Skip to content

Dev Pipeline

Dev Pipeline #1250

# Scan & Publish image and helm chart on push, deployment on push, delete deployment on branch deletion, scheduled trivy scanner
name: "Dev Pipeline"
# All triggers have to be in one file, so that the trivy results can be compared to identify introduced vulnerabilities
# See DBP-340
on:
push:
branches:
- "*"
schedule:
- cron: '0 2 * * *'
delete:
concurrency:
group: dbildungs-iam-keycloak-${{ github.event.ref }}
cancel-in-progress: true
jobs:
codeql_analyze:
name: "CodeQL"
if: ${{ github.event_name == 'push' }}
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-codeql.yaml@5
permissions:
actions: read
contents: read
security-events: write
build_image_on_push:
needs:
- create_branch_identifier
name: "Publish image and scan with trivy"
if: ${{ github.event_name == 'push' }}
permissions:
packages: write
security-events: write
contents: read
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@7
with:
image_name: "dbildungs-iam-keycloak"
run_trivy_scan: true
image_tag_generation: ${{ github.ref_name == 'main' && 'commit_hash' || 'specified' }}
image_tag: ${{ github.ref_name == 'main' && '' || needs.create_branch_identifier.outputs.image_tag_from_branch }}
add_latest_tag: ${{ github.ref_name == 'main' }}
container_registry: "ghcr.io"
fail_on_vulnerabilites: false
report_location: "Dockerfile"
target: "deployment"
scan_helm:
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
permissions:
contents: read
select_helm_version_generation_and_image_tag_generation:
if: ${{ github.event_name == 'push'}}
runs-on: ubuntu-latest
outputs:
SELECT_HELM_VERSION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERSION_GENERATION }}
SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }}
steps:
- id: select_generation
shell: bash
run: |
if ${{ github.ref_name == 'main' }}; then
echo "SELECT_HELM_VERSION_GENERATION=timestamp" >> "$GITHUB_OUTPUT"
echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT"
else
echo "SELECT_HELM_VERSION_GENERATION=specified" >> "$GITHUB_OUTPUT"
echo "SELECT_IMAGE_TAG_GENERATION=specified" >> "$GITHUB_OUTPUT"
fi
release_helm:
needs:
- create_branch_identifier
- select_helm_version_generation_and_image_tag_generation
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7
secrets: inherit
with:
chart_name: dbildungs-iam-keycloak
image_tag_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }}
image_tag: ${{ github.ref_name == 'main' && '' || needs.create_branch_identifier.outputs.image_tag_from_branch }}
helm_chart_version_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERSION_GENERATION }}
helm_chart_version: ${{ github.ref_name == 'main' && '' || needs.create_branch_identifier.outputs.chart_version_from_branch }}
wait_for_helm_chart_to_get_published:
needs:
- release_helm
runs-on: ubuntu-latest
steps:
- shell: bash
run: sleep 1m
branch_meta:
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@6
create_branch_identifier:
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
needs:
- branch_meta
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/convert-branch-name.yml@6
with:
branch: ${{ needs.branch_meta.outputs.branch }}
deploy:
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
needs:
- branch_meta
- create_branch_identifier
- wait_for_helm_chart_to_get_published
- build_image_on_push
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@6
with:
dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }}
schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }}
dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }}
dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }}
namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }}
database_recreation: ${{ github.ref_name == 'main' && 'true' || 'false' }}
# database_recreation: "true" # to force database recreation this has be set to true
secrets: inherit
# On Delete
create_branch_identifier_for_deletion:
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }}
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/convert-branch-name.yml@6
with:
branch: ${{ github.event.ref }}
delete_namespace:
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}}
needs:
- create_branch_identifier_for_deletion
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5
with:
namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }}
secrets:
SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }}
delete_successful:
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }}
needs:
- delete_namespace
- create_branch_identifier_for_deletion
runs-on: ubuntu-latest
steps:
- run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done"
# Scheduled
scheduled_trivy_scan:
name: "Scheduled trivy scan of latest image"
if: ${{ github.event_name == 'schedule' }}
permissions:
packages: read
security-events: write
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7
with:
image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-keycloak:latest'
fail_on_vulnerabilites: false
report_location: "Dockerfile"