feat: override to patched version cross-spawn #5884

Workflow file for this run

.github/workflows/ci-pipeline.yml at 4c1d42f

	name: buildAppImage
	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	# Allow to run this workflow manually
	workflow_dispatch:

	env:
	REGISTRY: ghcr.io

	jobs:
	code-quality:
	uses: ./.github/workflows/npm-checks.yml
	secrets:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

	get-content-file:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- id: fetchLatestImageContent
	run: ./docker.sh --contentFromImage && mv content_from_image.json content.json
	continue-on-error: true
	- if: steps.fetchLatestImageContent.outcome == 'failure'
	run: npm ci && npm run build:localContent
	env:
	STRAPI_API: "${{ secrets.STRAPI_API }}"
	STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}"
	- name: Calculate content checksum
	id: checksum
	run: echo "content_checksum=$(./docker.sh --contentHashFromImage)" >> $GITHUB_OUTPUT
	- name: Upload content.json
	uses: actions/upload-artifact@v4
	with:
	name: content-file
	path: content.json
	outputs:
	content_checksum: ${{ steps.checksum.outputs.content_checksum }}

	run-integration-tests:
	needs: [get-content-file]
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/cached-checkout-install
	- uses: actions/download-artifact@v4
	with:
	name: content-file
	- run: npm run test:integration

	verify-local-e2e:
	needs: [run-integration-tests]
	uses: ./.github/workflows/e2e-test.yml
	with:
	require-published-app: false
	e2e-target: local
	secrets:
	GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }}

	build-push-app-image:
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	needs: [code-quality, verify-local-e2e]
	permissions:
	contents: read
	id-token: write # for cosign w/ keyless signing
	packages: write # for updating cosign attestation
	security-events: write
	steps:
	- uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- uses: actions/checkout@v4
	- uses: ./.github/actions/cached-checkout-install
	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
	- run: ./docker.sh --build app
	env:
	SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"
	- run: ./docker.sh --push app
	- run: ./docker.sh --build prod
	- run: echo "PROD_IMAGE_TAG=$(./docker.sh --prodImageTag)" >> $GITHUB_ENV
	- name: Generate cosign vulnerability scan record for PROD image
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	with:
	image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
	format: "cosign-vuln"
	output: "vulnerabilities.json"
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	with:
	image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
	format: "sarif"
	output: "trivy-results.sarif"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-results.sarif"
	- run: ./docker.sh --push prod
	- run: ./docker.sh --sign
	- id: prod_image_tag
	run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> $GITHUB_OUTPUT
	- name: Create SBOM
	uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9
	with:
	image_name: ${{ github.repository }}-app
	outputs:
	prod_image_tag: ${{ steps.prod_image_tag.outputs.prod_image_tag }}

	deploy-staging:
	if: github.ref == 'refs/heads/main'
	needs: [build-push-app-image]
	runs-on: ubuntu-latest
	environment: staging
	steps:
	- name: Deploy new staging image
	uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
	with:
	environment: staging
	version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
	deploying_repo: a2j-rechtsantragstelle
	infra_repo: a2j-rechtsantragstelle-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: a2j-rast-staging
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300
	- name: Report Deployment
	uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
	with:
	project: a2j-rechtsantragstelle
	environment: staging
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

	deploy-preview:
	needs: [build-push-app-image, deploy-staging]
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	environment: preview
	steps:
	- name: Deploy new preview image
	uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
	with:
	environment: preview
	version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
	deploying_repo: a2j-rechtsantragstelle
	infra_repo: a2j-rechtsantragstelle-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: a2j-rast-preview
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300
	- name: Report Deployment
	uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
	with:
	project: a2j-rechtsantragstelle
	environment: preview
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

	verify-preview-e2e:
	needs: [deploy-preview]
	uses: ./.github/workflows/e2e-test.yml
	with:
	require-published-app: false
	use-existing-server: true
	e2e-target: preview

	deploy-production:
	needs: [verify-preview-e2e, build-push-app-image]
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	environment: production
	steps:
	- name: Deploy new production image
	uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
	with:
	environment: production
	version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
	deploying_repo: a2j-rechtsantragstelle
	infra_repo: a2j-rechtsantragstelle-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: a2j-rast-production
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300
	- name: Report Deployment
	uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
	with:
	project: a2j-rechtsantragstelle
	environment: production
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

	test-production-text:
	needs: [deploy-production]
	runs-on: ubuntu-latest
	steps:
	- run: curl -s -v "https://service.justiz.de" \| grep -q "Justiz-Services"

	alert-pipeline-failure:
	name: Send failure message to Slack
	needs:
	[
	code-quality,
	get-content-file,
	verify-local-e2e,
	build-push-app-image,
	deploy-staging,
	deploy-preview,
	verify-preview-e2e,
	deploy-production,
	test-production-text,
	]
	if: always() && failure() && github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	steps:
	- uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: override to patched version cross-spawn #5884

Workflow file

feat: override to patched version cross-spawn #5884

Jobs

Run details

Workflow file for this run