Dev Pipeline #1260
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Scan & Publish image and helm chart on push, deployment on push, delete deployment on branch deletion, scheduled trivy scanner | |
name: "Dev Pipeline" | |
# All triggers have to be in one file, so that the trivy results can be compared to identify introduced vulnerabilities | |
# See DBP-340 | |
on: | |
push: | |
branches: | |
- "*" | |
schedule: | |
- cron: '0 2 * * *' | |
delete: | |
concurrency: | |
group: dbildungs-iam-keycloak-${{ github.event.ref }} | |
cancel-in-progress: true | |
jobs: | |
codeql_analyze: | |
name: "CodeQL" | |
if: ${{ github.event_name == 'push' }} | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-codeql.yaml@5 | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
build_image_on_push: | |
needs: | |
- create_branch_identifier | |
name: "Publish image and scan with trivy" | |
if: ${{ github.event_name == 'push' }} | |
permissions: | |
packages: write | |
security-events: write | |
contents: read | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@7 | |
with: | |
image_name: "dbildungs-iam-keycloak" | |
run_trivy_scan: true | |
image_tag_generation: ${{ github.ref_name == 'main' && 'commit_hash' || 'specified' }} | |
image_tag: ${{ github.ref_name == 'main' && '' || needs.create_branch_identifier.outputs.image_tag_from_branch }} | |
add_latest_tag: ${{ github.ref_name == 'main' }} | |
container_registry: "ghcr.io" | |
fail_on_vulnerabilites: false | |
report_location: "Dockerfile" | |
target: "deployment" | |
scan_helm: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 | |
permissions: | |
contents: read | |
select_helm_version_generation_and_image_tag_generation: | |
if: ${{ github.event_name == 'push'}} | |
runs-on: ubuntu-latest | |
outputs: | |
SELECT_HELM_VERSION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERSION_GENERATION }} | |
SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
steps: | |
- id: select_generation | |
shell: bash | |
run: | | |
if ${{ github.ref_name == 'main' }}; then | |
echo "SELECT_HELM_VERSION_GENERATION=timestamp" >> "$GITHUB_OUTPUT" | |
echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT" | |
else | |
echo "SELECT_HELM_VERSION_GENERATION=specified" >> "$GITHUB_OUTPUT" | |
echo "SELECT_IMAGE_TAG_GENERATION=specified" >> "$GITHUB_OUTPUT" | |
fi | |
release_helm: | |
needs: | |
- create_branch_identifier | |
- select_helm_version_generation_and_image_tag_generation | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7 | |
secrets: inherit | |
with: | |
chart_name: dbildungs-iam-keycloak | |
image_tag_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
image_tag: ${{ github.ref_name == 'main' && '' || needs.create_branch_identifier.outputs.image_tag_from_branch }} | |
helm_chart_version_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERSION_GENERATION }} | |
helm_chart_version: ${{ github.ref_name == 'main' && '' || needs.create_branch_identifier.outputs.chart_version_from_branch }} | |
wait_for_helm_chart_to_get_published: | |
needs: | |
- release_helm | |
runs-on: ubuntu-latest | |
steps: | |
- shell: bash | |
run: sleep 1m | |
branch_meta: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@6 | |
create_branch_identifier: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
needs: | |
- branch_meta | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/convert-branch-name.yml@6 | |
with: | |
branch: ${{ needs.branch_meta.outputs.branch }} | |
deploy: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
needs: | |
- branch_meta | |
- create_branch_identifier | |
- wait_for_helm_chart_to_get_published | |
- build_image_on_push | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@6 | |
with: | |
dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} | |
schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} | |
dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }} | |
dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }} | |
namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }} | |
database_recreation: ${{ github.ref_name == 'main' && 'true' || 'false' }} | |
# database_recreation: "true" # to force database recreation this has be set to true | |
secrets: inherit | |
# On Delete | |
create_branch_identifier_for_deletion: | |
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/convert-branch-name.yml@6 | |
with: | |
branch: ${{ github.event.ref }} | |
delete_namespace: | |
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}} | |
needs: | |
- create_branch_identifier_for_deletion | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5 | |
with: | |
namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} | |
secrets: | |
SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} | |
delete_successful: | |
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
needs: | |
- delete_namespace | |
- create_branch_identifier_for_deletion | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" | |
# Scheduled | |
scheduled_trivy_scan: | |
name: "Scheduled trivy scan of latest image" | |
if: ${{ github.event_name == 'schedule' }} | |
permissions: | |
packages: read | |
security-events: write | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7 | |
with: | |
image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-keycloak:latest' | |
fail_on_vulnerabilites: false | |
report_location: "Dockerfile" |