Skip to content

Commit

Permalink
Update pipeline with reusable workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
@HendrikSchmidt
HendrikSchmidt committed May 3, 2024
1 parent 4e98eef commit 7dc2e72
Show file tree
Hide file tree
Showing 2 changed files with 112 additions and 94 deletions.
99 changes: 99 additions & 0 deletions .github/workflows/build-and-deploy.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
name: Build and Deploy

on:
workflow_call:
inputs:
name:
required: true
type: string
directory:
required: true
type: string

jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Build image from Dockerfile
working-directory: ${{ inputs.directory }}
run: |
docker build -t ${{ inputs.name }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
with:
image-ref: ${{ inputs.name }}:${{ github.sha }}
format: "cosign-vuln"
output: "vulnerabilities.json"

- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "vulnerabilities.json"
path: "vulnerabilities.json"
if-no-files-found: error

- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Login to container registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push image
run: |
docker tag ${{ inputs.name }}:${{ github.sha }} ghcr.io/${{ inputs.name }}
docker tag ${{ inputs.name }}:${{ github.sha }} ghcr.io/${{ inputs.name }}:${{ github.sha }}
docker push --all-tags ghcr.io/${{ inputs.name }}
- name: Create SBOM
uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3 # v1.1.0
with:
image_name: ${{ inputs.name }}:${{ github.sha }}

- name: Sign the published Docker image
run: cosign sign --yes ghcr.io/${{ inputs.name }}:${{ github.sha }}

- name: Attest the vulnerability scan
run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ inputs.name }}:${{ github.sha }}

deploy:
needs: [build-and-push-image]
if: ${{ false }} # FIXME: Enable this job when the deployment is ready.
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
packages: read
environment: production # FIXME: Create environment.
steps:
- name: Deploy latest container image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: production
version: ${{ github.sha }}
deploying_repo: ${{ github.event.repository.name }}
infra_repo: ${{ github.event.repository.name }}-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ${{ github.event.repository.name }}-production
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}

- name: Report Deployment
uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0
with:
project: ${{ github.event.repository.name }}
environment: production
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
107 changes: 13 additions & 94 deletions .github/workflows/pipeline.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ jobs:
- name: Check types
run: npm run typecheck

- name: Run tests
- name: Run unit tests
run: npm test

- name: Install E2E & A11y test dependencies
Expand Down Expand Up @@ -162,101 +162,20 @@ jobs:
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

build-and-push-image:
build-and-deploy:
needs:
- test
- audit-licenses
- vulnerability-scan
if: ${{ github.ref == 'refs/heads/main' }}
uses: .github/workflows/build-and-deploy.yml@main
strategy:
matrix:
packages:
- name: digitalcheck-dito
dir: packages/dito
directory: packages/dito
- name: digitalcheck-tool-finder
dir: packages/tool-finder
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- test
- audit-licenses
- vulnerability-scan
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Build image from Dockerfile
working-directory: ${{ matrix.dir }}
run: |
docker build -t ${{ matrix.name }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
with:
image-ref: ${{ matrix.name }}:${{ github.sha }}
format: "cosign-vuln"
output: "vulnerabilities.json"

- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "vulnerabilities.json"
path: "vulnerabilities.json"
if-no-files-found: error

- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Login to container registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push image
run: |
docker tag ${{ matrix.name }}:${{ github.sha }} ghcr.io/${{ matrix.name }}
docker tag ${{ matrix.name }}:${{ github.sha }} ghcr.io/${{ matrix.name }}:${{ github.sha }}
docker push --all-tags ghcr.io/${{ matrix.name }}
- name: Create SBOM
uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3 # v1.1.0
with:
image_name: ${{ matrix.name }}:${{ github.sha }}

- name: Sign the published Docker image
run: cosign sign --yes ghcr.io/${{ matrix.name }}:${{ github.sha }}

- name: Attest the vulnerability scan
run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ matrix.name }}:${{ github.sha }}

deploy:
needs: [build-and-push-image]
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' && false }}
timeout-minutes: 10
permissions:
packages: read
environment: production
steps:
- name: Deploy latest container image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: production
version: ${{ github.sha }}
deploying_repo: ${{ github.event.repository.name }}
infra_repo: ${{ github.event.repository.name }}-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ${{ github.event.repository.name }}-production
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}

- name: Report Deployment
uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0
with:
project: ${{ github.event.repository.name }}
environment: production
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
directory: packages/tool-finder
with:
name: ${{ matrix.packages.name }}
directory: ${{ matrix.packages.directory }}

0 comments on commit 7dc2e72

Please sign in to comment.