Validate multiple fields #6389
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: buildAppImage | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# Allow to run this workflow manually | |
workflow_dispatch: | |
env: | |
REGISTRY: ghcr.io | |
jobs: | |
code-quality: | |
uses: ./.github/workflows/npm-checks.yml | |
secrets: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
get-content-file: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- id: fetchLatestImageContent | |
run: ./docker.sh --contentFromImage && mv content_from_image.json content.json | |
continue-on-error: true | |
- if: steps.fetchLatestImageContent.outcome == 'failure' | |
run: npm ci && npm run build:localContent | |
env: | |
STRAPI_API: "${{ secrets.STRAPI_API }}" | |
STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}" | |
- name: Calculate content checksum | |
id: checksum | |
run: echo "content_checksum=$(./docker.sh --contentHashFromImage)" >> $GITHUB_OUTPUT | |
- name: Upload content.json | |
uses: actions/upload-artifact@v4 | |
with: | |
name: content-file | |
path: content.json | |
outputs: | |
content_checksum: ${{ steps.checksum.outputs.content_checksum }} | |
## run-integration-tests: | |
## runs-on: ubuntu-latest | |
## env: | |
## STRAPI_API: "${{ secrets.STRAPI_API }}" | |
## STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}" | |
## CMS: STRAPI | |
## steps: | |
## - uses: actions/checkout@v4 | |
## - uses: ./.github/actions/cached-checkout-install | |
## - run: npm run test:integration | |
verify-local-e2e: | |
needs: [get-content-file] | |
uses: ./.github/workflows/e2e-test.yml | |
with: | |
require-published-app: false | |
e2e-target: local | |
secrets: | |
GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }} | |
build-push-app-image: | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
needs: [code-quality, verify-local-e2e] | |
permissions: | |
contents: read | |
id-token: write # for cosign w/ keyless signing | |
packages: write # for updating cosign attestation | |
security-events: write | |
steps: | |
- uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/cached-checkout-install | |
- name: Install cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- run: ./docker.sh --build app | |
env: | |
SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}" | |
- run: ./docker.sh --push app | |
- run: ./docker.sh --build prod | |
- run: echo "PROD_IMAGE_TAG=$(./docker.sh --prodImageTag)" >> $GITHUB_ENV | |
- name: Generate cosign vulnerability scan record for PROD image | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }} | |
format: "cosign-vuln" | |
output: "vulnerabilities.json" | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-results.sarif" | |
- run: ./docker.sh --push prod | |
- run: ./docker.sh --sign | |
- id: prod_image_tag | |
run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> $GITHUB_OUTPUT | |
- name: Create SBOM | |
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9 | |
with: | |
image_name: ${{ github.repository }}-app | |
outputs: | |
prod_image_tag: ${{ steps.prod_image_tag.outputs.prod_image_tag }} | |
deploy-staging: | |
if: github.ref == 'refs/heads/main' | |
needs: [build-push-app-image] | |
runs-on: ubuntu-latest | |
environment: staging | |
steps: | |
- name: Deploy new staging image | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: staging | |
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }} | |
deploying_repo: a2j-rechtsantragstelle | |
infra_repo: a2j-rechtsantragstelle-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: a2j-rast-staging | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
argocd_sync_timeout: 300 | |
- name: Report Deployment | |
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0 | |
with: | |
project: a2j-rechtsantragstelle | |
environment: staging | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
deploy-preview: | |
needs: [build-push-app-image, deploy-staging] | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
environment: preview | |
steps: | |
- name: Deploy new preview image | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: preview | |
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }} | |
deploying_repo: a2j-rechtsantragstelle | |
infra_repo: a2j-rechtsantragstelle-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: a2j-rast-preview | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
argocd_sync_timeout: 300 | |
- name: Report Deployment | |
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0 | |
with: | |
project: a2j-rechtsantragstelle | |
environment: preview | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
verify-preview-e2e: | |
needs: [deploy-preview] | |
uses: ./.github/workflows/e2e-test.yml | |
with: | |
require-published-app: false | |
use-existing-server: true | |
e2e-target: preview | |
deploy-production: | |
needs: [verify-preview-e2e, build-push-app-image] | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
environment: production | |
steps: | |
- name: Deploy new production image | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: production | |
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }} | |
deploying_repo: a2j-rechtsantragstelle | |
infra_repo: a2j-rechtsantragstelle-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: a2j-rast-production | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
argocd_sync_timeout: 300 | |
- name: Report Deployment | |
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0 | |
with: | |
project: a2j-rechtsantragstelle | |
environment: production | |
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} | |
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} | |
test-production-text: | |
needs: [deploy-production] | |
runs-on: ubuntu-latest | |
steps: | |
- run: curl -s -v "https://service.justiz.de" | grep -q "Justiz-Services" | |
alert-pipeline-failure: | |
name: Send failure message to Slack | |
needs: | |
[ | |
code-quality, | |
get-content-file, | |
verify-local-e2e, | |
build-push-app-image, | |
deploy-staging, | |
deploy-preview, | |
verify-preview-e2e, | |
deploy-production, | |
test-production-text, | |
] | |
if: always() && failure() && github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |