This repository has been archived by the owner on Nov 27, 2023. It is now read-only.
Bump semver from 5.7.1 to 5.7.2 #4277
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| # Allow to run this workflow manually | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| check-format: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "16.15.1" | |
| cache: "npm" | |
| - name: Cache npm dependencies | |
| id: cache-npm-deps | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Install dependecies | |
| if: steps.cache-npm-deps.outputs.cache-hit != 'true' | |
| run: npm install | |
| - name: Check format | |
| run: npm run format:check | |
| - name: Lint | |
| run: npm run lint:check | |
| unit-test: | |
| needs: check-format | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "16.15.1" | |
| cache: "npm" | |
| - name: Cache npm dependencies | |
| id: cache-npm-deps | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Install dependecies | |
| if: steps.cache-npm-deps.outputs.cache-hit != 'true' | |
| run: npm install | |
| - name: Run unit tests | |
| run: npm test -- --json ----outputFile=webapp-unit-test-report.log | |
| - name: Archive unit test logs | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: webapp-unit-test-report.log | |
| path: webapp-unit-test-report.log | |
| integration-test: | |
| needs: check-format | |
| permissions: | |
| packages: read | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "16.15.1" | |
| cache: "npm" | |
| - name: Cache npm dependencies | |
| id: cache-npm-deps | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Install dependecies | |
| if: steps.cache-npm-deps.outputs.cache-hit != 'true' | |
| run: npm install | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up postgres, erica, redis, unleash | |
| run: docker-compose -f ./test/docker-compose-test.yml -p grundsteuer-test up -d | |
| - name: Wait for test db to rise and shine | |
| run: sleep 2 | |
| shell: bash | |
| - name: Migrate test db | |
| env: | |
| DATABASE_URL: postgresql://prisma:prisma@localhost:5433/tests | |
| run: npx prisma migrate deploy && npx prisma db seed | |
| - name: Create Unleash toggles | |
| working-directory: ./unleash | |
| run: ./create-flags.sh http://localhost:4243 '*:*.unleash-insecure-admin-token' | |
| shell: bash | |
| - name: Run integration tests | |
| env: | |
| DATABASE_URL: postgresql://prisma:prisma@localhost:5433/tests | |
| REDIS_URL: redis://localhost:6380/0 | |
| UNLEASH_HOST: http://localhost:4243 | |
| UNLEASH_API_TOKEN: default:development.unleash-insecure-api-token | |
| UNLEASH_ADMIN_TOKEN: "*:*.unleash-insecure-admin-token" | |
| run: npm run test:integration -- --json ----outputFile=webapp-integration-test-report.log | |
| - name: Archive integration test logs | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: webapp-integration-test-report.log | |
| path: webapp-integration-test-report.log | |
| short-e2e-test: | |
| needs: check-format | |
| permissions: | |
| packages: read | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "16.15.1" | |
| cache: "npm" | |
| - name: Cache npm dependencies | |
| id: cache-npm-deps | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Install dependecies | |
| if: steps.cache-npm-deps.outputs.cache-hit != 'true' | |
| run: npm install | |
| - name: Check build | |
| env: | |
| APP_VERSION: test | |
| run: npm run build | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up postgres, erica, redis, unleash | |
| run: docker-compose -f ./test/docker-compose-test.yml -p grundsteuer-test up -d | |
| - name: Wait for test db to rise and shine | |
| run: sleep 2 | |
| shell: bash | |
| - name: Migrate test db | |
| env: | |
| DATABASE_URL: postgresql://prisma:prisma@localhost:5433/tests | |
| run: npx prisma migrate deploy && npx prisma db seed | |
| - name: Create Unleash toggles | |
| working-directory: ./unleash | |
| run: ./create-flags.sh http://localhost:4243 '*:*.unleash-insecure-admin-token' | |
| shell: bash | |
| - name: Run short E2E tests | |
| env: | |
| APP_ENV: gha | |
| APP_VERSION: test | |
| BASE_URL: http://localhost:3000 | |
| DATABASE_URL: postgresql://prisma:prisma@localhost:5433/tests | |
| SESSION_COOKIE_SECRET: thisaintnosecret | |
| FORM_COOKIE_SECRET: thisalsoaintnosecret | |
| FORM_COOKIE_ENC_SECRET: 26d011bcbb9db8c4673b7fcd90c9ec6d | |
| ERICA_URL: http://localhost:8001 | |
| AUDIT_PUBLIC_KEY: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvMxhy5PDdUO8EgAXZFK+\nH8X0iswlg685+iXeCEekl+aohrzJEUrUw6GJwmIdqwkK8YDjcZdr7WzcuAazDK5F\nOjenA7IdR7go8fj1fHugaEoX/Mb+qDAsmP1tNCW3my4GJa7g2vl67qLE8QtvX6hz\nn8FaXx8NKlkDQZ85s3yhykpSGC2zBajXukb4GY5dWYURXInbvaH/immNzAlzfAi0\nJylm+qwsHdH281alq7rXc4v3KVoXF4Sj4oAyeDIvHyJwrpNDwrjb/Chu8fKifr3J\nAWPVD2YiwI6WENhCUorZiDiCNjqZtYizXeIrrehQ5YGvujnVKRbPZx9IPrrTE2Lg\nSqKfAMQsxD2pyxW8xN1zu3SthWJX4KwyU+8v4V1Es3ET7QvXyZ9TaoHvLFJuj01G\n9jpupn1hLeCP7cROQ5etjscH2nrRpdIe9ZS4u6Oz1YWYeNDSl+19zLpBdzp3UuZo\nlfrQjXZMHsVaN9u8AnY7+U9Gx44sjwEFmKhiLCI6LzUrzkHVGmg847O9NvLkeYgX\nmOcNJ5U9+8LjUYGjUWttKpLGC+a7CXVmXe7WqKdG3En8yj6gFGLENGYg/Ri/5rOJ\neh1EeTSyLQCzCaSRigeeZ/nlc5xSn6/GgPoIchWHK0bNcHds7afmF4NkRmq+DhS/\nsc6ZU6KrMdtASGVZKvdft/MCAwEAAQ==\n-----END PUBLIC KEY-----\n" | |
| AUDIT_PUBLIC_KEY_V2: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn8CcfcJIg7ZvRr1ZzHNv\nBpTH/vFngK50Xr9/fFMY+Jd8EDYc7OSln9WDMDm4dX557/SxTU102P8KfbzRgNLG\nOP4fPgVSxAAlUIu7GRnilaLMAh1mqsMkdhaUwefdxUUBbMPJtvIyJVjiVaDUXemF\n1cp/YhI33FeY1kR4IdcIeS7oY/vIMWcYF/0EgbOmD01hjK5DGjry/8lcb/nDaoL2\nQtZ6U/2TlhOQ4f307GPrmmGg5KHlvw8ITEraMyB4Imz3vC1RMuITLp5gPzOn6LT2\nkoSBl4NpWqsLTeAHZGENeD5zdgbD1furY75Kksgm8ACPFQq01lTdwtQZIM57eRip\notSUtmq2ZRtDMYhjJ3gHtKVZ/lPmb1FLv1jYPHS7v6PSjfy2jZ1oscbvRq1Z3HCD\nx6AJJHeiQSTIWc+LmmSb1V+Z8X+EuNenr2p7gHiS99vN1WfnTukzXMPs0G4nfJhY\njje6uAfdkp09AJ/D5bS/K2JZ4Fe7n4BnPGxfPJFy1shiroMPkhz2AEhXJM+9iIFB\n77fHJqYILA21D+hiRnMjdYqgSLVNEOcLT0msvjCys4V4SM5YHy81vm/J3kBFi207\nsj93kBjD6MhZJbgG5DkC+oBvae3uKR+/SD8uD+L9zyv3BeC3DFYQxC7Wx6uuB0zK\nf+KIHGFNz42vD717Gk2Ez7sCAwEAAQ==\n-----END PUBLIC KEY-----\n" | |
| MAGIC_LINK_SECRET: thisaintnosecret | |
| TEST_FEATURES_ENABLED: true | |
| HASHED_LOGGING_SALT: "$2a$10$7hclYwYcZY5qCfmedLQx/u" | |
| HASHED_IP_LIMIT_SALT: "$2a$10$7hclYwYcZY5qCfmidLQx/u" | |
| SKIP_RATELIMIT: true | |
| EKONA_ISSUER: "${{ secrets.EKONA_ISSUER }}" | |
| EKONA_ISSUER_URL: "${{ secrets.EKONA_ISSUER_URL }}" | |
| EKONA_IDP_CERT: "${{ secrets.EKONA_IDP_CERT }}" | |
| EKONA_ENTRY_POINT: "${{ secrets.EKONA_ENTRY_POINT }}" | |
| EKONA_ENC_KEY: "${{ secrets.EKONA_ENC_KEY }}" | |
| EKONA_SIGNING_KEY: "${{ secrets.EKONA_SIGNING_KEY }}" | |
| REDIS_URL: redis://localhost:6380/0 | |
| UNLEASH_HOST: http://localhost:4243 | |
| UNLEASH_API_TOKEN: default:development.unleash-insecure-api-token | |
| UNLEASH_ADMIN_TOKEN: "*:*.unleash-insecure-admin-token" | |
| UNLEASH_REFRESH_INTERVAL: 500 | |
| USEID_DOMAIN: "https://useid.dev.ds4g.net" | |
| USEID_API_KEY: "${{ secrets.USEID_API_KEY }}" | |
| USE_USEID: true | |
| NO_COLOR: 1 | |
| run: | | |
| npm run test:e2e:short | tee webapp-short-e2e-test-report.log | |
| result_code=${PIPESTATUS[0]} | |
| exit $result_code | |
| - name: Archive short e2e test logs | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: webapp-short-e2e-test-report.log | |
| path: webapp-short-e2e-test-report.log | |
| long-e2e-test: | |
| needs: check-format | |
| permissions: | |
| packages: read | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "16.15.1" | |
| cache: "npm" | |
| - name: Cache npm dependencies | |
| id: cache-npm-deps | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache/Cypress | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Install dependecies | |
| if: steps.cache-npm-deps.outputs.cache-hit != 'true' | |
| run: npm install | |
| - name: Check build | |
| env: | |
| APP_VERSION: test | |
| run: npm run build | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up postgres, erica, redis, unleash | |
| run: docker-compose -f ./test/docker-compose-test.yml -p grundsteuer-test up -d | |
| - name: Wait for test db to rise and shine | |
| run: sleep 2 | |
| shell: bash | |
| - name: Migrate test db | |
| env: | |
| DATABASE_URL: postgresql://prisma:prisma@localhost:5433/tests | |
| run: npx prisma migrate deploy && npx prisma db seed | |
| - name: Create Unleash toggles | |
| working-directory: ./unleash | |
| run: ./create-flags.sh http://localhost:4243 '*:*.unleash-insecure-admin-token' | |
| shell: bash | |
| - name: Run long E2E tests | |
| env: | |
| APP_ENV: gha | |
| APP_VERSION: test | |
| BASE_URL: http://localhost:3000 | |
| DATABASE_URL: postgresql://prisma:prisma@localhost:5433/tests | |
| SESSION_COOKIE_SECRET: thisaintnosecret | |
| FORM_COOKIE_SECRET: thisalsoaintnosecret | |
| FORM_COOKIE_ENC_SECRET: 26d011bcbb9db8c4673b7fcd90c9ec6d | |
| ERICA_URL: http://localhost:8001 | |
| AUDIT_PUBLIC_KEY: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvMxhy5PDdUO8EgAXZFK+\nH8X0iswlg685+iXeCEekl+aohrzJEUrUw6GJwmIdqwkK8YDjcZdr7WzcuAazDK5F\nOjenA7IdR7go8fj1fHugaEoX/Mb+qDAsmP1tNCW3my4GJa7g2vl67qLE8QtvX6hz\nn8FaXx8NKlkDQZ85s3yhykpSGC2zBajXukb4GY5dWYURXInbvaH/immNzAlzfAi0\nJylm+qwsHdH281alq7rXc4v3KVoXF4Sj4oAyeDIvHyJwrpNDwrjb/Chu8fKifr3J\nAWPVD2YiwI6WENhCUorZiDiCNjqZtYizXeIrrehQ5YGvujnVKRbPZx9IPrrTE2Lg\nSqKfAMQsxD2pyxW8xN1zu3SthWJX4KwyU+8v4V1Es3ET7QvXyZ9TaoHvLFJuj01G\n9jpupn1hLeCP7cROQ5etjscH2nrRpdIe9ZS4u6Oz1YWYeNDSl+19zLpBdzp3UuZo\nlfrQjXZMHsVaN9u8AnY7+U9Gx44sjwEFmKhiLCI6LzUrzkHVGmg847O9NvLkeYgX\nmOcNJ5U9+8LjUYGjUWttKpLGC+a7CXVmXe7WqKdG3En8yj6gFGLENGYg/Ri/5rOJ\neh1EeTSyLQCzCaSRigeeZ/nlc5xSn6/GgPoIchWHK0bNcHds7afmF4NkRmq+DhS/\nsc6ZU6KrMdtASGVZKvdft/MCAwEAAQ==\n-----END PUBLIC KEY-----\n" | |
| AUDIT_PUBLIC_KEY_V2: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn8CcfcJIg7ZvRr1ZzHNv\nBpTH/vFngK50Xr9/fFMY+Jd8EDYc7OSln9WDMDm4dX557/SxTU102P8KfbzRgNLG\nOP4fPgVSxAAlUIu7GRnilaLMAh1mqsMkdhaUwefdxUUBbMPJtvIyJVjiVaDUXemF\n1cp/YhI33FeY1kR4IdcIeS7oY/vIMWcYF/0EgbOmD01hjK5DGjry/8lcb/nDaoL2\nQtZ6U/2TlhOQ4f307GPrmmGg5KHlvw8ITEraMyB4Imz3vC1RMuITLp5gPzOn6LT2\nkoSBl4NpWqsLTeAHZGENeD5zdgbD1furY75Kksgm8ACPFQq01lTdwtQZIM57eRip\notSUtmq2ZRtDMYhjJ3gHtKVZ/lPmb1FLv1jYPHS7v6PSjfy2jZ1oscbvRq1Z3HCD\nx6AJJHeiQSTIWc+LmmSb1V+Z8X+EuNenr2p7gHiS99vN1WfnTukzXMPs0G4nfJhY\njje6uAfdkp09AJ/D5bS/K2JZ4Fe7n4BnPGxfPJFy1shiroMPkhz2AEhXJM+9iIFB\n77fHJqYILA21D+hiRnMjdYqgSLVNEOcLT0msvjCys4V4SM5YHy81vm/J3kBFi207\nsj93kBjD6MhZJbgG5DkC+oBvae3uKR+/SD8uD+L9zyv3BeC3DFYQxC7Wx6uuB0zK\nf+KIHGFNz42vD717Gk2Ez7sCAwEAAQ==\n-----END PUBLIC KEY-----\n" | |
| MAGIC_LINK_SECRET: thisaintnosecret | |
| TEST_FEATURES_ENABLED: true | |
| HASHED_LOGGING_SALT: "$2a$10$7hclYwYcZY5qCfmedLQx/u" | |
| HASHED_IP_LIMIT_SALT: "$2a$10$7hclYwYcZY5qCfmidLQx/u" | |
| SKIP_RATELIMIT: true | |
| EKONA_ISSUER: "${{ secrets.EKONA_ISSUER }}" | |
| EKONA_ISSUER_URL: "${{ secrets.EKONA_ISSUER_URL }}" | |
| EKONA_IDP_CERT: "${{ secrets.EKONA_IDP_CERT }}" | |
| EKONA_ENTRY_POINT: "${{ secrets.EKONA_ENTRY_POINT }}" | |
| EKONA_ENC_KEY: "${{ secrets.EKONA_ENC_KEY }}" | |
| EKONA_SIGNING_KEY: "${{ secrets.EKONA_SIGNING_KEY }}" | |
| REDIS_URL: redis://localhost:6380/0 | |
| UNLEASH_HOST: http://localhost:4243 | |
| UNLEASH_API_TOKEN: default:development.unleash-insecure-api-token | |
| UNLEASH_ADMIN_TOKEN: "*:*.unleash-insecure-admin-token" | |
| UNLEASH_REFRESH_INTERVAL: 500 | |
| USEID_DOMAIN: "https://useid.dev.ds4g.net" | |
| USEID_API_KEY: "${{ secrets.USEID_API_KEY }}" | |
| USE_USEID: true | |
| NO_COLOR: 1 | |
| run: | | |
| npm run test:e2e:long | tee webapp-long-e2e-test-report.log | |
| result_code=${PIPESTATUS[0]} | |
| exit $result_code | |
| - name: Archive long e2e test logs | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: webapp-long-e2e-test-report.log | |
| path: webapp-long-e2e-test-report.log | |
| build-push-image: | |
| needs: [unit-test, integration-test, short-e2e-test, long-e2e-test] | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| security-events: write | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Build an image from Dockerfile | |
| run: | | |
| docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }} | |
| docker build -t ${{ env.IMAGE_NAME }}-migrate:${{ github.sha }} . --target build | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@b43daad0c3c96202fc5800b511dfae8e6ecce864 | |
| with: | |
| image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}" | |
| format: "template" | |
| template: "@/contrib/sarif.tpl" | |
| output: "trivy-results.sarif" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@81b419c908d540ec4c7da9bfb4b5d941fca8f624 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Login to container registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push image | |
| run: | | |
| docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} | |
| docker tag ${{ env.IMAGE_NAME }}-migrate:${{ github.sha }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-migrate | |
| docker tag ${{ env.IMAGE_NAME }}-migrate:${{ github.sha }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-migrate:${{ github.sha }} | |
| docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-migrate | |
| - name: Install cosign | |
| # Third-party action, pin to commit SHA! | |
| # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
| uses: sigstore/cosign-installer@ef0e9691595ea19ec990a46b1a591dcafe568f34 | |
| - name: Sign the published Docker image | |
| # This step uses the identity token to provision an ephemeral certificate | |
| # against the sigstore community Fulcio instance. | |
| run: | | |
| cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} --yes | |
| cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-migrate:${{ github.sha }} --yes | |
| # This needs to happen here b/c remix changes filenames on each `remix build` run. So, to get working source maps, | |
| # we need access to the actual image that was built. | |
| - name: Extract and upload sourcemaps to Sentry | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| run: | | |
| # Extract source maps | |
| container_id=$(docker create ${{ env.IMAGE_NAME }}-migrate:${{ github.sha }}) | |
| docker cp ${container_id}:/src/public/build public | |
| docker rm ${container_id} | |
| npx --package @sentry/cli --yes sentry-cli releases new --org digitalservice --project grundsteuer ${{ github.sha }} --finalize | |
| npx --package @sentry/cli --yes sentry-cli sourcemaps upload --org digitalservice --project grundsteuer --release ${{ github.sha }} --url-prefix '~/build/' public/build | |
| deploy-staging: | |
| needs: [build-push-image] | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| environment: staging | |
| steps: | |
| - name: Check out infra repo | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: digitalservicebund/grundsteuer-infra | |
| ssh-key: ${{ secrets.DEPLOY_KEY }} | |
| - name: Update image tag for staging | |
| run: | | |
| cd manifests/overlays/staging | |
| kustomize edit set image ghcr.io/digitalservicebund/grundsteuer:${{ github.sha }} | |
| kustomize edit set image ghcr.io/digitalservicebund/grundsteuer-migrate:${{ github.sha }} | |
| - name: Commit and push | |
| uses: EndBug/add-and-commit@61a88be553afe4206585b31aa72387c64295d08b | |
| with: | |
| add: "manifests/overlays/staging/kustomization.yaml" | |
| message: "Update staging image to ${{ github.sha }}" | |
| pathspec_error_handling: exitImmediately | |
| push: true | |
| - name: Register deployment with Sentry | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| run: | | |
| npx --package @sentry/cli --yes sentry-cli releases deploys --org digitalservice --project grundsteuer ${{ github.sha }} new -e staging | |
| - name: Report Deployment | |
| uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 | |
| with: | |
| project: grundsteuer | |
| environment: staging | |
| metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
| metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} |