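# Top-level pipeline: build/test work is delegated to reusable workflows in
# ./.github/workflows, followed by a staging deployment (main only) and two
# independent security jobs (Trivy vulnerability scan, Talisman secret scan).
name: Pipeline

on:
  # run on any branch receiving a push (not only on main)
  push:
  # also: allow to run this workflow manually
  workflow_dispatch:

jobs:
  #############################################
  # jobs dispatched to a separate workflow file
  #############################################
  backend-jobs:
    # Listing any scope here sets every unlisted scope to "none", so this is
    # the full set of token permissions the called workflow gets.
    permissions:
      security-events: write # upload-sarif
      packages: write
      id-token: write
      contents: read
    uses: ./.github/workflows/backend-jobs.yml
    with:
      container-registry: ghcr.io
      container-image-name: ${{ github.repository }}
      container-image-version: ${{ github.sha }}
    secrets: inherit # e.g. sonar token

  frontend-jobs:
    permissions:
      security-events: write # upload-sarif
      packages: write
      id-token: write
      contents: read
    uses: ./.github/workflows/frontend-jobs.yml
    with:
      # It would be nicer to define the registry/image values once (e.g. as
      # workflow-level env vars) instead of repeating them in every job,
      # however, env vars cannot be passed over to a reusable workflow using "with"
      # cf. https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations
      # and the workaround is horrible
      # cf. https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow
      container-registry: ghcr.io
      container-image-name: ${{ github.repository }}
      container-image-version: ${{ github.sha }}
    secrets: inherit # e.g. sonar token

  ldml-extension-jobs:
    uses: ./.github/workflows/ldml-extension-jobs.yml
    secrets: inherit # e.g. sonar token

  create-docker-image-job:
    permissions:
      security-events: write # upload-sarif
      packages: write
      id-token: write
      contents: read
    uses: ./.github/workflows/create-docker-image-job.yml
    with:
      container-registry: ghcr.io
      container-image-name: ${{ github.repository }}
      container-image-version: ${{ github.sha }}
    secrets: inherit # e.g. sonar token

  push-docker-image-job:
    # The image is only pushed once the backend jobs have passed and the
    # image has been built.
    needs:
      - backend-jobs
      - create-docker-image-job
    permissions:
      security-events: write # upload-sarif
      packages: write
      id-token: write
      contents: read
    uses: ./.github/workflows/push-docker-image-job.yml
    with:
      container-registry: ghcr.io
      container-image-name: ${{ github.repository }}
      container-image-version: ${{ github.sha }}
    secrets: inherit # e.g. sonar token

  # ######################
  # # Deploy new versions
  # ######################
  deploy-staging:
    runs-on: ubuntu-latest
    # Only commits on "main" are deployed.
    if: ${{ github.ref == 'refs/heads/main' }}
    # Concurrency group: staging deployments never run in parallel.
    concurrency: deploy-staging
    environment: staging
    needs:
      - frontend-jobs
      - backend-jobs
      - push-docker-image-job
      - e2e-tests
    permissions:
      id-token: write # Enable OIDC for gitsign
    steps:
      - uses: chainguard-dev/actions/setup-gitsign@ba1a9c9ffe799736883d58f31caff18d85b2800e
      - name: Deploy new images
        uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
        with:
          environment: staging
          version: ${{ github.sha }}
          deploying_repo: ris-norms
          infra_repo: ris-norms-infra
          deploy_key: ${{ secrets.DEPLOY_KEY }}
          app: ris-norms-staging
          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
          argocd_server: ${{ secrets.ARGOCD_SERVER }}
      - name: Track deploy
        uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
        with:
          project: ris-norms
          environment: staging
          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
      - name: Send status to Slack
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  # ########################
  # # system test jobs
  # ########################
  e2e-tests:
    strategy:
      # keep the other browsers running when one of them fails
      fail-fast: false
      matrix:
        browser: [chromium, firefox, webkit]
    uses: ./.github/workflows/end-to-end-tests.yml
    with:
      browser: ${{ matrix.browser }}
    secrets: inherit

  ################
  # Security jobs
  ################
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      # Listing any scope here sets every unlisted scope to "none", so the
      # checkout below needs an explicit read on the repository contents.
      contents: read
      security-events: write # upload-sarif
    steps:
      - name: Checkout code
        # NOTE(review): the GitHub-owned actions in this job are referenced by
        # major tag, unlike the SHA-pinned third-party actions below.
        uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@841fb371db7b5cd339e5b2d55c92f5dbd730ac9f
        with:
          scan-type: "fs"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH" # ignored by sarif report
      - name: Check trivy results
        # Fail the job when the report mentions a HIGH or CRITICAL finding.
        # NOTE(review): this is a plain text match over the whole SARIF file
        # rather than a query of the result severities; confirm it matches
        # the format Trivy emits.
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
      - name: Upload Trivy scan results to GitHub Security tab
        # always(): upload even when the check above failed the job.
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  talisman-check:
    runs-on: ubuntu-latest
    # Running on main only https://digitalservicebund.slack.com/archives/C046VD44ZEH/p1706516240974409
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history; the step below scans the incoming commits
      - name: Detect secrets in incoming commits with Talisman
        uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb
      - name: Send status to Slack
        # only on failure and if on "main" branch
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}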