Bump io.micrometer:micrometer-registry-prometheus from 1.11.2 to 1.12.2 in /backend #6231
name: Pipeline | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
schedule: | |
- cron: "0 18 * * *" # Every day at 8pm | |
# Allow to run this workflow manually | |
workflow_dispatch: | |
env: | |
RUN_ID: ${{ github.run_id }} | |
CONTAINER_REGISTRY: ghcr.io | |
CONTAINER_IMAGE_NAME: ${{ github.repository }} | |
CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }} # Use PR head SHA if available | |
GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_".. | |
GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }} | |
SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
REPORTS_REPOSITORY: digitalservicebund/ris-reports | |
jobs: | |
backend-build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@f95e9c74599bc49122b76ecfe1306f0034f87266 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: build --profile -x integrationTest -x test | |
build-root-directory: ./backend | |
- name: Upload build performance report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: performance-report | |
path: backend/build/reports/profile/profile*.html | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
backend-unit-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@f95e9c74599bc49122b76ecfe1306f0034f87266 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION}} | |
arguments: test -x integrationTest | |
build-root-directory: ./backend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
backend-integration-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@f95e9c74599bc49122b76ecfe1306f0034f87266 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: integrationTest -x test | |
build-root-directory: ./backend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
backend-build-image-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get Gradle version | |
working-directory: ./backend | |
run: | | |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV | |
- name: Validate gradle wrapper | |
uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- uses: gradle/gradle-build-action@f95e9c74599bc49122b76ecfe1306f0034f87266 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: bootBuildImage | |
build-root-directory: ./backend | |
- name: Run Trivy vulnerability scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln-backend.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "vuln-backend.json" | |
path: "vuln-backend.json" | |
if-no-files-found: error | |
- name: Save image | |
run: | | |
mkdir /tmp/images | |
docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
frontend-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Cache node_modules | |
uses: actions/cache@v3 | |
id: node-modules-cache | |
with: | |
path: | | |
./frontend/node_modules | |
key: modules-${{ hashFiles('./frontend/package-lock.json') }} | |
- name: Install dependencies | |
if: steps.node-modules-cache.outputs.cache-hit != 'true' | |
run: | | |
npm ci | |
working-directory: ./frontend | |
- name: Run tests | |
run: | | |
npm test | |
working-directory: ./frontend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
frontend-style: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Cache node_modules | |
uses: actions/cache@v3 | |
id: node-modules-cache | |
with: | |
path: | | |
./frontend/node_modules | |
key: modules-${{ hashFiles('./frontend/package-lock.json') }} | |
- name: Install dependencies | |
if: steps.node-modules-cache.outputs.cache-hit != 'true' | |
run: | | |
npm ci | |
working-directory: ./frontend | |
- name: Check style | |
run: npm run style:check | |
working-directory: ./frontend | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
audit-licenses-backend: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
cache: gradle | |
- name: Grant execute permission for gradlew | |
working-directory: ./backend | |
run: chmod +x gradlew | |
- name: Run license scanner | |
working-directory: ./backend | |
run: ./gradlew checkLicense | |
- name: Upload licence report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: licence-reports | |
retention-days: 3 | |
path: backend/build/reports/dependency-license/backend-licence-report.csv | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
audit-licenses-frontend: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Install dependencies | |
run: npm ci | |
working-directory: ./frontend | |
- name: Run license scanner | |
run: npm run audit:licences | |
working-directory: ./frontend | |
- name: Upload licence report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: licence-reports | |
retention-days: 3 | |
path: frontend/frontend-licence-report.csv | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
frontend-build-image-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build frontend image | |
run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend | |
- name: Run Trivy vulnerability image scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
category: trivy-image-scan | |
- name: Run Trivy vulnerability file scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 | |
with: | |
scan-type: "fs" | |
scan-ref: "./frontend" | |
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283 | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy file scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
category: trivy-fs-scan | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln-frontend.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "vuln-frontend.json" | |
path: "vuln-frontend.json" | |
if-no-files-found: error | |
- name: Save image | |
run: | | |
mkdir /tmp/images | |
docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-frontend-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
analyze-backend: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Validate gradle wrapper | |
uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "17.0" | |
distribution: "temurin" | |
- name: Cache SonarQube packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
- name: Scan with SonarQube | |
uses: gradle/gradle-build-action@f95e9c74599bc49122b76ecfe1306f0034f87266 | |
with: | |
gradle-version: ${{ env.GRADLE_VERSION }} | |
arguments: sonar --info | |
build-root-directory: ./backend | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Check SonarQube Quality Gate | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 | |
with: | |
scanMetadataReportFile: backend/build/sonar/report-task.txt | |
timeout-minutes: 3 # Force to fail step after specific time | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
analyze-frontend: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Install SonarScanner | |
uses: digitalservicebund/github-actions/setup-sonarscanner@7c3c5fd3b1467215f9e6c66181a37538607999b1 | |
- name: Scan with SonarQube | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
run: | | |
npm install | |
npm run coverage | |
sonar-scanner | |
working-directory: ./frontend | |
- name: Check SonarQube Quality Gate | |
uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 | |
with: | |
scanMetadataReportFile: frontend/.scannerwork/report-task.txt | |
timeout-minutes: 3 | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
push-backend-image-to-registry: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- backend-build | |
- backend-unit-tests | |
- backend-integration-tests | |
- backend-build-image-and-scan | |
- audit-licenses-backend | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: load image | |
shell: bash | |
run: docker load -i /tmp/images/backend-image.tar | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish backend container image | |
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 | |
with: | |
cosign-release: "v1.13.1" | |
- name: Sign the published Docker image | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Download cosign vulnerability scan record | |
uses: actions/download-artifact@v3 | |
with: | |
name: "vuln-backend.json" | |
- name: Attest vulnerability scan | |
run: cosign attest --yes --replace --predicate vuln-backend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
push-frontend-image-to-registry: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- frontend-tests | |
- frontend-style | |
- frontend-build-image-and-scan | |
- audit-licenses-frontend | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/cache@v3 | |
with: | |
path: /tmp/images | |
key: docker-frontend-images-cache-${{ env.RUN_ID }} | |
restore-keys: docker-images-cache-${{ env.RUN_ID }} | |
- name: load image | |
shell: bash | |
run: docker load -i /tmp/images/frontend-image.tar | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish backend container image | |
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 | |
with: | |
cosign-release: "v1.13.1" | |
- name: Sign the published Docker image | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Download cosign vulnerability scan record | |
uses: actions/download-artifact@v3 | |
with: | |
name: "vuln-frontend.json" | |
- name: Attest vulnerability scan | |
run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
deploy-staging: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
concurrency: deploy-staging | |
environment: staging | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3 | |
- name: Deploy new images | |
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858 | |
with: | |
environment: staging | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-staging | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
- name: Track deploy | |
uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0 | |
with: | |
project: RIS | |
environment: staging | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
prep-playwright-tests: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Get Playwright version | |
working-directory: ./frontend | |
run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV | |
- name: Cache browser binaries | |
id: cache-browser-binaries | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cache/ms-playwright | |
key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }} | |
- name: Install browsers | |
if: steps.cache-browser-binaries.outputs.cache-hit != 'true' | |
run: | | |
npx --yes playwright install --with-deps chromium firefox | |
working-directory: ./frontend | |
e2e-tests: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: [deploy-staging, prep-playwright-tests] | |
strategy: | |
fail-fast: false | |
matrix: | |
subproject: [caselaw, norms, shared] | |
browser: [chromium, firefox] | |
mode: [e2e] | |
include: | |
- mode: a11y | |
browser: a11y | |
uses: ./.github/workflows/_playwright-test.yml | |
with: | |
subproject: ${{ matrix.subproject}} | |
browser: ${{ matrix.browser }} | |
mode: ${{ matrix.mode }} | |
secrets: inherit | |
check-latest-deploy-tag: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- e2e-tests | |
runs-on: ubuntu-latest | |
outputs: | |
should_deploy: ${{ steps.compare-tags.outputs.should_deploy }} | |
environment: production | |
steps: | |
- name: Checkout infra repository | |
uses: actions/checkout@v4 | |
with: | |
repository: digitalservicebund/neuris-infra | |
ssh-key: ${{ secrets.DEPLOY_KEY }} | |
path: infra | |
- name: Checkout main repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
path: main | |
- name: compare image tags | |
id: compare-tags | |
run: | | |
set -x | |
CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }} | |
DEPLOYED_TAG=$(yq '.images[0] | .newTag' infra/manifests/overlays/production/kustomization.yaml) | |
cd main | |
if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then | |
echo "should_deploy=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "should_deploy=true" >> "$GITHUB_OUTPUT" | |
fi | |
deploy-production: | |
runs-on: ubuntu-latest | |
if: | | |
github.ref == 'refs/heads/main' && | |
needs.check-latest-deploy-tag.outputs.should_deploy == 'true' | |
concurrency: deploy-production | |
environment: production | |
needs: | |
- push-frontend-image-to-registry | |
- push-backend-image-to-registry | |
- e2e-tests | |
- check-latest-deploy-tag | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3 | |
- name: Deploy new images | |
uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858 | |
with: | |
environment: production | |
version: ${{ needs.push-backend-image-to-registry.outputs.version }} | |
deploying_repo: ris-backend-service,ris-backend-service/frontend | |
infra_repo: neuris-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-production | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
- name: Track deploy | |
uses: digitalservicebund/github-actions/track-deployment@b51920b9fdeeb0c8721c210853aee955bd7cefc0 | |
with: | |
project: RIS | |
environment: production | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
deployment-time-check: | |
runs-on: ubuntu-latest | |
outputs: | |
between-8-and-20: ${{ steps.check-time.outputs.between-8-and-20 }} | |
steps: | |
- id: check-time | |
run: | | |
current_hour=$(TZ="Europe/Berlin" date +'%H') | |
if [ "$current_hour" -ge 8 ] && [ "$current_hour" -lt 20 ]; then | |
echo "between-8-and-20=true" >> "$GITHUB_OUTPUT" | |
else | |
echo "between-8-and-20=false" >> "$GITHUB_OUTPUT" | |
fi | |
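deploy-uat:
  runs-on: ubuntu-latest
  # Deploys only from main. The business-hours gate on deployment-time-check
  # is intentionally disabled. It is kept as a real YAML comment here instead
  # of inside an `if: |` block scalar: a `#` line indented as block content is
  # part of the expression string, not a comment, and the rendering of this
  # file does not show which indentation was used.
  # Disabled clause: && needs.deployment-time-check.outputs.between-8-and-20 == 'false'
  if: github.ref == 'refs/heads/main'
  concurrency: deploy-uat
  environment: uat
  needs:
    - push-frontend-image-to-registry
    - push-backend-image-to-registry
    - e2e-tests
    - deployment-time-check  # kept so the disabled gate can be re-enabled without reordering
    - deploy-production
  permissions:
    # Enable OIDC for gitsign. Listing only this scope sets every other
    # GITHUB_TOKEN scope for the job to none.
    id-token: write
  steps:
    # Third-party action, pinned to a commit SHA; no tag recorded here — add
    # the matching version tag as a comment for readability.
    - uses: chainguard-dev/actions/setup-gitsign@ac42db4c9c2e2bd9f66aadf3290c5995891d91a3
    - name: Deploy new images
      uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
      with:
        environment: uat
        version: ${{ needs.push-backend-image-to-registry.outputs.version }}
        deploying_repo: ris-backend-service,ris-backend-service/frontend
        infra_repo: neuris-infra
        deploy_key: ${{ secrets.DEPLOY_KEY }}
        app: ris-uat
        argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
        argocd_server: ${{ secrets.ARGOCD_SERVER }}
    - name: Send status to Slack
      # Third-party action, pin to commit SHA!
      # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
      uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
      if: ${{ failure() }}
      with:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}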
generate-entity-relationship-diagram:
  runs-on: ubuntu-latest
  # `false &&` disables this job while keeping the main-only condition in place.
  if: ${{ false && github.ref == 'refs/heads/main' }}
  # Throwaway credentials for the ephemeral Postgres service container below;
  # they are not secrets and never leave the runner.
  # NOTE(review): the same three values are repeated under
  # services.postgres.env — confirm whether the service env could reference
  # the job env instead of duplicating them.
  env:
    POSTGRES_DB: ris-erd
    POSTGRES_PASSWORD: postgres
    POSTGRES_USER: postgres
  services:
    postgres:
      image: postgres:14-alpine
      env:
        POSTGRES_DB: ris-erd
        POSTGRES_PASSWORD: postgres
        POSTGRES_USER: postgres
      # `--name postgres` is what the `docker exec postgres ...` steps below rely on.
      options: >-
        --health-cmd pg_isready
        --health-interval 10s
        --health-timeout 5s
        --health-retries 5
        --name postgres
      ports:
        - 5432:5432
  steps:
    - uses: actions/checkout@v4
    # psql runs inside the service container; the interpolated values are the
    # fixed job-level env constants above, not user-controlled input.
    - name: Install uuid-ossp extension
      run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
    # `-i` keeps stdin open so the checked-out SQL file can be piped into psql.
    - name: Apply incremental migration structure
      run: docker exec -i postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} < ./backend/src/test/resources/db/create_migration_scheme_and_extensions.sql
    # Reads the wrapper version out of gradle-wrapper.properties so the build
    # action below uses the same Gradle the repository pins.
    - name: Get Gradle version
      working-directory: ./backend
      run: |
        echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
    - name: Set up JDK
      uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
      with:
        java-version: "17.0"
        distribution: "temurin"
        cache: gradle
    - uses: gradle/gradle-build-action@f95e9c74599bc49122b76ecfe1306f0034f87266
      with:
        gradle-version: ${{ env.GRADLE_VERSION }}
        arguments: migrateDatabaseForERD
        build-root-directory: ./backend
      # Connection settings for the migration task; the service is published
      # on localhost:5432 via the `ports` mapping above.
      env:
        DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }}
        DB_USER: ${{ env.POSTGRES_USER }}
        DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
    - name: Generate mermaid ER-diagram
      uses: digitalservicebund/github-actions/entity-relationship-diagram@b0e67dbb3637296eeb2ae0c9110cd42d4d8de6fb
      with:
        configFile: ./backend/mermerd.config.yaml
        connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }}
        outputFile: latest.mmd
        flags: --debug
        version: 0.9.0
    # The artifact name `erdiagram` is what a consuming download step would
    # reference; retention is short because the diagram is regenerated each run.
    - name: Upload mermaid ER-diagram
      uses: actions/upload-artifact@v3
      with:
        name: erdiagram
        retention-days: 3
        path: latest.mmd
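generate-backend-code-documentation:
  # Builds Javadoc and Dokka HTML for the backend and uploads both as one
  # artifact (`backend-code-documentation`) for the push-reports job.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Set up JDK
      # Pinned to the same commit SHA (v4.0.0) the ER-diagram job uses, following
      # the file's "pin to commit SHA" rule instead of the floating `v4` tag.
      uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
      with:
        java-version: "17.0"
        distribution: "temurin"
        cache: gradle
    - name: Grant execute permission for gradlew
      working-directory: ./backend
      run: chmod +x gradlew
    - name: Run Javadoc
      working-directory: ./backend
      run: ./gradlew javadoc
    - name: Run Dokka
      working-directory: ./backend
      run: ./gradlew dokkaHtml
    - name: Upload documentation
      uses: actions/upload-artifact@v3
      with:
        name: backend-code-documentation
        retention-days: 3
        # Both directories land in the artifact under their build/ paths.
        path: |
          backend/build/dokka/html/
          backend/build/docs/javadoc/
    - name: Send status to Slack
      # Third-party action, pin to commit SHA!
      # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
      uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
      # Only failures on main are reported to Slack.
      if: ${{ failure() && github.ref == 'refs/heads/main' }}
      with:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}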
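push-reports:
  # Collects the report artifacts produced by the jobs in `needs`, commits them
  # into the reports repository and pushes to its main branch.
  runs-on: ubuntu-latest
  needs:
    # - generate-entity-relationship-diagram
    - backend-build
    - audit-licenses-backend
    - audit-licenses-frontend
    - e2e-tests
    - generate-backend-code-documentation
  if: ${{ github.ref == 'refs/heads/main' }}
  # The reports repository is cloned and pushed over the deploy key, so the
  # job's own GITHUB_TOKEN only needs read access; every other scope is none.
  permissions:
    contents: read
  steps:
    # Setup
    - uses: actions/checkout@v4
      with:
        repository: ${{ env.REPORTS_REPOSITORY }}
        ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }}
    - name: Setup git config
      # github.repository is the owner/name of this repository, not user input.
      run: |
        git config user.name "${{ github.repository }}"
        # This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560
        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
    # ER-diagram
    # - name: ER-diagram - Download artifact
    #   uses: actions/download-artifact@v3
    #   with:
    #     name: erdiagram
    #     path: tmp/erdiagram-reports/
    # - name: ER-diagram - git add report
    #   uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
    #   with:
    #     filePath: tmp/erdiagram-reports/latest.mmd
    #     destinationDir: entity-relationship-diagrams/ris-backend-service
    # Licence reports
    - name: Licence reports - Download
      uses: actions/download-artifact@v3
      with:
        name: licence-reports
        path: tmp/licence-reports/
    - name: Frontend licence report - git add report
      uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
      with:
        filePath: tmp/licence-reports/frontend-licence-report.csv
        destinationDir: licence-reports/frontend/ris-backend-service
    - name: Backend licence report - git add report
      uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
      with:
        filePath: tmp/licence-reports/backend-licence-report.csv
        destinationDir: licence-reports/backend/ris-backend-service
    # Performance report
    - name: Performance reports - Download
      uses: actions/download-artifact@v3
      with:
        name: performance-report
        path: tmp/performance-reports/
    # NOTE(review): assumes exactly one profile*.html was uploaded; with several
    # matches `mv` fails because the target is not a directory.
    - run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html
    - name: Performance report - git add report
      uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
      with:
        filePath: tmp/performance-reports/profile-report.html
        destinationDir: performance-reports/ris-backend-service
    # Backend code documentation
    - name: Backend Code Documentation - Download
      uses: actions/download-artifact@v3
      with:
        name: backend-code-documentation
        path: tmp/backend-code-documentation/
    - name: Java - git add report
      uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
      with:
        filePath: tmp/backend-code-documentation/docs/javadoc
        destinationDir: backend-code-documentation/java
        reportIsDirectory: true
    - name: Kotlin - git add report
      uses: digitalservicebund/ris-reports/actions/git-add-report@da8cfce630414b940051870f02413c700320d510
      with:
        filePath: tmp/backend-code-documentation/dokka/html
        destinationDir: backend-code-documentation/kotlin
        reportIsDirectory: true
    # Push reports
    - name: Push reports
      # The head-commit message is untrusted input (see
      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).
      # It is therefore passed to the script through an environment variable and
      # expanded inside double quotes, so the shell never parses its contents.
      # Interpolating `toJSON(...)` into the script only escaped quotation marks
      # and turned real newlines into a literal backslash-n in the commit title.
      # On events without a head commit (e.g. scheduled runs) the variable is
      # empty, hence the fallback title.
      env:
        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
      run: |
        git diff-index --cached --quiet HEAD ||
        git commit \
          -m "${COMMIT_MESSAGE:-Update reports}" \
          -m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" &&
        git push origin main &&
        echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> "$GITHUB_STEP_SUMMARY"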