Merge pull request #910 from digitalservicebund/renovate/quay.io-keyc… #6549
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pipeline | |
on: | |
# run on any branch receiving a push (not only on main) | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
# also: allow to run this workflow manually | |
workflow_dispatch: | |
jobs: | |
############################################# | |
# jobs dispatched to a separate workflow file | |
############################################# | |
backend-jobs: | |
permissions: | |
security-events: write # upload-sarif | |
packages: write | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/backend-jobs.yml | |
with: | |
container-registry: ghcr.io | |
container-image-name: ${{ github.repository }} | |
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }} | |
secrets: inherit # e.g. sonar token | |
frontend-jobs: | |
permissions: | |
security-events: write # upload-sarif | |
packages: write | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/frontend-jobs.yml | |
with: | |
# It would be nicer if we used the env vars defined above (as not to duplicate information), | |
# however, env vars cannot be passed over to a reuseable workflow using "with" | |
# cf. https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations | |
# and the workaround is horrible | |
# cf. https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow | |
container-registry: ghcr.io | |
container-image-name: ${{ github.repository }} | |
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }} | |
secrets: inherit # e.g. sonar token | |
ldml-extension-jobs: | |
uses: ./.github/workflows/ldml-extension-jobs.yml | |
secrets: inherit # e.g. sonar token | |
create-docker-image-job: | |
permissions: | |
security-events: write # upload-sarif | |
packages: write | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/create-docker-image-job.yml | |
with: | |
container-registry: ghcr.io | |
container-image-name: ${{ github.repository }} | |
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }} | |
secrets: inherit # e.g. sonar token | |
push-docker-image-job: | |
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} | |
needs: | |
- backend-jobs | |
- frontend-jobs | |
- create-docker-image-job | |
- e2e-tests | |
permissions: | |
security-events: write # upload-sarif | |
packages: write | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/push-docker-image-job.yml | |
with: | |
container-registry: ghcr.io | |
container-image-name: ${{ github.repository }} | |
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }} | |
secrets: inherit # e.g. sonar token | |
# ###################### | |
# # Check time for automatic deployments | |
# # Should only deploy automatically outside the hours when migration job (1:00AM UTC) and publishing job run (2:00AM UTC), | |
# # meaning not between 0:30 AM UTC and 4:00AM UTC | |
# ###################### | |
check-auto-deploy: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
outputs: | |
should-auto-deploy: ${{ steps.check-time.outputs.should-auto-deploy }} | |
steps: | |
- id: check-time | |
run: | | |
current_time=$(TZ=UTC date "+%H:%M") | |
if [[ "$current_time" > "00:30" && "$current_time" < "04:00" ]]; then | |
echo "Should not deploy automatically. Current time is $current_time" | |
echo "should-auto-deploy=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "Should deploy automatically. Current time is $current_time" | |
echo "should-auto-deploy=true" >> "$GITHUB_OUTPUT" | |
fi | |
# ###################### | |
# # Deploy new versions to staging | |
# ###################### | |
deploy-staging-job: | |
if: ${{ github.ref == 'refs/heads/main' && needs.check-auto-deploy.outputs.should-auto-deploy == 'true' }} | |
needs: | |
- check-auto-deploy | |
- frontend-jobs | |
- backend-jobs | |
- push-docker-image-job | |
- e2e-tests | |
permissions: | |
id-token: write | |
uses: ./.github/workflows/deploy-staging-job.yml | |
secrets: inherit | |
# ###################### | |
# # Deploy new versions to uat | |
# ###################### | |
deploy-uat-job: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- deploy-staging-job | |
permissions: | |
id-token: write | |
uses: ./.github/workflows/deploy-uat-job.yml | |
secrets: inherit | |
# ###################### | |
# # Deploy new versions to production | |
# ###################### | |
deploy-production-job: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: | |
- deploy-uat-job | |
permissions: | |
id-token: write | |
uses: ./.github/workflows/deploy-production-job.yml | |
secrets: inherit | |
# ######################## | |
# # system test jobs | |
# ######################## | |
e2e-tests: | |
strategy: | |
fail-fast: false | |
matrix: | |
browser: [chromium, firefox, msedge] | |
uses: ./.github/workflows/end-to-end-tests.yml | |
with: | |
browser: ${{ matrix.browser }} | |
secrets: inherit | |
################ | |
# Security jobs | |
################ | |
trivy-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write # upload-sarif | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b | |
env: | |
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
scan-type: "fs" | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" #ignored by sarif report | |
- name: Check trivy results | |
run: | | |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
echo "Vulnerabilities found" | |
exit 1 | |
else | |
echo "No significant vulnerabilities found" | |
exit 0 | |
fi | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Send status to Slack | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
talisman-check: | |
runs-on: ubuntu-latest | |
# Running on main only https://digitalservicebund.slack.com/archives/C046VD44ZEH/p1706516240974409 | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Detect secrets in incoming commits with Talisman | |
uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb | |
- name: Send status to Slack | |
# only on failure and if on "main" branch | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
################### | |
# Generate reports | |
################### | |
generate-test-reports: | |
if: ${{ !cancelled() && github.ref == 'refs/heads/main' }} | |
needs: | |
- e2e-tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ./frontend/.node-version | |
cache: npm | |
cache-dependency-path: ./frontend/package-lock.json | |
- name: Cache node_modules | |
uses: actions/cache@v4 | |
id: cache-npm-cache | |
with: | |
# The docs discourage caching `node-modules`, cf. https://github.com/actions/cache/blob/main/examples.md#node---npm | |
path: /home/runner/.npm | |
key: npm-cache-${{ hashFiles('./frontend/package-lock.json') }} | |
- name: Install node modules | |
run: npm ci | |
working-directory: ./frontend | |
- name: Download blob reports from artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: ./frontend/all-blob-reports | |
pattern: test-results-blob-* | |
- name: Prepare test reports for merge | |
working-directory: ./frontend/all-blob-reports | |
run: | | |
for DIR in test-results-blob-*; do | |
unzip -o "$DIR/test-report.zip" -d "$DIR" | |
rm "$DIR/test-report.zip" | |
ZIP_FILE="../$(basename "$DIR").zip" | |
(cd "$DIR" && zip -r "$ZIP_FILE" ./*.jsonl) | |
rm -rf "$DIR" | |
done | |
shell: bash | |
- name: Merge into html report | |
run: npx playwright merge-reports --reporter html ./all-blob-reports | |
working-directory: ./frontend | |
- name: Upload html report to artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: html-test-report | |
path: ./frontend/playwright-report | |
push-reports: | |
runs-on: ubuntu-latest | |
env: | |
reports-repo: digitalservicebund/ris-reports | |
needs: | |
- generate-test-reports | |
- backend-jobs | |
if: ${{ github.ref == 'refs/heads/main' }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ env.reports-repo }} | |
ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }} | |
- name: Setup git config | |
run: | | |
git config user.name "${{ github.repository }}" | |
# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560 | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
# Backend code documentation | |
- name: Backend Code Documentation - Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: backend-code-documentation | |
path: tmp/backend-code-documentation/ | |
- name: Java - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/backend-code-documentation | |
destinationDir: norms-code-documentation/java | |
reportIsDirectory: true | |
# e2e test report | |
- name: E2E test reports - Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: html-test-report | |
path: tmp/html-test-report/ | |
- name: E2E test reports - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/html-test-report/ | |
destinationDir: test-reports/ris-norms | |
reportIsDirectory: true | |
# Licence reports | |
- name: Licence reports - Download | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: licence-reports-* | |
path: tmp/licence-reports/ | |
merge-multiple: true | |
- name: Frontend licence report - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/licence-reports/frontend-licence-report.csv | |
destinationDir: licence-reports/frontend/ris-norms | |
- name: Backend licence report - git add report | |
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e | |
with: | |
filePath: tmp/licence-reports/backend-licence-report.csv | |
destinationDir: licence-reports/backend/ris-norms | |
# Push reports | |
- name: Push reports | |
run: | | |
git diff-index --cached --quiet HEAD || | |
git commit \ | |
-m ${{ toJSON(github.event.head_commit.message) }} \ | |
-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" && | |
git push origin main && | |
echo "Pushed reports to ${{ github.server_url }}/${{ env.reports-repo }}" >> $GITHUB_STEP_SUMMARY | |
- name: Send status to Slack | |
uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |