Skip to content

fix(repair broken cached-checkout-install step) (#1454) #5872

fix(repair broken cached-checkout-install step) (#1454)

fix(repair broken cached-checkout-install step) (#1454) #5872

Workflow file for this run

name: buildAppImage
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
REGISTRY: ghcr.io
jobs:
code-quality:
uses: ./.github/workflows/npm-checks.yml
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
get-content-file:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: fetchLatestImageContent
run: ./docker.sh --contentFromImage && mv content_from_image.json content.json
continue-on-error: true
- if: steps.fetchLatestImageContent.outcome == 'failure'
run: npm ci && npm run build:localContent
env:
STRAPI_API: "${{ secrets.STRAPI_API }}"
STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}"
- name: Calculate content checksum
id: checksum
run: echo "content_checksum=$(./docker.sh --contentHashFromImage)" >> $GITHUB_OUTPUT
- name: Upload content.json
uses: actions/upload-artifact@v4
with:
name: content-file
path: content.json
outputs:
content_checksum: ${{ steps.checksum.outputs.content_checksum }}
run-integration-tests:
needs: [get-content-file]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/cached-checkout-install
- uses: actions/download-artifact@v4
with:
name: content-file
- run: npm run test:integration
verify-local-e2e:
needs: [run-integration-tests]
uses: ./.github/workflows/e2e-test.yml
with:
require-published-app: false
e2e-target: local
secrets:
GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }}
build-push-app-image:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: [code-quality, verify-local-e2e]
permissions:
contents: read
id-token: write # for cosign w/ keyless signing
packages: write # for updating cosign attestation
security-events: write
steps:
- uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v4
- uses: ./.github/actions/cached-checkout-install
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- run: ./docker.sh --build app
env:
SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"
- run: ./docker.sh --push app
- run: ./docker.sh --build prod
- run: echo "PROD_IMAGE_TAG=$(./docker.sh --prodImageTag)" >> $GITHUB_ENV
- name: Generate cosign vulnerability scan record for PROD image
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
format: "cosign-vuln"
output: "vulnerabilities.json"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
- run: ./docker.sh --push prod
- run: ./docker.sh --sign
- id: prod_image_tag
run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> $GITHUB_OUTPUT
- name: Create SBOM
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9
with:
image_name: ${{ github.repository }}-app
outputs:
prod_image_tag: ${{ steps.prod_image_tag.outputs.prod_image_tag }}
deploy-staging:
if: github.ref == 'refs/heads/main'
needs: [build-push-app-image]
runs-on: ubuntu-latest
environment: staging
steps:
- name: Deploy new staging image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: staging
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
deploying_repo: a2j-rechtsantragstelle
infra_repo: a2j-rechtsantragstelle-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: a2j-rast-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: a2j-rechtsantragstelle
environment: staging
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
deploy-preview:
needs: [build-push-app-image, deploy-staging]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: preview
steps:
- name: Deploy new preview image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: preview
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
deploying_repo: a2j-rechtsantragstelle
infra_repo: a2j-rechtsantragstelle-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: a2j-rast-preview
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: a2j-rechtsantragstelle
environment: preview
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
verify-preview-e2e:
needs: [deploy-preview]
uses: ./.github/workflows/e2e-test.yml
with:
require-published-app: false
use-existing-server: true
e2e-target: preview
deploy-production:
needs: [verify-preview-e2e, build-push-app-image]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy new production image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: production
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
deploying_repo: a2j-rechtsantragstelle
infra_repo: a2j-rechtsantragstelle-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: a2j-rast-production
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: a2j-rechtsantragstelle
environment: production
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
test-production-text:
needs: [deploy-production]
runs-on: ubuntu-latest
steps:
- run: curl -s -v "https://service.justiz.de" | grep -q "Justiz-Services"
alert-pipeline-failure:
name: Send failure message to Slack
needs:
[
code-quality,
get-content-file,
verify-local-e2e,
build-push-app-image,
deploy-staging,
deploy-preview,
verify-preview-e2e,
deploy-production,
test-production-text,
]
if: always() && failure() && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}