allow to run this workflow manually
	workflow_dispatch:

	env:
	RUN_ID: ${{ github.run_id }}
	CONTAINER_REGISTRY: ghcr.io
	CONTAINER_IMAGE_NAME: ${{ github.repository }}
	CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha \|\| github.sha }} # Use PR head SHA if available
	GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_"..
	GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }}
	SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
	SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
	REPORTS_REPOSITORY: digitalservicebund/ris-reports

	jobs:
	backend-build:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	- uses: gradle/gradle-build-action@0280eb7de5ad3fb0deb50017b8ce842980b4789a
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	arguments: build --profile -x integrationTest -x test
	build-root-directory: ./backend
	- name: Upload build performance report
	uses: actions/upload-artifact@v3
	with:
	name: performance-report
	path: backend/build/reports/profile/profile*.html
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	backend-unit-tests:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	- uses: gradle/gradle-build-action@0280eb7de5ad3fb0deb50017b8ce842980b4789a
	with:
	gradle-version: ${{ env.GRADLE_VERSION}}
	arguments: test -x integrationTest
	build-root-directory: ./backend
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	backend-integration-tests:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	- uses: gradle/gradle-build-action@0280eb7de5ad3fb0deb50017b8ce842980b4789a
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	arguments: integrationTest -x test
	build-root-directory: ./backend
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	backend-build-image-and-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Validate gradle wrapper
	uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	- uses: gradle/gradle-build-action@0280eb7de5ad3fb0deb50017b8ce842980b4789a
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	arguments: bootBuildImage
	build-root-directory: ./backend
	- name: Run Trivy vulnerability scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	- name: Generate cosign vulnerability scan record
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "cosign-vuln"
	output: "vuln-backend.json"
	- name: Upload cosign vulnerability scan record
	uses: actions/upload-artifact@v3
	with:
	name: "vuln-backend.json"
	path: "vuln-backend.json"
	if-no-files-found: error
	- name: Save image
	run: \|
	mkdir /tmp/images
	docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	- uses: actions/cache@v3
	with:
	path: /tmp/images
	key: docker-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-images-cache-${{ env.RUN_ID }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	frontend-tests:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/.node-version
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Cache node_modules
	uses: actions/cache@v3
	id: node-modules-cache
	with:
	path: \|
	./frontend/node_modules
	key: modules-${{ hashFiles('./frontend/package-lock.json') }}
	- name: Install dependencies
	if: steps.node-modules-cache.outputs.cache-hit != 'true'
	run: \|
	npm ci
	working-directory: ./frontend
	- name: Run tests
	run: \|
	npm test
	working-directory: ./frontend
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	frontend-style:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/.node-version
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Cache node_modules
	uses: actions/cache@v3
	id: node-modules-cache
	with:
	path: \|
	./frontend/node_modules
	key: modules-${{ hashFiles('./frontend/package-lock.json') }}
	- name: Install dependencies
	if: steps.node-modules-cache.outputs.cache-hit != 'true'
	run: \|
	npm ci
	working-directory: ./frontend
	- name: Check style
	run: npm run style:check
	working-directory: ./frontend
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	audit-licenses-backend:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	cache: gradle
	- name: Grant execute permission for gradlew
	working-directory: ./backend
	run: chmod +x gradlew
	- name: Run license scanner
	working-directory: ./backend
	run: ./gradlew checkLicense
	- name: Upload licence report
	uses: actions/upload-artifact@v3
	with:
	name: licence-reports
	retention-days: 3
	path: backend/build/reports/dependency-license/backend-licence-report.csv
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	audit-licenses-frontend:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/.node-version
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Install dependencies
	run: npm ci
	working-directory: ./frontend
	- name: Run license scanner
	run: npm run audit:licences
	working-directory: ./frontend
	- name: Upload licence report
	uses: actions/upload-artifact@v3
	with:
	name: licence-reports
	retention-days: 3
	path: frontend/frontend-licence-report.csv
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	frontend-build-image-and-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Build frontend image
	run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend
	- name: Run Trivy vulnerability image scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy image scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	category: trivy-image-scan
	- name: Run Trivy vulnerability file scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
	with:
	scan-type: "fs"
	scan-ref: "./frontend"
	skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy file scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	category: trivy-fs-scan
	- name: Generate cosign vulnerability scan record
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "cosign-vuln"
	output: "vuln-frontend.json"
	- name: Upload cosign vulnerability scan record
	uses: actions/upload-artifact@v3
	with:
	name: "vuln-frontend.json"
	path: "vuln-frontend.json"
	if-no-files-found: error
	- name: Save image
	run: \|
	mkdir /tmp/images
	docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- uses: actions/cache@v3
	with:
	path: /tmp/images
	key: docker-frontend-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	analyze-backend:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' }}
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
	- name: Validate gradle wrapper
	uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	- name: Cache SonarQube packages
	uses: actions/cache@v3
	with:
	path: ~/.sonar/cache
	key: ${{ runner.os }}-sonar
	- name: Scan with SonarQube
	uses: gradle/gradle-build-action@0280eb7de5ad3fb0deb50017b8ce842980b4789a
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	arguments: sonar --info
	build-root-directory: ./backend
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	- name: Check SonarQube Quality Gate
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496
	with:
	scanMetadataReportFile: backend/build/sonar/report-task.txt
	timeout-minutes: 3 # Force to fail step after specific time
	env:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	analyze-frontend:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' }}
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
	- name: Install SonarScanner
	uses: digitalservicebund/github-actions/setup-sonarscanner@7c3c5fd3b1467215f9e6c66181a37538607999b1
	- name: Scan with SonarQube
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	run: \|
	npm install
	npm run coverage
	sonar-scanner
	working-directory: ./frontend
	- name: Check SonarQube Quality Gate
	uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496
	with:
	scanMetadataReportFile: frontend/.scannerwork/report-task.txt
	timeout-minutes: 3
	env:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	push-backend-image-to-registry:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' \|\| contains(github.event.pull_request.labels..name, 'dev-env') \|\| contains(github.event.labeled.labels..name, 'dev-env') }}
	needs:
	- backend-build
	- backend-unit-tests
	- backend-integration-tests
	- backend-build-image-and-scan
	- audit-licenses-backend
	permissions:
	contents: read
	id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
	packages: write
	outputs:
	version: ${{ steps.set-version.outputs.version }}
	steps:
	- uses: actions/cache@v3
	with:
	path: /tmp/images
	key: docker-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-images-cache-${{ env.RUN_ID }}
	- name: load image
	shell: bash
	run: docker load -i /tmp/images/backend-image.tar
	- name: Log into container registry
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Publish backend container image
	run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Install cosign
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
	with:
	cosign-release: "v1.13.1"
	- name: Sign the published Docker image
	env:
	COSIGN_EXPERIMENTAL: "true"
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Download cosign vulnerability scan record
	uses: actions/download-artifact@v3
	with:
	name: "vuln-backend.json"
	- name: Attest vulnerability scan
	run: cosign attest --yes --replace --predicate vuln-backend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	env:
	COSIGN_EXPERIMENTAL: "true"
	- id: set-version
	run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	push-frontend-image-to-registry:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' \|\| contains(github.event.pull_request.labels..name, 'dev-env') \|\| contains(github.event.labeled.labels..name, 'dev-env') }}
	needs:
	- frontend-tests
	- frontend-style
	- frontend-build-image-and-scan
	- audit-licenses-frontend
	permissions:
	contents: read
	id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
	packages: write
	outputs:
	version: ${{ steps.set-version.outputs.version }}
	steps:
	- uses: actions/cache@v3
	with:
	path: /tmp/images
	key: docker-frontend-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-images-cache-${{ env.RUN_ID }}
	- name: load image
	shell: bash
	run: docker load -i /tmp/images/frontend-image.tar
	- name: Log into container registry
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Publish backend container image
	run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Install cosign
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
	with:
	cosign-release: "v1.13.1"
	- name: Sign the published Docker image
	env:
	COSIGN_EXPERIMENTAL: "true"
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Download cosign vulnerability scan record
	uses: actions/download-artifact@v3
	with:
	name: "vuln-frontend.json"
	- name: Attest vulnerability scan
	run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	env:
	COSIGN_EXPERIMENTAL: "true"
	- id: set-version
	run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	deploy-staging:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' }}
	concurrency: deploy-staging
	environment: staging
	needs:
	- push-frontend-image-to-registry
	- push-backend-image-to-registry
	permissions:
	id-token: write # Enable OIDC for gitsign
	steps:
	- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
	- name: Deploy new images
	uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
	with:
	environment: staging
	version: ${{ needs.push-backend-image-to-registry.outputs.version }}
	deploying_repo: ris-backend-service,ris-backend-service/frontend
	infra_repo: neuris-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: ris-staging
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	- name: Track deploy
	uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0
	with:
	project: RIS
	environment: staging
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	prep-playwright-tests:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' }}
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/.node-version
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Get Playwright version
	working-directory: ./frontend
	run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV
	- name: Cache browser binaries
	id: cache-browser-binaries
	uses: actions/cache@v3
	with:
	path: ~/.cache/ms-playwright
	key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }}
	- name: Install browsers
	if: steps.cache-browser-binaries.outputs.cache-hit != 'true'
	run: \|
	npx --yes playwright install --with-deps chromium firefox
	working-directory: ./frontend

	e2e-tests:
	if: ${{ github.ref == 'refs/heads/main' }}
	needs: [deploy-staging, prep-playwright-tests]
	strategy:
	fail-fast: false
	matrix:
	subproject: [caselaw, norms, shared]
	browser: [chromium, firefox]
	mode: [e2e]
	include:
	- mode: a11y
	browser: a11y
	uses: ./.github/workflows/_playwright-test.yml
	with:
	subproject: ${{ matrix.subproject}}
	browser: ${{ matrix.browser }}
	mode: ${{ matrix.mode }}
	secrets: inherit

	check-latest-deploy-tag:
	if: ${{ github.ref == 'refs/heads/main' }}
	needs:
	- e2e-tests
	runs-on: ubuntu-latest
	outputs:
	should_deploy: ${{ steps.compare-tags.outputs.should_deploy }}
	environment: production
	steps:
	- name: Checkout infra repository
	uses: actions/checkout@v4
	with:
	repository: digitalservicebund/neuris-infra
	ssh-key: ${{ secrets.DEPLOY_KEY }}
	path: infra
	- name: Checkout main repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	path: main
	- name: compare image tags
	id: compare-tags
	run: \|
	set -x
	CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }}
	DEPLOYED_TAG=$(yq '.images[0] \| .newTag' infra/manifests/overlays/production/kustomization.yaml)
	cd main
	if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then
	echo "should_deploy=false" >> "$GITHUB_OUTPUT"
	else
	echo "should_deploy=true" >> "$GITHUB_OUTPUT"
	fi

	deploy-production:
	runs-on: ubuntu-latest
	if: \|
	github.ref == 'refs/heads/main' &&
	needs.check-latest-deploy-tag.outputs.should_deploy == 'true'
	concurrency: deploy-production
	environment: production
	needs:
	- push-frontend-image-to-registry
	- push-backend-image-to-registry
	- e2e-tests
	- check-latest-deploy-tag
	permissions:
	id-token: write # Enable OIDC for gitsign
	steps:
	- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
	- name: Deploy new images
	uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
	with:
	environment: production
	version: ${{ needs.push-backend-image-to-registry.outputs.version }}
	deploying_repo: ris-backend-service,ris-backend-service/frontend
	infra_repo: neuris-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: ris-production
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	- name: Track deploy
	uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0
	with:
	project: RIS
	environment: production
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	deployment-time-check:
	runs-on: ubuntu-latest
	outputs:
	between-8-and-20: ${{ steps.check-time.outputs.between-8-and-20 }}
	steps:
	- id: check-time
	run: \|
	current_hour=$(TZ="Europe/Berlin" date +'%H')
	if [ "$current_hour" -ge 8 ] && [ "$current_hour" -lt 20 ]; then
	echo "between-8-and-20=true" >> "$GITHUB_OUTPUT"
	else
	echo "between-8-and-20=false" >> "$GITHUB_OUTPUT"
	fi

	deploy-uat:
	runs-on: ubuntu-latest
	if: \|
	github.ref == 'refs/heads/main'
	# &&
	# needs.deployment-time-check.outputs.between-8-and-20 == 'false'
	concurrency: deploy-uat
	environment: uat
	needs:
	- push-frontend-image-to-registry
	- push-backend-image-to-registry
	- e2e-tests
	- deployment-time-check
	- deploy-production
	permissions:
	id-token: write # Enable OIDC for gitsign
	steps:
	- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
	- name: Deploy new images
	uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
	with:
	environment: uat
	version: ${{ needs.push-backend-image-to-registry.outputs.version }}
	deploying_repo: ris-backend-service,ris-backend-service/frontend
	infra_repo: neuris-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: ris-uat
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	generate-entity-relationship-diagram:
	runs-on: ubuntu-latest
	if: ${{ false && github.ref == 'refs/heads/main' }}
	env:
	POSTGRES_DB: ris-erd
	POSTGRES_PASSWORD: postgres
	POSTGRES_USER: postgres
	services:
	postgres:
	image: postgres:14-alpine
	env:
	POSTGRES_DB: ris-erd
	POSTGRES_PASSWORD: postgres
	POSTGRES_USER: postgres
	options: >-
	--health-cmd pg_isready
	--health-interval 10s
	--health-timeout 5s
	--health-retries 5
	--name postgres
	ports:
	- 5432:5432
	steps:
	- uses: actions/checkout@v4
	- name: Install uuid-ossp extension
	run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
	- name: Apply incremental migration structure
	run: docker exec -i postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} < ./backend/src/test/resources/db/create_migration_scheme_and_extensions.sql
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
	with:
	java-version: "17.0"
	distribution: "temurin"
	cache: gradle
	- uses: gradle/gradle-build-action@0280eb7de5ad3fb0deb50017b8ce842980b4789a
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	arguments: migrateDatabaseForERD
	build-root-directory: ./backend
	env:
	DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }}
	DB_USER: ${{ env.POSTGRES_USER }}
	DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
	- name: Generate mermaid ER-diagram
	uses: digitalservicebund/github-actions/entity-relationship-diagram@b0e67dbb3637296eeb2ae0c9110cd42d4d8de6fb
	with:
	configFile: ./backend/mermerd.config.yaml
	connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }}
	outputFile: latest.mmd
	flags: --debug
	version: 0.9.0
	- name: Upload mermaid ER-diagram
	uses: actions/upload-artifact@v3
	with:
	name: erdiagram
	retention-days: 3
	path: latest.mmd

	generate-backend-code-documentation:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	java-version: "17.0"
	distribution: "temurin"
	cache: gradle
	- name: Grant execute permission for gradlew
	working-directory: ./backend
	run: chmod +x gradlew
	- name: Run Javadoc
	working-directory: ./backend
	run: ./gradlew javadoc
	- name: Run Dokka
	working-directory: ./backend
	run: ./gradlew dokkaHtml
	- name: Upload documentation
	uses: actions/upload-artifact@v3
	with:
	name: backend-code-documentation
	retention-days: 3
	path: \|
	backend/build/dokka/html/
	backend/build/docs/javadoc/
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@0b21f14f28717b3b756282824976cdd1354b1235 # v1.3.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	push-reports:
	runs-on: ubuntu-latest
	needs:
	# - generate-entity-relationship-diagram
	- backend-build
	- audit-licenses-backend
	- audit-licenses-frontend
	- e2e-tests
	- generate-backend-code-documentation
	if: ${{ github.ref == 'refs/heads/main' }}
	steps:
	# Setup
	- uses: actions/checkout@v4
	with:
	repository: ${{ env.REPORTS_REPOSITORY }}
	ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }}
	- name: Setup git config
	run: \|
	git config user.name "${{ github.repository }}"
	# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560
	git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
	# ER-diagram
	# - name: ER-diagram - Download artifact
	# uses: actions/download-artifact@v3
	# with:
	# name: erdiagram
	# path: tmp/erdiagram-reports/
	# - name: ER-diagram - git add report
	# uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
	# with:
	# filePath: tmp/erdiagram-reports/latest.mmd
	# destinationDir: entity-relationship-diagrams/ris-backend-service
	# Licence reports
	- name: Licence reports - Download
	uses: actions/download-artifact@v3
	with:
	name: licence-reports
	path: tmp/licence-reports/
	- name: Frontend licence report - git add report
	uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
	with:
	filePath: tmp/licence-reports/frontend-licence-report.csv
	destinationDir: licence-reports/frontend/ris-backend-service
	- name: Backend licence report - git add report
	uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
	with:
	filePath: tmp/licence-reports/backend-licence-report.csv
	destinationDir: licence-reports/backend/ris-backend-service
	# Performance report
	- name: Performance reports - Download
	uses: actions/download-artifact@v3
	with:
	name: performance-report
	path: tmp/performance-reports/
	- run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html
	- name: Performance report - git add report
	uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
	with:
	filePath: tmp/performance-reports/profile-report.html
	destinationDir: performance-reports/ris-backend-service
	# Backend code documentation
	- name: Backend Code Documentation - Download
	uses: actions/download-artifact@v3
	with:
	name: backend-code-documentation
	path: tmp/backend-code-documentation/
	- name: Java - git add report
	uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
	with:
	filePath: tmp/backend-code-documentation/docs/javadoc
	destinationDir: backend-code-documentation/java
	reportIsDirectory: true
	- name: Kotlin - git add report
	uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
	with:
	filePath: tmp/backend-code-documentation/dokka/html
	destinationDir: backend-code-documentation/kotlin
	reportIsDirectory: true
	# Push reports
	- name: Push reports
	# we use `toJSON(...)` below to escape double quotation marks
	run: \|
	git diff-index --cached --quiet HEAD \|\|
	git commit \
	-m ${{ toJSON(github.event.head_commit.message) }} \
	-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" &&
	git push origin main &&
	echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> $GITHUB_STEP_SUMMARY

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Refactor watchers for improved reactivity #5975

Workflow file

Refactor watchers for improved reactivity #5975

Jobs

Run details

Workflow file for this run