This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scan & Publish image and helm chart on push, deployment on push, delete deployment on branch deletion, scheduled trivy scanner | |
| name: "Dev Pipeline" | |
| # All triggers have to be in one file, so that the trivy results can be compared to identify introduced vulnerabilities | |
| # See DBP-340 | |
| on: | |
| push: | |
| branches: | |
| - "*" | |
| schedule: | |
| - cron: '0 2 * * *' | |
| delete: | |
| concurrency: | |
| group: dbildungs-iam-keycloak-${{ github.event.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| codeql_analyze: | |
| name: "CodeQL" | |
| if: ${{ github.event_name == 'push' }} | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-codeql.yaml@5 | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| build_image_on_push: | |
| if: ${{ github.event_name == 'push' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| security-events: write | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| ref: ${{ github.ref_name }} | |
| - name: Set up JDK 11 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: '11' | |
| distribution: 'temurin' | |
| - name: Build Jars with Maven | |
| run: mvn -f providers/privacyidea/pom.xml clean package | |
| - name: 'Checkout repository' | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@DBP-1196-adjust-dev-release-piepline | |
| with: | |
| image_name: "dbildungs-iam-keycloak" | |
| run_trivy_scan: true | |
| image_tag_generation: ${{ github.ref_name == 'main' && 'commit_hash' || 'ticket_from_branch' }} | |
| add_latest_tag: ${{ github.ref_name == 'main' }} | |
| container_registry: "ghcr.io" | |
| fail_on_vulnerabilites: false | |
| report_location: "Dockerfile" | |
| target: "deployment" | |
| github_branch: ${{ github.ref_name }} | |
| # scan_helm: | |
| # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| # uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 | |
| # permissions: | |
| # contents: read | |
| # select_helm_version_generation_and_image_tag_generation: | |
| # if: ${{ github.event_name == 'push'}} | |
| # runs-on: ubuntu-latest | |
| # outputs: | |
| # SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }} | |
| # SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
| # steps: | |
| # - id: select_generation | |
| # shell: bash | |
| # run: | | |
| # if ${{ github.ref_name == 'main' }}; then | |
| # echo "SELECT_HELM_VERION_GENERATION=timestamp" >> "$GITHUB_OUTPUT" | |
| # echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT" | |
| # else | |
| # echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT" | |
| # echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT" | |
| # fi | |
| # release_helm: | |
| # needs: | |
| # - select_helm_version_generation_and_image_tag_generation | |
| # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| # uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7 | |
| # secrets: inherit | |
| # with: | |
| # chart_name: dbildungs-iam-keycloak | |
| # image_tag_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
| # helm_chart_version_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION }} | |
| # wait_for_helm_chart_to_get_published: | |
| # needs: | |
| # - release_helm | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - shell: bash | |
| # run: sleep 1m | |
| # branch_meta: | |
| # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3 | |
| # create_branch_identifier: | |
| # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| # needs: | |
| # - branch_meta | |
| # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 | |
| # with: | |
| # branch: ${{ needs.branch_meta.outputs.branch }} | |
| # deploy: | |
| # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| # needs: | |
| # - branch_meta | |
| # - create_branch_identifier | |
| # - wait_for_helm_chart_to_get_published | |
| # - build_image_on_push | |
| # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 | |
| # with: | |
| # dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| # schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| # dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| # dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| # namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }} | |
| # secrets: inherit | |
| # # On Delete | |
| # create_branch_identifier_for_deletion: | |
| # if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
| # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 | |
| # with: | |
| # branch: ${{ github.event.ref }} | |
| # delete_namespace: | |
| # if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}} | |
| # needs: | |
| # - create_branch_identifier_for_deletion | |
| # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5 | |
| # with: | |
| # namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} | |
| # secrets: | |
| # SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} | |
| # delete_successful: | |
| # if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
| # needs: | |
| # - delete_namespace | |
| # - create_branch_identifier_for_deletion | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" | |
| # # Scheduled | |
| # scheduled_trivy_scan: | |
| # name: "Scheduled trivy scan of latest image" | |
| # if: ${{ github.event_name == 'schedule' }} | |
| # permissions: | |
| # packages: read | |
| # security-events: write | |
| # uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7 | |
| # with: | |
| # image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-keycloak:latest' | |
| # fail_on_vulnerabilites: false | |
| # report_location: "Dockerfile" |