Update all-frontend-non-major-dependencies #15246

Workflow file for this run

.github/workflows/pipeline.yml at 3067efb

	name: Pipeline

	on:
	push:
	branches: [ main ]
	paths-ignore:
	- '*/.md'
	pull_request:
	branches: [ main ]
	schedule:
	- cron: "0 18 * * *" # Every day at 8pm
	# Allow to run this workflow manually
	workflow_dispatch:

	env:
	RUN_ID: ${{ github.run_id }}
	CONTAINER_REGISTRY: ghcr.io
	CONTAINER_IMAGE_NAME: ${{ github.repository }}
	CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha \|\| github.sha }} # Use PR head SHA if available
	GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_".
	GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }}
	SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
	SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
	REPORTS_REPOSITORY: digitalservicebund/ris-reports

	jobs:
	backend-build:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
	with:
	java-version: "21.0"
	distribution: "temurin"
	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	- name: Run backend tests
	working-directory: ./backend
	run: ./gradlew build --profile -x integrationTest -x test
	- name: Upload build performance report
	uses: actions/upload-artifact@v4
	with:
	name: performance-report
	path: backend/build/reports/profile/profile*.html
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	backend-checks:
	uses: ./.github/workflows/backend-checks.yml
	secrets: inherit

	backend-build-image-and-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
	with:
	java-version: "21.0"
	distribution: "temurin"
	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	- name: Build backend image
	working-directory: ./backend
	run: ./gradlew bootBuildImage
	- name: Run Trivy vulnerability image scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "sarif"
	output: "trivy-results.sarif"
	github-pat: ${{ secrets.GITHUB_TOKEN }}
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	# Todo: Remove this step
	- name: Upload Trivy scan results
	uses: actions/upload-artifact@v4
	with:
	name: "trivy-results-backend.sarif"
	path: "trivy-results.sarif"
	if-no-files-found: error
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	- name: Generate cosign vulnerability scan record
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "cosign-vuln"
	output: "vuln-backend.json"
	- name: Upload cosign vulnerability scan record
	uses: actions/upload-artifact@v4
	with:
	name: "vuln-backend.json"
	path: "vuln-backend.json"
	if-no-files-found: error
	- name: Save image
	run: \|
	mkdir /tmp/images
	docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	- uses: actions/cache@v4
	with:
	path: /tmp/images
	key: docker-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-images-cache-${{ env.RUN_ID }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	frontend-checks:
	uses: ./.github/workflows/frontend-checks.yml
	secrets: inherit

	audit-licenses-backend:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up JDK
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
	with:
	java-version: "21.0"
	distribution: "temurin"
	cache: gradle
	- name: Grant execute permission for gradlew
	working-directory: ./backend
	run: chmod +x gradlew
	- name: Run license scanner
	working-directory: ./backend
	run: ./gradlew checkLicense
	- name: Upload licence report
	uses: actions/upload-artifact@v4
	with:
	name: licence-reports-backend
	retention-days: 3
	path: backend/build/reports/dependency-license/backend-licence-report.csv
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	audit-licenses-frontend:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/package.json
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Install dependencies
	run: npm ci
	working-directory: ./frontend
	- name: Run license scanner
	run: npm run audit:licences
	working-directory: ./frontend
	- name: Upload licence report
	uses: actions/upload-artifact@v4
	with:
	name: licence-reports-frontend
	retention-days: 3
	path: frontend/frontend-licence-report.csv
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	frontend-build-image-and-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Build frontend image
	run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend
	- name: Run Trivy vulnerability image scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	- name: Run Trivy vulnerability file scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	scan-type: "fs"
	scan-ref: "./frontend"
	skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy file scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	category: trivy-fs-scan
	- name: Generate cosign vulnerability scan record
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "cosign-vuln"
	output: "vuln-frontend.json"
	- name: Upload cosign vulnerability scan record
	uses: actions/upload-artifact@v4
	with:
	name: "vuln-frontend.json"
	path: "vuln-frontend.json"
	if-no-files-found: error
	- name: Save image
	run: \|
	mkdir /tmp/images
	docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- uses: actions/cache@v4
	with:
	path: /tmp/images
	key: docker-frontend-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}


	push-backend-image-to-registry:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' \|\| contains(github.event.pull_request.labels..name, 'dev-env') \|\| contains(github.event.labeled.labels..name, 'dev-env') }}
	needs:
	- backend-build
	- backend-checks
	- backend-build-image-and-scan
	- audit-licenses-backend
	permissions:
	contents: read
	id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
	packages: write
	outputs:
	version: ${{ steps.set-version.outputs.version }}
	steps:
	- uses: actions/cache@v4
	with:
	path: /tmp/images
	key: docker-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-images-cache-${{ env.RUN_ID }}
	- name: load image
	shell: bash
	run: docker load -i /tmp/images/backend-image.tar
	- name: Log into container registry
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Publish backend container image
	run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Install cosign
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: sigstore/cosign-installer@718228a5f85f61170ad5c3ea6c0e9871cc92f1c5
	- name: Sign the published Docker image
	run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
	- id: set-version
	run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	push-frontend-image-to-registry:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' \|\| contains(github.event.pull_request.labels..name, 'dev-env') \|\| contains(github.event.labeled.labels..name, 'dev-env') }}
	needs:
	- frontend-checks
	- frontend-build-image-and-scan
	- audit-licenses-frontend
	permissions:
	contents: read
	id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
	packages: write
	outputs:
	version: ${{ steps.set-version.outputs.version }}
	steps:
	- uses: actions/cache@v4
	with:
	path: /tmp/images
	key: docker-frontend-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-images-cache-${{ env.RUN_ID }}
	- name: load image
	shell: bash
	run: docker load -i /tmp/images/frontend-image.tar
	- name: Log into container registry
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Publish backend container image
	run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Install cosign
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: sigstore/cosign-installer@718228a5f85f61170ad5c3ea6c0e9871cc92f1c5
	- name: Sign the published Docker image
	run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- id: set-version
	run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	deploy-staging:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' }}
	concurrency:
	group: deploy-staging
	cancel-in-progress: true
	environment: staging
	needs:
	- push-frontend-image-to-registry
	- push-backend-image-to-registry
	permissions:
	id-token: write # Enable OIDC for gitsign
	steps:
	- uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e
	- name: Deploy new images
	uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
	with:
	environment: staging
	version: ${{ needs.push-backend-image-to-registry.outputs.version }}
	deploying_repo: ris-backend-service,ris-backend-service/frontend
	infra_repo: neuris-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: ris-staging
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300
	- name: Track deploy
	uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
	with:
	project: RIS
	environment: staging
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	prep-playwright-tests:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' }}
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/package.json
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Get Playwright version
	working-directory: ./frontend
	run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV
	- name: Cache browser binaries
	id: cache-browser-binaries
	uses: actions/cache@v4
	with:
	path: ~/.cache/ms-playwright
	key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }}
	- name: Install browsers
	if: steps.cache-browser-binaries.outputs.cache-hit != 'true'
	run: \|
	npx --yes playwright install --with-deps chromium firefox
	working-directory: ./frontend

	e2e-tests:
	if: ${{ github.ref == 'refs/heads/main' }}
	concurrency:
	group: deploy-staging
	cancel-in-progress: true
	needs: [ deploy-staging, prep-playwright-tests ]
	# We do not include the matrix directly, so that the concurrency group does not apply to each matrix job individually
	uses: ./.github/workflows/e2e_matrix.yml
	secrets: inherit

	query-performance-tests:
	if: ${{ github.ref == 'refs/heads/main' }}
	concurrency:
	group: deploy-staging
	cancel-in-progress: true
	needs: [ e2e-tests, prep-playwright-tests ]
	uses: ./.github/workflows/_playwright-test.yml
	with:
	subproject: "all"
	browser: "queries" # uses the 'queries' project
	mode: "queries"
	runs: 1
	workers: 1
	secrets: inherit

	generate-test-reports:
	if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
	needs: [ e2e-tests ]
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ./frontend/package.json
	cache: npm
	cache-dependency-path: ./frontend/package-lock.json
	- name: Cache node_modules
	uses: actions/cache@v4
	id: node-modules-cache
	with:
	path: \|
	./frontend/node_modules
	key: modules-${{ hashFiles('./frontend/package-lock.json') }}
	- name: Install dependencies
	if: steps.node-modules-cache.outputs.cache-hit != 'true'
	run: \|
	npm ci
	working-directory: ./frontend
	- name: Download blob reports from artifacts
	uses: actions/download-artifact@v4
	with:
	path: ./frontend/all-blob-reports
	pattern: test-results-blob-*
	- name: Prepare test reports for merge
	working-directory: ./frontend/all-blob-reports
	run: \|
	for DIR in test-results-blob-*; do
	unzip -o "$DIR/test-report.zip" -d "$DIR"
	rm "$DIR/test-report.zip"
	ZIP_FILE="../$(basename "$DIR").zip"
	(cd "$DIR" && zip -r "$ZIP_FILE" ./*.jsonl)
	rm -rf "$DIR"
	done
	shell: bash
	- name: Merge into html report
	run: npx playwright merge-reports --reporter html ./all-blob-reports
	working-directory: ./frontend
	- name: Upload html report to artifacts
	uses: actions/upload-artifact@v4
	with:
	name: html-test-report
	path: ./frontend/playwright-report

	check-latest-deploy-tag:
	if: ${{ github.ref == 'refs/heads/main' }}
	needs:
	- e2e-tests
	runs-on: ubuntu-latest
	outputs:
	should_deploy: ${{ steps.compare-tags.outputs.should_deploy }}
	environment: production
	steps:
	- name: Checkout infra repository
	uses: actions/checkout@v4
	with:
	repository: digitalservicebund/neuris-infra
	ssh-key: ${{ secrets.DEPLOY_KEY }}
	path: infra
	- name: Checkout main repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	path: main
	- name: compare image tags
	id: compare-tags
	run: \|
	set -x
	CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }}
	DEPLOYED_TAG=$(yq '.images[0] \| .newTag' infra/manifests/overlays/production/kustomization.yaml)
	cd main
	if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then
	echo "should_deploy=false" >> "$GITHUB_OUTPUT"
	else
	echo "should_deploy=true" >> "$GITHUB_OUTPUT"
	fi

	deploy-production:
	runs-on: ubuntu-latest
	if: \|
	github.ref == 'refs/heads/main' &&
	needs.check-latest-deploy-tag.outputs.should_deploy == 'true'
	concurrency: deploy-production
	environment: production
	needs:
	- push-frontend-image-to-registry
	- push-backend-image-to-registry
	- e2e-tests
	- check-latest-deploy-tag
	- backend-checks
	- frontend-checks
	permissions:
	id-token: write # Enable OIDC for gitsign
	steps:
	- uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e
	- name: Deploy new images
	uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
	with:
	environment: production
	version: ${{ needs.push-backend-image-to-registry.outputs.version }}
	deploying_repo: ris-backend-service,ris-backend-service/frontend
	infra_repo: neuris-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: ris-production
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300
	- name: Track deploy
	uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
	with:
	project: RIS
	environment: production
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	deploy-uat:
	runs-on: ubuntu-latest
	if: \|
	github.ref == 'refs/heads/main'
	concurrency: deploy-uat
	environment: uat
	needs:
	- push-frontend-image-to-registry
	- push-backend-image-to-registry
	- e2e-tests
	- deploy-production
	permissions:
	id-token: write # Enable OIDC for gitsign
	steps:
	- uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e
	- name: Deploy new images
	uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
	with:
	environment: uat
	version: ${{ needs.push-backend-image-to-registry.outputs.version }}
	deploying_repo: ris-backend-service,ris-backend-service/frontend
	infra_repo: neuris-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: ris-uat
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	generate-entity-relationship-diagram:
	runs-on: ubuntu-latest
	if: ${{ false && github.ref == 'refs/heads/main' }}
	env:
	POSTGRES_DB: ris-erd
	POSTGRES_PASSWORD: postgres
	POSTGRES_USER: postgres
	services:
	postgres:
	image: postgres:14-alpine
	env:
	POSTGRES_DB: ris-erd
	POSTGRES_PASSWORD: postgres
	POSTGRES_USER: postgres
	options: >-
	--health-cmd pg_isready
	--health-interval 10s
	--health-timeout 5s
	--health-retries 5
	--name postgres
	ports:
	- 5432:5432
	steps:
	- uses: actions/checkout@v4
	- name: Install uuid-ossp extension
	run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
	- name: Apply incremental migration structure
	run: docker exec -i postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} < ./backend/src/test/resources/db/create_migration_scheme_and_extensions.sql
	- name: Get Gradle version
	working-directory: ./backend
	run: \|
	echo "GRADLE_VERSION=$(sed -n 's/.gradle-$[0-9]\(\.[0-9]$\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
	- name: Set up JDK
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
	with:
	java-version: "21.0"
	distribution: "temurin"
	cache: gradle
	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
	with:
	gradle-version: ${{ env.GRADLE_VERSION }}
	- name: Migrate database for Entity–relationship model
	working-directory: ./backend
	run: ./gradlew migrateDatabaseForERD
	env:
	DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }}
	DB_USER: ${{ env.POSTGRES_USER }}
	DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
	- name: Generate mermaid ER-diagram
	uses: digitalservicebund/export-entity-relationship-diagram@c022c18a7a9e4fce71cece7ff907a952ba5c11c8
	with:
	configFile: ./backend/mermerd.config.yaml
	connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }}
	outputFile: latest.mmd
	flags: --debug
	version: 0.9.0
	- name: Upload mermaid ER-diagram
	uses: actions/upload-artifact@v4
	with:
	name: erdiagram
	retention-days: 3
	path: latest.mmd

	generate-backend-code-documentation:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up JDK
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
	with:
	java-version: "21.0"
	distribution: "temurin"
	cache: gradle
	- name: Grant execute permission for gradlew
	working-directory: ./backend
	run: chmod +x gradlew
	- name: Run Javadoc
	working-directory: ./backend
	run: ./gradlew javadoc
	- name: Upload documentation
	uses: actions/upload-artifact@v4
	with:
	name: backend-code-documentation
	retention-days: 3
	path: backend/build/docs/javadoc/
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	push-reports:
	runs-on: ubuntu-latest
	needs:
	# - generate-entity-relationship-diagram
	- backend-build
	- audit-licenses-backend
	- audit-licenses-frontend
	- e2e-tests
	- generate-backend-code-documentation
	- generate-test-reports
	if: ${{ github.ref == 'refs/heads/main' }}
	steps:
	# Setup
	- uses: actions/checkout@v4
	with:
	repository: ${{ env.REPORTS_REPOSITORY }}
	ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }}
	- name: Setup git config
	run: \|
	git config user.name "${{ github.repository }}"
	# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560
	git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
	# ER-diagram
	# - name: ER-diagram - Download artifact
	# uses: actions/download-artifact@v4
	# with:
	# name: erdiagram
	# path: tmp/erdiagram-reports/
	# - name: ER-diagram - git add report
	# uses: digitalservicebund/add-ris-report@32770d369cf00a8154bb6a17005d11cf781bfba3
	# with:
	# filePath: tmp/erdiagram-reports/latest.mmd
	# destinationDir: entity-relationship-diagrams/ris-backend-service
	# Licence reports
	- name: Licence reports - Download
	uses: actions/download-artifact@v4
	with:
	pattern: licence-reports-*
	path: tmp/licence-reports/
	merge-multiple: true
	- name: Frontend licence report - git add report
	uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
	with:
	filePath: tmp/licence-reports/frontend-licence-report.csv
	destinationDir: licence-reports/frontend/ris-backend-service
	- name: Backend licence report - git add report
	uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
	with:
	filePath: tmp/licence-reports/backend-licence-report.csv
	destinationDir: licence-reports/backend/ris-backend-service
	# Performance report
	- name: Performance reports - Download
	uses: actions/download-artifact@v4
	with:
	name: performance-report
	path: tmp/performance-reports/
	- run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html
	- name: Performance report - git add report
	uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
	with:
	filePath: tmp/performance-reports/profile-report.html
	destinationDir: performance-reports/ris-backend-service
	# Backend code documentation
	- name: Backend Code Documentation - Download
	uses: actions/download-artifact@v4
	with:
	name: backend-code-documentation
	path: tmp/backend-code-documentation/
	- name: Java - git add report
	uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
	with:
	filePath: tmp/backend-code-documentation
	destinationDir: backend-code-documentation/java
	reportIsDirectory: true
	# e2e test report
	- name: E2E test reports - Download
	uses: actions/download-artifact@v4
	with:
	name: html-test-report
	path: tmp/html-test-report/
	- name: E2E test reports - git add report
	uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
	with:
	filePath: tmp/html-test-report/
	destinationDir: test-reports/ris-backend-service
	reportIsDirectory: true
	# Push reports
	- name: Push reports
	# we use `toJSON(...)` below to escape double quotation marks
	run: \|
	git diff-index --cached --quiet HEAD \|\|
	git commit \
	-m ${{ toJSON(github.event.head_commit.message) }} \
	-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" &&
	git push origin main &&
	echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> $GITHUB_STEP_SUMMARY

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update all-frontend-non-major-dependencies #15246

Workflow file

Update all-frontend-non-major-dependencies #15246

Jobs

Run details

Workflow file for this run