-
Notifications
You must be signed in to change notification settings - Fork 2
221 lines (210 loc) · 8.24 KB
/
ci-pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
name: buildAppImage
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
REGISTRY: ghcr.io
jobs:
code-quality:
uses: ./.github/workflows/npm-checks.yml
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
get-content-file:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: fetchLatestImageContent
run: ./docker.sh --contentFromImage && mv content_from_image.json content.json
continue-on-error: true
- if: steps.fetchLatestImageContent.outcome == 'failure'
run: npm ci && npm run build:localContent
env:
STRAPI_API: "${{ secrets.STRAPI_API }}"
STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}"
- name: Calculate content checksum
id: checksum
run: echo "content_checksum=$(./docker.sh --contentHashFromImage)" >> $GITHUB_OUTPUT
- name: Upload content.json
uses: actions/upload-artifact@v4
with:
name: content-file
path: content.json
outputs:
content_checksum: ${{ steps.checksum.outputs.content_checksum }}
verify-local-e2e:
needs: [get-content-file]
uses: ./.github/workflows/e2e-test.yml
with:
require-published-app: false
e2e-target: local
secrets:
GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }}
build-push-app-image:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: [code-quality, verify-local-e2e]
permissions:
contents: read
id-token: write # for cosign w/ keyless signing
packages: write # for updating cosign attestation
security-events: write
steps:
- uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v4
- uses: ./.github/actions/cached-checkout-install
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- run: ./docker.sh --build app
env:
SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"
- run: ./docker.sh --push app
- run: ./docker.sh --build prod
- run: echo "PROD_IMAGE_TAG=$(./docker.sh --prodImageTag)" >> $GITHUB_ENV
- name: Generate cosign vulnerability scan record for PROD image
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
format: "cosign-vuln"
output: "vulnerabilities.json"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
- run: ./docker.sh --push prod
- run: ./docker.sh --sign
- id: prod_image_tag
run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> $GITHUB_OUTPUT
- name: Create SBOM
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9
with:
image_name: ${{ github.repository }}-app
outputs:
prod_image_tag: ${{ steps.prod_image_tag.outputs.prod_image_tag }}
deploy-staging:
if: github.ref == 'refs/heads/main'
needs: [build-push-app-image]
runs-on: ubuntu-latest
environment: staging
steps:
- name: Deploy new staging image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: staging
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
deploying_repo: a2j-rechtsantragstelle
infra_repo: a2j-rechtsantragstelle-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: a2j-rast-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: a2j-rechtsantragstelle
environment: staging
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
deploy-preview:
needs: [build-push-app-image, deploy-staging]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: preview
steps:
- name: Deploy new preview image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: preview
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
deploying_repo: a2j-rechtsantragstelle
infra_repo: a2j-rechtsantragstelle-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: a2j-rast-preview
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: a2j-rechtsantragstelle
environment: preview
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
verify-preview-e2e:
needs: [deploy-preview]
uses: ./.github/workflows/e2e-test.yml
with:
require-published-app: false
use-existing-server: true
e2e-target: preview
deploy-production:
needs: [verify-preview-e2e, build-push-app-image]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy new production image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: production
version: ${{ needs.build-push-app-image.outputs.prod_image_tag }}
deploying_repo: a2j-rechtsantragstelle
infra_repo: a2j-rechtsantragstelle-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: a2j-rast-production
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: a2j-rechtsantragstelle
environment: production
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
test-production-text:
needs: [deploy-production]
runs-on: ubuntu-latest
steps:
- run: curl -s -v "https://service.justiz.de" | grep -q "Justiz-Services"
alert-pipeline-failure:
name: Send failure message to Slack
needs:
[
code-quality,
get-content-file,
verify-local-e2e,
build-push-app-image,
deploy-staging,
deploy-preview,
verify-preview-e2e,
deploy-production,
test-production-text,
]
if: always() && failure() && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}