PEK-849 Prepare for 'Fail on unknown JSON properties' (#80) #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and deploy to Prod | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '.gitignore' | |
| - 'CODEOWNERS' | |
| - 'LICENSE' | |
| - 'README.md' | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| id-token: write | |
| packages: write | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: java | |
| - name: Setup java | |
| uses: actions/setup-java@v4 | |
| with: | |
| cache: maven | |
| java-version: 21 | |
| distribution: temurin | |
| - name: Build with Maven | |
| run: mvn -B package --file pom.xml | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:java" | |
| - name: Create Docker image | |
| id: image-creation | |
| uses: nais/docker-build-push@v0 | |
| with: | |
| dockerfile: .docker/Dockerfile | |
| team: pensjonskalkulator | |
| identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} | |
| project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} | |
| outputs: | |
| image: ${{ steps.image-creation.outputs.image }} | |
| deploy-prod: | |
| name: Deploy to prod-gcp | |
| needs: [ build ] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Deploy to prod-gcp | |
| uses: nais/deploy/actions/deploy@v2 | |
| env: | |
| CLUSTER: prod-gcp | |
| IMAGE: ${{ needs.build.outputs.image }} | |
| RESOURCE: .nais/deploy-prod.yml | |
| deploy-krakend-config-prod: | |
| name: Deploy KrakenD config to prod | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy KrakenD config | |
| uses: nais/deploy/actions/deploy@v2 | |
| env: | |
| CLUSTER: prod-gcp | |
| RESOURCE: .nais/api/krakend-prod.yaml | |
| - name: Deploy API endpoints config | |
| uses: nais/deploy/actions/deploy@v2 | |
| env: | |
| CLUSTER: prod-gcp | |
| RESOURCE: .nais/api/apiendpoints.yaml | |
| trivy-imagescan: | |
| name: Scan Docker image | |
| needs: [ build ] | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| id-token: write | |
| security-events: write | |
| steps: | |
| - uses: nais/login@v0 | |
| with: | |
| project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} | |
| identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} | |
| team: pensjonskalkulator | |
| - name: Run Trivy vulnerability scanner on Docker image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ needs.build.outputs.image }} | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'MEDIUM,HIGH,CRITICAL' | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' |